7/23/2019 Risk Management eBook Npi Lss
https://slidepdf.com/reader/full/risk-management-ebook-npi-lss 1/14
© 2015 Honeywell

The Four-Step Guide to Understanding Cyber Risk
Identifying Cyber Risks and Addressing the Cyber Security Gap
Lifecycle Solutions & Services
TABLE OF CONTENTS
3  Introduction: A Real Danger
4  In the Firing Line
5  The Cyber Arms Race
6  Assessing the Risk
8  Step 1: Knowing Your Vulnerabilities
9  Step 2: Identifying Threats
12 Step 3: Measuring Consequences – The Final Piece
13 Step 4: Bringing it Together – Measuring Risk
14 More About Cyber Security
Introduction: A Real Danger

It is estimated that cyber risks cost the global economy up to $400 billion a year—maybe even more. For industrial control systems (ICSs), however, the risks are even more acute.

A poll of 1,642 experts by the Pew Centre shows 61% predict a maj[or] attack will cause "widespread harm [to] security and capacity to defend i[ts] people" in the next ten years.

"By 'widespread' harm we mean loss of life or property losses/dama[ge] at the levels of tens of billions of [dollars]," Pew clarified.

A successful attack is among the major risks worrying the US government. As Michael Rogers, commander of US Cyber Command, testified to the US House of Representatives Intelligence Committee:

"We have seen instances where we are observing intrusions into industrial control systems. What concerns us is that access can be used by nation states, groups or individuals to take down [their] capability," he said. ICSs are a growth area of vulnerability, he added. "It's among the things that concern me the most."
In the Firing Line

The warning signs are already there. Rogers' comments came just weeks after a Department of Homeland Security alert said malware named BlackEnergy had infiltrated companies running much of the country's infrastructure. Less than a month later, a German government report revealed "massive damage" from an infected email targeting a steel mill in the country.

Like Stuxnet, Havex and BlackEnergy, the German attack was targeted specifically at industrial control systems.
The Cyber Arms Race

The Threat is Driven by a Number of Factors

• Attackers' growing sophistication. The German attackers had "advanced know-how not only of conventional IT security but also detailed technical knowledge of the industrial control systems and production processes used in the plant," the government report noted.
• The industrialization of cyber crime, with skilled attackers selling "crime as a service" to others without technical skills.
• Growing vulnerabilities, as up to 25 billion web-connected systems and devices in the "Internet of things" come online by 2020. Publicly available tools like Shodan let would-be attackers easily identify ICSs. In 2013, for instance, Finnish researchers used the search engine to find nearly 3,000 unsecured Internet-facing SCADA systems running the country's water supply, building automation and other systems. Project SHINE (SHODAN Information Extraction), a multi-year research project aimed at identifying industrial control devices that were directly connected to the Internet, found millions of such devices.

Against this, cyber risk managem[ent for] industrial control systems is fallin[g behind]:

• Tools and methods used by IT security professionals for man[aging] network risks are not fully ado[pted in] ICS engineering and operation[s].
• Worse, those with legacy syst[ems may] ignore best practices, avoiding [patches] and virus protection updates [in case] they'll jeopardize plant stability.

The result is a growing gap betw[een the] capabilities of attackers and the [defences] pitched against them.
Assessing the Risk

To Understand the Risk, We Need a Definition

What is Risk?

ISO: The potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization.

NIST: A function of the likelihood of a given threat-source's exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization.

Fortunately, organizations such as the International Stan[dards] Organization (ISO) and National Institute of Standards a[nd] Technology (NIST) have developed definitions that are w[idely] accepted and used.

In both cases, risk is seen as a function of the vulnerabi[lity of] an asset, the threat, which is the likelihood an attack wil[l occur], and the consequence of such an attack being successf[ul].

(continued)
Assessing the Risk (cont.)

To Put it Another Way: Risk = Vulnerability × Threat × Consequence

Through a function of vulnerability, threat and consequence we are able to quantify risk. By assigning a value (whether between 0 and 1, 0-100, or any other consistent scale) to each element, users derive a metric that provides a consistent measure of risk and can be used throughout the organization.

The ultimate aim, of course, is to manage th[e] risk, and this will be considered in a forthcom[ing] e-book. However, you cannot manage what [you] cannot measure.

This e-book therefore focuses on evaluating [risk] and requires a thorough understanding of al[l the] components in the equation above. It is the[refore a] four-stage process, looking at each element—[threats,] vulnerabilities and consequences—in turn b[efore] bringing them all together.
Step 1: Knowing Your Vulnerabilities

A vulnerability is any quality of an asset that could allow it to be exploited. All digital assets have them. Some are known, some aren't. Some are easier to exploit than others.

A common source of vulnerabilities is software bugs. 2014's Heartbleed vulne[rability,] affecting half a million websites as well as thousands of connected device[s, is] just among the most high-profile examples.

There are numerous vulnerability assessment (VA) tools to track known vulnera[bilities] within applications and operating systems, but these have their limits:

• First, VA tools can probe aggressively to test for vulnerabilities across enterprises, which may be unsuitable and unsafe applied to network activity in an ICS.
• Second, vulnerabilities are frequently the result not of a particular device or software suite but poor practices or configurations—weak passwords, group accounts with administrative privileges, failures to implement anti-virus programs and host firewalls, and so on. All of these can be exploited by attackers to leverage systems for unintended purposes.
• Finally, vulnerabilities must be looked at [across] operations and processes. Control sys[tems] are not just a collection of individual de[vices] but interconnected systems of devices. [Weak] access controls on an application runni[ng] in a control room, for example, can ma[ke a] whole process vulnerable, not just a si[ngle] workstation.
Step 2: Identifying Threats

It is threats that turn a vulnerability into an incident.

Threats may be coincidental or accidental, simple or complex, and the result of a wide range of motives. What they have in common is that they have "the potential to harm assets, e.g. unauthorized actions, physical damage, technical failures," as ISO 27005:2011 puts it.

They also exploit vulnerabilities, and when specific vulnerabilitie[s are] known it is possible to predict s[ome] of the early signs of threats aga[inst] these. Each stage of a cyber attack typically consists of seve[ral] steps, and by scanning for thes[e,] attacks may be detected befor[e an] incident occurs.

(cont. next page)
Step 2: Identifying Threats (cont.)

Moving targets: the importance of regular review

Both vulnerabilities and threats evolve over time. This is most obvious with threats, with more than 200,000 new variants of malware (such as viruses, trojans or worms) identified every day. But it's true of vulnerabilities too.

First, new devices and applications bring with them new vulnerabilities.

Second, vulnerabilities are discov[ered] in areas previously believed to be secure. Again, Heartbleed—[in code] that was meant to increase secur[ity]—showed that the security indust[ry's] strongest assumptions can be overthrown overnight. It is imposs[ible] to take anything for granted wh[en] it comes to cyber security.

Since new vulnerabilities and th[reats] emerge and are detected all the [time,] both must be continuously revie[wed].

(cont. next page)
Step 2: Identifying Threats (cont.)

Understanding the relationship between threats and vulnerabilities

When threats align with vulnerabilities, the risk of a cyber incident increases significantly. Take the example of the virus detected and quarantined by anti-virus software on a control room server again. The threat (virus) finds no vulnerability because the anti-virus software worked. But the episode still shows malware is able to access the server, which should be in a protected network.

This raises questions of exposu[re]. If known malware has been fou[nd,] could unknown ("zero day") malware also be present? How [was] the malware introduced? Could [the] detected malware have also be[en] introduced to other systems? T[he] threat, although unsuccessful, s[till] indicates the potential for infect[ion] and therefore contributes to the overall level of risk.

The relationship between threat[s] and vulnerabilities is complex, b[ut] with the right tools can be both understood and managed.
Step 3: Measuring Consequences—The Final Piece

Consequences put these threats and vulnerabilities into perspective.

By identifying assets and the impact of a potential attack on them, you can determine the degree to which you should worry. A vulnerability that could take a printer offline, for example, is likely to be less of a concern than a successful attack on a safety system.

Measuring consequences is not straightforward. In many cases they may correlate closely to costs, typically through lost production. However, consequences could be far wider, encompassing risks to personal safety, environmental damage, reputational impacts, legal liabilities or even, as we've seen, national security concerns.

Furthermore, interrelationships in [the] plant must again be recognized: the consequence of an incident c[annot] be measured solely by the impac[t] on the specific compromised de[vice].

A cyber attack may cause a dev[ice] or server to fail, but what if it obt[ains] control of the device or server an[d] uses it to cause far wider damag[e]?

The potential for impacts to spiral [beyond] the immediate effect of an initial br[each] is a vital part of any assessment [of] consequences.
Step 4: Bringing it Together—Measuring Risk

Understanding and addressing the preceding elements gives a plant what it needs to begin to make a realistic assessment of its risks.

• It will know the vulnerabilities to look out for.
• It will have put in place elements of threat detection, such as firewalls on the network and connected hosts, and virus protection.
• And it will have identified its most important assets and the potential consequences of an attack on them.

A solution now available to assist [with] ongoing situational awareness [is] Honeywell's Industrial Cyber Sec[urity] Risk Manager.

Risk Manager—the first solution to proactively monitor, measure a[nd] manage industrial cyber security risk, providing users of all levels w[ith the] real time visibility, understanding [and] decision support required for act[ion]. With Risk Manager there is no ne[ed] to be a cyber security expert. The easy-to-use interface allows user[s] to prioritize and focus efforts on managing risks that matter most [to] reliable plant operations.
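The e-book states the Risk = Vulnerability × Threat × Consequence relationship and, in Step 4, the inputs a plant brings to it, but never carries the arithmetic through. The Python below is an added worked example, not code from the e-book or from Honeywell's Risk Manager product. It scores a constructed inventory of plant assets using the e-book's own ingredients: Step 1 configuration weaknesses (weak passwords, shared administrative accounts, missing anti-virus and host firewalls), Step 2 threat evidence (a quarantined virus still raises the threat level even though it found no vulnerability), and Step 3 consequence ratings (a printer versus a safety system). The finding weights, the threat baseline and per-detection increment, and the sample assets are all assumptions chosen for illustration; the `to_unit` helper also generalises the text's "0 and 1, 0-100 or any other consistent scale" remark by normalising any such scale before the product is taken, so a value entered on the wrong scale fails loudly rather than silently dominating the metric.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed weights (0-100) for the configuration weaknesses the e-book lists
# as common vulnerability sources. The numbers are assumptions for illustration.
FINDING_WEIGHTS: Dict[str, int] = {
    "weak_password": 70,
    "shared_admin_account": 60,
    "no_antivirus": 50,
    "no_host_firewall": 40,
}


@dataclass
class Asset:
    name: str
    consequence: int                                   # 0-100, impact if attacked (Step 3)
    findings: List[str] = field(default_factory=list)  # Step 1 weaknesses present
    quarantined_detections: int = 0                    # malware blocked by AV here (Step 2)


def to_unit(value: float, scale_max: float) -> float:
    """Map a score on any consistent 0..scale_max scale onto 0..1.
    Out-of-range input is rejected so a mis-scaled entry cannot skew the metric."""
    if scale_max <= 0 or not 0 <= value <= scale_max:
        raise ValueError(f"value {value} outside 0..{scale_max}")
    return value / scale_max


def vulnerability_score(findings: List[str]) -> float:
    """Combine weakness weights as independent chances of exploitation:
    1 - prod(1 - w_i). Stays within [0, 1) however many findings are present."""
    unknown = [f for f in findings if f not in FINDING_WEIGHTS]
    if unknown:
        raise KeyError(f"unknown finding(s): {unknown}")
    p_not_exploitable = 1.0
    for f in findings:
        p_not_exploitable *= 1.0 - to_unit(FINDING_WEIGHTS[f], 100)
    return 1.0 - p_not_exploitable


def threat_score(quarantined_detections: int, baseline: float = 0.2,
                 per_detection: float = 0.15) -> float:
    """Assumed background likelihood plus an increment per blocked malware sample.
    The e-book's point: a quarantined virus shows malware can reach the host, so it
    raises the threat level even though it found no vulnerability. Capped at 1.0."""
    return min(1.0, baseline + per_detection * quarantined_detections)


def risk_score(asset: Asset) -> float:
    """Risk = Vulnerability x Threat x Consequence, reported on a 0-100 scale."""
    v = vulnerability_score(asset.findings)
    t = threat_score(asset.quarantined_detections)
    c = to_unit(asset.consequence, 100)
    return round(100 * v * t * c, 2)


def rank_assets(assets: List[Asset]) -> List[Tuple[str, float]]:
    """(name, risk) pairs, highest risk first, for prioritising remediation."""
    scored = [(a.name, risk_score(a)) for a in assets]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed plant inventory echoing the e-book's printer vs safety-system contrast.
SAMPLE_ASSETS = [
    Asset("print-server", consequence=10,
          findings=["weak_password", "no_host_firewall"]),
    Asset("control-room-server", consequence=70,
          findings=["shared_admin_account"], quarantined_detections=2),
    Asset("safety-system-gateway", consequence=100,
          findings=["no_antivirus", "weak_password"]),
    Asset("engineering-workstation", consequence=60),
]

if __name__ == "__main__":
    for name, risk in rank_assets(SAMPLE_ASSETS):
        print(f"{name:26s} risk={risk:6.2f}")
```

Running it ranks the control-room server (21.0) above the safety-system gateway (17.0): the gateway has the higher consequence and more weaknesses, but the two quarantined detections on the control-room server lift its threat term from 0.2 to 0.5, which is exactly the "unsuccessful threat still contributes to risk" argument from Step 2. The print server scores 1.64 despite two weaknesses because its consequence is low, and the clean engineering workstation scores zero. Changing any weight changes the ranking, which is why the e-book stresses a consistent scale agreed across the organisation rather than any particular numbers.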
More About Cyber Security

For industrial organizations, identifying risks is the first stage of the journey to a more secure system in the face of increasing attacks. We'll consider the second stage in our forthcoming e-book on managing the risks.

For More Information

Meanwhile, for more information about Cyber Sec[urity,] here are some more resources to help you:

• The Essential Guide to Cyber Security: Download this e-boo[k] about the essentials of Industrial Cyber Security and how to ap[ply them].
• Honeywell Whitepapers: Honeywell experts have published various whitepapers on various elements of Industrial Cyber Se[curity]. View the complete list here.
• Case Studies: Read and learn from our case studies to know [the steps] other industrial customers are taking to tackle cyber attacks.
• Visit becybersecure.com
copy2015 Hone
Threats may be coincidental oraccidental simple or complex andthe result of a wide range of motivesWhat they have in common is thatthey have ldquothe potential to harmassetseg unauthorized actionsphysical damage technical failuresrdquoas ISO270052011 puts it
They also exploit vulnerabilitiesand when specific vulnerabilitieknown it is possible to predict sof the early signs of threats agathese Each stage of a cyberattack typically consists of sevesteps and by scanning for thesattacks may be detected beforincident occurs
(cont ne
It is threats thatturn a vulnerabilityinto an incident
Step 2 Identifying Threats
7232019 Risk Management eBook Npi Lss
httpslidepdfcomreaderfullrisk-management-ebook-npi-lss 1014
10
The Four-Step Guide to Understanding Cyber Risk
copy2015 Hone
Both vulnerabilities and threats evolveover time This is most obvious withthreats with more than 200000 newvariants of malware (such as virusestrojans or worms) identified every dayBut itrsquos true of vulnerabilities too
First new devices and applications
bring with them new vulnerabilities
Second vulnerabilities are discovin areas previously believed tobe secure Again Heartbleedmdashthat was meant to increase securshowed that the security induststrongest assumptions can beoverthrown overnight It is impossto take anything for granted whit comes to cyber security
Since new vulnerabilities and themerge and are detected all the both must be continuously revie
(cont ne
Moving targetsthe importanceof regular review
Step 2 Identifying Threats (cont)
7232019 Risk Management eBook Npi Lss
httpslidepdfcomreaderfullrisk-management-ebook-npi-lss 1114
11
The Four-Step Guide to Understanding Cyber Risk
copy2015 Hone
When threats align with vulnerabilitiesthe risk of a cyber incident increasessignificantly Take the example of thevirus detected and quarantined byanti-virus software on a control roomserver again The threat (virus) findsno vulnerability because the anti-virussoftware worked But the episodestill shows malware is able to accessthe server which should be in aprotected network
This raises questions of exposuIf known malware has been foucould unknown (ldquozero dayrdquo)malware also be present How the malware introduced Coulddetected malware have also beintroduced to other systems Tthreat although unsuccessful sindicates the potential for infectand therefore contributes to theoverall level of risk
The relationship between threatand vulnerabilities is complex bwith the right tools can be both
understood and managed
Understandingthe relationshipbetween threatsand vulnerabilities
Step 2 Identifying Threats (cont)
7232019 Risk Management eBook Npi Lss
httpslidepdfcomreaderfullrisk-management-ebook-npi-lss 1214
12
The Four-Step Guide to Understanding Cyber Risk
copy2015 Hone
By identifying assets and the impactof a potential attack on them you candetermine the degree to which youshould worry A vulnerability that couldtake a printer offline for exampleis likely to be less of a concern than asuccessful attack on a safety system
Measuring consequences is notstraightforward In many cases theymay correlate closely to costs typicallythrough lost production Howeverconsequences could be far widerencompassing risks to personal safetyenvironmental damage reputational
impacts legal liabilities or even aswersquove seen national security concerns
Furthermore interrelationships inplant must again be recognizedthe consequence of an incident cbe measured solely by the impacon the specific compromised de
A cyber attack may cause a devor server to fail but what if it obtcontrol of the device or server anuses it to cause far wider damag
The potential for impacts to spiral the immediate effect of an initial bris a vital part of any assessment consequences
Consequencesput these threatsand vulnerabilitiesinto perspective
Step 3 Measuring ConsequencesmdashThe Final Piece
7232019 Risk Management eBook Npi Lss
httpslidepdfcomreaderfullrisk-management-ebook-npi-lss 1314
13
The Four-Step Guide to Understanding Cyber Risk
copy2015 Hone
bull It will know the vulnerabilities tolook out for
bull It will have put in place elements ofthreat detection such as firewallson the network and connectedhosts and virus protection
bull And it will have identified its most
important assets and the potentialconsequences of an attack on them
A solution now available to assistongoing situational awareness Honeywellrsquos Industrial Cyber SecRisk Manager
Risk Managermdashthe first solutionto proactively monitor measure amanage industrial cyber security
risk providing users of all levels wreal time visibility understanding decision support required for actWith Risk Manager there is no neto be a cyber security expert Theeasy-to-use interface allows userto prioritize and focus efforts on
managing risks that matter most reliable plant operations
Understandingand addressing thepreceding elementsgives a plant whatit needs to beginto make a realisticassessment ofits risks
Step 4 Bringing it TogetherndashMeasuring Risk
7232019 Risk Management eBook Npi Lss
httpslidepdfcomreaderfullrisk-management-ebook-npi-lss 1414
14
The Four-Step Guide to Understanding Cyber Risk
copy2015 Hone
For industrial organizations identifyingrisks is the first stage of the journeyto a more secure system in the face ofincreasing attacks Wersquoll consider thesecond stage in our forthcoming e-bookon managing the risks
More about Cyber SecurityFor More Information
Meanwhile for more information about Cyber Sechere are some more resources to help you
bull The Essential Guide to Cyber Security Download thisabout the essentials of Industrial Cyber Security and how to ap
bull Honeywell Whitepapers Honeywell experts have publishedvarious whitepapers on various elements of Industrial Cyber Se
View the complete list
bull Case Studies Read and learn from our to knowother industrial customers are taking to tackle cyber attacks
bull Visit
e-boo
here
case studies
becybersecurecom
In the Firing Line

The warning signs are already there. Rogers' comments came just weeks after a Department of Homeland Security alert said malware named BlackEnergy had infiltrated companies running much of the country's infrastructure. Less than a month later, a German government report revealed "massive damage" from an infected email targeting a steel mill in the country.

Like Stuxnet, Havex and BlackEnergy, the German attack was targeted specifically at industrial control systems.
The Cyber Arms Race

The Threat is Driven by a Number of Factors

• Attackers' growing sophistication. The German attackers had "advanced know-how not only of conventional IT security but also detailed technical knowledge of the industrial control systems and production processes used in the plant," the government report noted.

• The industrialization of cyber crime, with skilled attackers selling "crime as a service" to others without technical skills.

• Growing vulnerabilities, as up to 25 billion web-connected systems and devices in the "Internet of things" come online by 2020. Publicly available tools like Shodan let would-be attackers easily identify ICSs. In 2013, for instance, Finnish researchers used the search engine to find nearly 3,000 unsecured Internet-facing SCADA systems running the country's water supply, building automation and other systems. Project SHINE (SHODAN Information Extraction), a multi-year research project aimed at identifying industrial control devices that were directly connected to the Internet, found millions of such devices.

Against this, cyber risk management in industrial control systems is falling

• Tools and methods used by IT security professionals for managing network risks are not fully adopted in ICS engineering and operations.

• Worse, those with legacy systems ignore best practices, avoiding and virus protection updates they'll jeopardize plant stability.

The result is a growing gap between the capabilities of attackers and the pitched against them.
Assessing the Risk

To Understand the Risk, We Need a Definition

Fortunately, organizations such as the International Standards Organization (ISO) and the National Institute of Standards and Technology (NIST) have developed definitions that are widely accepted and used.

In both cases risk is seen as a function of the vulnerability of an asset, the threat, which is the likelihood an attack will, and the consequence of such an attack being successful.

What is Risk?

ISO: The potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization.

NIST: A function of the likelihood of a given threat-source's exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization.
Assessing the Risk (cont.)

To Put it Another Way: Risk = Vulnerability × Threat × Consequence

Through a function of vulnerability, threat and consequence we are able to quantify risk. By assigning a value (whether between 0 and 1, 0-100 or any other consistent scale) to each element, users derive a metric that provides a consistent measure of risk and can be used throughout the organization.

The ultimate aim, of course, is to manage the risk, and this will be considered in a forthcoming e-book. However, you cannot manage what you cannot measure.

This e-book therefore focuses on evaluating risk, and requires a thorough understanding of all components in the equation above. It is the four-stage process, looking at each element, vulnerabilities and consequences, in turn before bringing them all together.
Step 1: Knowing Your Vulnerabilities

A vulnerability is any quality of an asset that could allow it to be exploited. All digital assets have them. Some are known, some aren't. Some are easier to exploit than others.

A common source of vulnerabilities is software bugs. 2014's Heartbleed vulnerability, affecting half a million websites as well as thousands of connected devices, is just among the most high-profile examples.

There are numerous vulnerability assessment (VA) tools to track known vulnerabilities within applications and operating systems, but these have their limits.

• First, VA tools can probe aggressively to test for vulnerabilities across enterprises, which may be unsuitable and unsafe applied to network activity in an ICS.

• Second, vulnerabilities are frequently the result not of a particular device or software suite but of poor practices or configurations: weak passwords, group accounts with administrative privileges, failures to implement anti-virus programs and host firewalls, and so on. All of these can be exploited by attackers to leverage systems for unintended purposes.

• Finally, vulnerabilities must be looked at in operations and processes. Control systems are not just a collection of individual devices but interconnected systems of devices. Poor access controls on an application running in a control room, for example, can make a whole process vulnerable, not just a single workstation.
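The first two limits above suggest a practical defender's approach for control networks: instead of letting a VA tool probe live ICS hosts, audit configuration records exported from the hosts (or from an inventory database) for the poor practices the second bullet lists. The Python below is an added example, not code from the e-book or from Honeywell; the JSON export, the host names, the policy thresholds (minimum password length, maximum signature age) and the finding names are all constructed assumptions for illustration.

```python
"""Passive configuration audit for ICS hosts.

Added example (not from the e-book). Active scanners can disturb control-network
traffic, so this reads configuration records exported from the hosts instead of
probing them. Host records and policy thresholds are constructed for illustration.
"""
import json
from datetime import date

MIN_PASSWORD_LENGTH = 12        # assumed site policy
MAX_AV_SIGNATURE_AGE_DAYS = 7   # assumed site policy
AUDIT_DATE = date(2015, 3, 15)  # constructed "today" so the example is reproducible

# Constructed export: one record per host, as an inventory tool might produce it.
HOST_EXPORT = """
[
 {"host": "hmi-01", "role": "operator HMI",
  "admin_group": ["administrator", "operators"], "shared_accounts": ["operators"],
  "password_policy": {"min_length": 8, "expires": false},
  "antivirus": {"installed": true, "signature_date": "2015-03-01"},
  "host_firewall": false},
 {"host": "eng-ws-02", "role": "engineering workstation",
  "admin_group": ["administrator", "jdoe"], "shared_accounts": [],
  "password_policy": {"min_length": 14, "expires": true},
  "antivirus": {"installed": true, "signature_date": "2015-03-12"},
  "host_firewall": true},
 {"host": "hist-01", "role": "historian",
  "admin_group": ["administrator"], "shared_accounts": [],
  "password_policy": {"min_length": 12, "expires": true},
  "antivirus": {"installed": false, "signature_date": null},
  "host_firewall": true}
]
"""


def audit_host(record: dict, today: date) -> list:
    """Return (check, detail) findings for one host record; an empty list means clean."""
    findings = []
    # A shared (group) account that is also in the admin group: one password, many hands.
    shared_admins = set(record["admin_group"]) & set(record["shared_accounts"])
    if shared_admins:
        findings.append(("group-account-with-admin", sorted(shared_admins)))
    pol = record["password_policy"]
    if pol["min_length"] < MIN_PASSWORD_LENGTH:
        findings.append(("weak-password-policy", f"min_length={pol['min_length']}"))
    if not pol["expires"]:
        findings.append(("passwords-never-expire", None))
    av = record["antivirus"]
    if not av["installed"]:
        findings.append(("no-antivirus", None))
    else:
        # Installed but not updated is the legacy-system habit the e-book warns about.
        age = (today - date.fromisoformat(av["signature_date"])).days
        if age > MAX_AV_SIGNATURE_AGE_DAYS:
            findings.append(("stale-av-signatures", f"{age} days old"))
    if not record["host_firewall"]:
        findings.append(("host-firewall-disabled", None))
    return findings


def audit_export(export_json: str, today: date) -> dict:
    """Audit every host in the export; returns {host: findings} for failing hosts only."""
    results = {}
    for record in json.loads(export_json):
        found = audit_host(record, today)
        if found:
            results[record["host"]] = found
    return results


if __name__ == "__main__":
    for host, findings in audit_export(HOST_EXPORT, AUDIT_DATE).items():
        for check, detail in findings:
            print(f"{host}: {check}" + (f" ({detail})" if detail else ""))
```

Each finding maps to one of the configuration weaknesses the bullet names, and nothing is sent to the control network; the same checks can be re-run on every fresh export, which also covers the regular-review point made under Step 2.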
Step 2: Identifying Threats

It is threats that turn a vulnerability into an incident.

Threats may be coincidental or accidental, simple or complex, and the result of a wide range of motives. What they have in common is that they have "the potential to harm assets, e.g. unauthorized actions, physical damage, technical failures," as ISO 27005:2011 puts it.

They also exploit vulnerabilities, and when specific vulnerabilities are known it is possible to predict some of the early signs of threats against these. Each stage of a cyber attack typically consists of several steps, and by scanning for these, attacks may be detected before an incident occurs.
Step 2: Identifying Threats (cont.)

Moving targets: the importance of regular review

Both vulnerabilities and threats evolve over time. This is most obvious with threats, with more than 200,000 new variants of malware (such as viruses, trojans or worms) identified every day. But it's true of vulnerabilities too.

First, new devices and applications bring with them new vulnerabilities.

Second, vulnerabilities are discovered in areas previously believed to be secure. Again, Heartbleed, in software that was meant to increase security, showed that the security industry's strongest assumptions can be overthrown overnight. It is impossible to take anything for granted when it comes to cyber security.

Since new vulnerabilities and threats emerge and are detected all the time, both must be continuously reviewed.
Step 2: Identifying Threats (cont.)

Understanding the relationship between threats and vulnerabilities

When threats align with vulnerabilities, the risk of a cyber incident increases significantly. Take the example of the virus detected and quarantined by anti-virus software on a control room server again. The threat (virus) finds no vulnerability because the anti-virus software worked. But the episode still shows malware is able to reach the server, which should be in a protected network.

This raises questions of exposure. If known malware has been found, could unknown ("zero day") malware also be present? How was the malware introduced? Could the detected malware have also been introduced to other systems? The threat, although unsuccessful, still indicates the potential for infection and therefore contributes to the overall level of risk.

The relationship between threats and vulnerabilities is complex, but with the right tools it can be both understood and managed.
Step 3: Measuring Consequences - The Final Piece

Consequences put these threats and vulnerabilities into perspective.

By identifying assets and the impact of a potential attack on them, you can determine the degree to which you should worry. A vulnerability that could take a printer offline, for example, is likely to be less of a concern than a successful attack on a safety system.

Measuring consequences is not straightforward. In many cases they may correlate closely to costs, typically through lost production. However, consequences could be far wider, encompassing risks to personal safety, environmental damage, reputational impacts, legal liabilities or even, as we've seen, national security concerns.

Furthermore, interrelationships in the plant must again be recognized: the consequence of an incident cannot be measured solely by the impact on the specific compromised device.

A cyber attack may cause a device or server to fail, but what if it obtains control of the device or server and uses it to cause far wider damage?

The potential for impacts to spiral beyond the immediate effect of an initial breach is a vital part of any assessment of consequences.
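Three points made so far fit together in one calculation: the formula Risk = Vulnerability × Threat × Consequence from "Assessing the Risk" with each factor on a consistent scale, the Step 2 observation that a quarantined virus still raises the threat level, and the point just above that consequences spiral beyond the compromised device. The Python below works them through as an added example; it is not code from the e-book or from Honeywell's Risk Manager. The asset names, scores, scales and dependency links are constructed, and the 0.1-per-detection threat increment and the cap at the top of the consequence scale are assumptions of this example, not of the e-book.

```python
"""Risk = Vulnerability x Threat x Consequence, worked through in code.

Added example (not from the e-book). The plant inventory, scores, scales and
dependency links are constructed for illustration.
"""
from dataclasses import dataclass, field

VULN_SCALE = 10.0   # vulnerability scored 0..10 (CVSS-style), an assumed scale
CONS_SCALE = 100.0  # direct consequence scored 0..100, an assumed scale
# threat is entered directly as a likelihood in 0..1, so the three scales differ on purpose


@dataclass
class Asset:
    name: str
    vulnerability: float        # 0..VULN_SCALE
    threat: float               # 0..1 likelihood that a threat exercises the weakness
    consequence: float          # 0..CONS_SCALE direct impact of losing this asset
    downstream: list = field(default_factory=list)  # assets reachable from this one if compromised


def normalize(value: float, scale_max: float) -> float:
    """Map a score from a 0..scale_max scale onto 0..1 so the factors share one scale."""
    if not 0.0 <= value <= scale_max:
        raise ValueError(f"score {value} outside 0..{scale_max}")
    return value / scale_max


def adjust_threat(base: float, blocked_detections: int, step: float = 0.1) -> float:
    """A threat that was found and quarantined still counts: each blocked detection on
    a host shows the protected network was reachable, so the likelihood estimate rises
    (the 0.1 step is an assumption of this example)."""
    return min(1.0, base + step * blocked_detections)


def effective_consequence(name: str, assets: dict, seen=None) -> float:
    """Direct impact of `name` plus that of every asset reachable from it, each counted
    once: the impact of an incident is not the compromised device alone."""
    seen = set() if seen is None else seen
    if name in seen:            # guards against cycles in the dependency links
        return 0.0
    seen.add(name)
    asset = assets[name]
    total = asset.consequence
    for child in asset.downstream:
        total += effective_consequence(child, assets, seen)
    return total


def risk_score(asset: Asset, assets: dict, blocked_detections: int = 0,
               include_downstream: bool = True) -> float:
    """Risk = V x T x C with every factor on 0..1; the spiral total is capped at the scale top."""
    v = normalize(asset.vulnerability, VULN_SCALE)
    t = adjust_threat(asset.threat, blocked_detections)
    raw_c = effective_consequence(asset.name, assets) if include_downstream else asset.consequence
    c = normalize(min(raw_c, CONS_SCALE), CONS_SCALE)
    return round(v * t * c, 4)


def rank_assets(assets: dict, blocked=None) -> list:
    """(name, risk) pairs, highest risk first; `blocked` maps host -> quarantined detections."""
    blocked = blocked or {}
    scored = [(a.name, risk_score(a, assets, blocked.get(a.name, 0))) for a in assets.values()]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed plant inventory (illustrative values, not measured data).
PLANT = {a.name: a for a in [
    Asset("printer", vulnerability=8, threat=0.5, consequence=5),
    Asset("eng_workstation", vulnerability=7, threat=0.4, consequence=10, downstream=["plc"]),
    Asset("plc", vulnerability=5, threat=0.2, consequence=60, downstream=["process_unit"]),
    Asset("process_unit", vulnerability=2, threat=0.1, consequence=80),
]}

if __name__ == "__main__":
    # Two quarantined detections on the engineering workstation raise its threat estimate.
    for name, score in rank_assets(PLANT, blocked={"eng_workstation": 2}):
        print(f"{name:16s} {score:.3f}")
```

The contrast worth noting is the engineering workstation: judged on its own consequence it scores 0.028, barely above the printer, but once the PLC and process unit reachable from it are counted it rises to 0.28 and tops the ranking, and two blocked detections lift it further to 0.42. That is the page's argument in numbers: direct impact alone understates the risk, and an unsuccessful threat still moves the estimate.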
Step 4: Bringing it Together - Measuring Risk

Understanding and addressing the preceding elements gives a plant what it needs to begin to make a realistic assessment of its risks.

• It will know the vulnerabilities to look out for.

• It will have put in place elements of threat detection, such as firewalls on the network and connected hosts, and virus protection.

• And it will have identified its most important assets and the potential consequences of an attack on them.

A solution now available to assist ongoing situational awareness is Honeywell's Industrial Cyber Security Risk Manager.

Risk Manager is the first solution to proactively monitor, measure and manage industrial cyber security risk, providing users of all levels with real time visibility, understanding and decision support required for action. With Risk Manager there is no need to be a cyber security expert. The easy-to-use interface allows users to prioritize and focus efforts on managing risks that matter most to reliable plant operations.
More about Cyber Security

For More Information

For industrial organizations, identifying risks is the first stage of the journey to a more secure system in the face of increasing attacks. We'll consider the second stage in our forthcoming e-book on managing the risks.

Meanwhile, for more information about Cyber Security, here are some more resources to help you:

• The Essential Guide to Cyber Security: Download this e-book about the essentials of Industrial Cyber Security and how to ap

• Honeywell Whitepapers: Honeywell experts have published various whitepapers on various elements of Industrial Cyber Security. View the complete list here.

• Case Studies: Read and learn from our case studies to know what other industrial customers are taking to tackle cyber attacks.

• Visit becybersecure.com
7232019 Risk Management eBook Npi Lss
httpslidepdfcomreaderfullrisk-management-ebook-npi-lss 514
5
The Four-Step Guide to Understanding Cyber Risk
copy2015 Hone
bull Attackersrsquo growing sophistication The German attackers had ldquoadvancedknow-how not only of conventionalIT security but also detailed technicalknowledge of the industrial controlsystems and production processesused in the plantrdquo the governmentreport noted
bull The industrialization of cyber crime with skilled attackers selling ldquocrime as aservicerdquo to others without technical skills
bull Growing vulnerabilities as up to 25 billionweb-connected systems and devices inthe ldquoInternet of thingsrdquo come online by2020 Publicly available tools like Shodanlet would-be attackers easily identify ICSsIn 2013 for instance Finnish researchersused the search engine to find nearly3000 unsecured Internet-facing SCADAsystems running the countryrsquos watersupply building automation and othersystems Project SHINE (SHODANInformation Extraction) a multi-yearresearch project aimed at identifyingindustrial control devices that weredirectly connected to the Internetfound millions of such devices
Against this cyber risk managemindustrial control systems is fallin
bull Tools and methods used by ITsecurity professionals for mannetwork risks are not fully adoICS engineering and operation
bull Worse those with legacy systignore best practices avoiding
and virus protection updates theyrsquoll jeopardize plant stability
The result is a growing gap betwcapabilities of attackers and thepitched against them
The Cyber Arms Race
The Threat is Driven by a Number of Factors
7232019 Risk Management eBook Npi Lss
httpslidepdfcomreaderfullrisk-management-ebook-npi-lss 614
6
The Four-Step Guide to Understanding Cyber Risk
copy2015 Hone
What is RiskISO The potential that a given
threat will exploit vulnerabilities
of an asset or group of assets
and thereby cause harm to the
organizationNIST A function of the likelihood
of a given threat mdashsourcersquos
exercising a particular potential
vulnerability and the resulting
impact of that adverse event
on the organization
Fortunately organizations such as the International StanOrganization (ISO) and National Institute of Standards a
Technology (NIST) have developed definitions that are waccepted and used
In both cases risk is seen as a function of the vulnerabi
an asset the threat which is the likelihood an attack wiland the consequence of such an attack being successf
(con
Assessing the Risk
To Understand the Risk We Need a Definition
7232019 Risk Management eBook Npi Lss
httpslidepdfcomreaderfullrisk-management-ebook-npi-lss 714
7
The Four-Step Guide to Understanding Cyber Risk
copy2015 Hone
Assessing the Risk (cont)
To Put it Another Way Risk = Vulnerability983091
Threat983091
Consequence Through a function of vulnerability threat andconsequence we are able to quantify risk By assigninga value (whether between 0 and 1 0-100 or any otherconsistent scale) to each element users derive ametric that provides a consistent measure of risk andcan be used throughout the organization
The ultimate aim of course is to manage thrisk and this will be considered in a forthcome-book However you cannot manage whatcannot measure
This e-book therefore focuses on evaluatingand requires a thorough understanding of al
components in the equation above It is thefour-stage process looking at each elementmdashvulnerabilities and consequencesmdashin turn bbringing them all together
7232019 Risk Management eBook Npi Lss
httpslidepdfcomreaderfullrisk-management-ebook-npi-lss 814
8
The Four-Step Guide to Understanding Cyber Risk
copy2015 Hone
bull First VA tools can probe aggressively to testfor vulnerabilities across enterprises whichmay be unsuitable and unsafe applied tonetwork activity in an ICS
bull Second vulnerabilities are frequently theresult not of a particular device or softwaresuite but poor practices or configurationsmdashweak passwords group accounts withadministrative privileges failures to implementanti-virus programs and host firewalls and soon All of these can be exploited by attackersto leverage systems for unintended purposes
bull Finally vulnerabilities must be looked at operations and processes Control sysare not just a collection of individual debut interconnected systems of devicesaccess controls on an application runnin a control room for example can mawhole process vulnerable not just a siworkstation
A vulnerability is anyquality of an assetthat could allow it tobe exploited Alldigital assets havethem Some areknown some arenrsquotSome are easier toexploit than others
Step 1 Knowing Your Vulnerabilities
A common source of vulnerabilities is software bugs 2014rsquos Heartbleed vulneaffecting half a million websites as well as thousands of connected device
just among the most high profile examples
There are numerous vulnerability assessment (VA) tools to track known vulnerawithin applications and operating systems but these have their limits
7232019 Risk Management eBook Npi Lss
httpslidepdfcomreaderfullrisk-management-ebook-npi-lss 914
9
The Four-Step Guide to Understanding Cyber Risk
copy2015 Hone
Threats may be coincidental oraccidental simple or complex andthe result of a wide range of motivesWhat they have in common is thatthey have ldquothe potential to harmassetseg unauthorized actionsphysical damage technical failuresrdquoas ISO270052011 puts it
They also exploit vulnerabilitiesand when specific vulnerabilitieknown it is possible to predict sof the early signs of threats agathese Each stage of a cyberattack typically consists of sevesteps and by scanning for thesattacks may be detected beforincident occurs
(cont ne
It is threats thatturn a vulnerabilityinto an incident
Step 2 Identifying Threats
7232019 Risk Management eBook Npi Lss
httpslidepdfcomreaderfullrisk-management-ebook-npi-lss 1014
10
The Four-Step Guide to Understanding Cyber Risk
copy2015 Hone
Both vulnerabilities and threats evolveover time This is most obvious withthreats with more than 200000 newvariants of malware (such as virusestrojans or worms) identified every dayBut itrsquos true of vulnerabilities too
First new devices and applications
bring with them new vulnerabilities
Second vulnerabilities are discovin areas previously believed tobe secure Again Heartbleedmdashthat was meant to increase securshowed that the security induststrongest assumptions can beoverthrown overnight It is impossto take anything for granted whit comes to cyber security
Since new vulnerabilities and themerge and are detected all the both must be continuously revie
(cont ne
Moving targetsthe importanceof regular review
Step 2 Identifying Threats (cont)
7232019 Risk Management eBook Npi Lss
httpslidepdfcomreaderfullrisk-management-ebook-npi-lss 1114
11
The Four-Step Guide to Understanding Cyber Risk
copy2015 Hone
When threats align with vulnerabilitiesthe risk of a cyber incident increasessignificantly Take the example of thevirus detected and quarantined byanti-virus software on a control roomserver again The threat (virus) findsno vulnerability because the anti-virussoftware worked But the episodestill shows malware is able to accessthe server which should be in aprotected network
This raises questions of exposuIf known malware has been foucould unknown (ldquozero dayrdquo)malware also be present How the malware introduced Coulddetected malware have also beintroduced to other systems Tthreat although unsuccessful sindicates the potential for infectand therefore contributes to theoverall level of risk
The relationship between threatand vulnerabilities is complex bwith the right tools can be both
understood and managed
Understandingthe relationshipbetween threatsand vulnerabilities
Step 2 Identifying Threats (cont)
7232019 Risk Management eBook Npi Lss
httpslidepdfcomreaderfullrisk-management-ebook-npi-lss 1214
12
The Four-Step Guide to Understanding Cyber Risk
copy2015 Hone
By identifying assets and the impactof a potential attack on them you candetermine the degree to which youshould worry A vulnerability that couldtake a printer offline for exampleis likely to be less of a concern than asuccessful attack on a safety system
Measuring consequences is notstraightforward In many cases theymay correlate closely to costs typicallythrough lost production Howeverconsequences could be far widerencompassing risks to personal safetyenvironmental damage reputational
impacts legal liabilities or even aswersquove seen national security concerns
Furthermore interrelationships inplant must again be recognizedthe consequence of an incident cbe measured solely by the impacon the specific compromised de
A cyber attack may cause a devor server to fail but what if it obtcontrol of the device or server anuses it to cause far wider damag
The potential for impacts to spiral the immediate effect of an initial bris a vital part of any assessment consequences
Consequencesput these threatsand vulnerabilitiesinto perspective
Step 3 Measuring ConsequencesmdashThe Final Piece
7232019 Risk Management eBook Npi Lss
httpslidepdfcomreaderfullrisk-management-ebook-npi-lss 1314
13
The Four-Step Guide to Understanding Cyber Risk
copy2015 Hone
bull It will know the vulnerabilities tolook out for
bull It will have put in place elements ofthreat detection such as firewallson the network and connectedhosts and virus protection
bull And it will have identified its most
important assets and the potentialconsequences of an attack on them
A solution now available to assistongoing situational awareness Honeywellrsquos Industrial Cyber SecRisk Manager
Risk Managermdashthe first solutionto proactively monitor measure amanage industrial cyber security
risk providing users of all levels wreal time visibility understanding decision support required for actWith Risk Manager there is no neto be a cyber security expert Theeasy-to-use interface allows userto prioritize and focus efforts on
managing risks that matter most reliable plant operations
Understandingand addressing thepreceding elementsgives a plant whatit needs to beginto make a realisticassessment ofits risks
Step 4 Bringing it TogetherndashMeasuring Risk
7232019 Risk Management eBook Npi Lss
httpslidepdfcomreaderfullrisk-management-ebook-npi-lss 1414
14
The Four-Step Guide to Understanding Cyber Risk
copy2015 Hone
For industrial organizations identifyingrisks is the first stage of the journeyto a more secure system in the face ofincreasing attacks Wersquoll consider thesecond stage in our forthcoming e-bookon managing the risks
More about Cyber SecurityFor More Information
Meanwhile for more information about Cyber Sechere are some more resources to help you
bull The Essential Guide to Cyber Security Download thisabout the essentials of Industrial Cyber Security and how to ap
bull Honeywell Whitepapers Honeywell experts have publishedvarious whitepapers on various elements of Industrial Cyber Se
View the complete list
bull Case Studies Read and learn from our to knowother industrial customers are taking to tackle cyber attacks
bull Visit
e-boo
here
case studies
becybersecurecom
7232019 Risk Management eBook Npi Lss
httpslidepdfcomreaderfullrisk-management-ebook-npi-lss 614
6
The Four-Step Guide to Understanding Cyber Risk
copy2015 Hone
What is RiskISO The potential that a given
threat will exploit vulnerabilities
of an asset or group of assets
and thereby cause harm to the
organizationNIST A function of the likelihood
of a given threat mdashsourcersquos
exercising a particular potential
vulnerability and the resulting
impact of that adverse event
on the organization
Fortunately organizations such as the International StanOrganization (ISO) and National Institute of Standards a
Technology (NIST) have developed definitions that are waccepted and used
In both cases risk is seen as a function of the vulnerabi
an asset the threat which is the likelihood an attack wiland the consequence of such an attack being successf
(con
Assessing the Risk
To Understand the Risk We Need a Definition
7232019 Risk Management eBook Npi Lss
httpslidepdfcomreaderfullrisk-management-ebook-npi-lss 714
7
The Four-Step Guide to Understanding Cyber Risk
copy2015 Hone
Assessing the Risk (cont.)
To Put it Another Way: Risk = Vulnerability × Threat × Consequence

Through a function of vulnerability, threat and consequence we are able to quantify risk. By assigning a value (whether between 0 and 1, 0-100 or any other consistent scale) to each element, users derive a metric that provides a consistent measure of risk and can be used throughout the organization.
The ultimate aim, of course, is to manage the risk, and this will be considered in a forthcoming e-book. However, you cannot manage what you cannot measure.
This e-book therefore focuses on evaluating risk, and that requires a thorough understanding of all components in the equation above. It is a four-stage process, looking at each element (threats, vulnerabilities and consequences) in turn before bringing them all together.
Step 1: Knowing Your Vulnerabilities

A vulnerability is any quality of an asset that could allow it to be exploited. All digital assets have them. Some are known, some aren't. Some are easier to exploit than others.

A common source of vulnerabilities is software bugs. 2014's Heartbleed vulnerability, affecting half a million websites as well as thousands of connected devices, is just among the most high-profile examples.
There are numerous vulnerability assessment (VA) tools to track known vulnerabilities within applications and operating systems, but these have their limits:
• First, VA tools can probe aggressively to test for vulnerabilities across enterprises, which may be unsuitable and unsafe when applied to network activity in an ICS.
• Second, vulnerabilities are frequently the result not of a particular device or software suite but of poor practices or configurations: weak passwords, group accounts with administrative privileges, failures to implement anti-virus programs and host firewalls, and so on. All of these can be exploited by attackers to leverage systems for unintended purposes.
• Finally, vulnerabilities must be looked at across operations and processes. Control systems are not just a collection of individual devices but interconnected systems of devices. Weak access controls on an application running in a control room, for example, can make the whole process vulnerable, not just a single workstation.
Step 2: Identifying Threats

It is threats that turn a vulnerability into an incident.

Threats may be coincidental or accidental, simple or complex, and the result of a wide range of motives. What they have in common is that they have "the potential to harm assets, e.g. unauthorized actions, physical damage, technical failures", as ISO 27005:2011 puts it.
They also exploit vulnerabilities, and when specific vulnerabilities are known it is possible to predict some of the early signs of threats against these. Each stage of a cyber attack typically consists of several steps, and by scanning for these, attacks may be detected before an incident occurs.
(cont. next page)
Step 2: Identifying Threats (cont.)
Moving targets: the importance of regular review

Both vulnerabilities and threats evolve over time. This is most obvious with threats, with more than 200,000 new variants of malware (such as viruses, trojans or worms) identified every day. But it's true of vulnerabilities too.
First, new devices and applications bring with them new vulnerabilities.
Second, vulnerabilities are discovered in areas previously believed to be secure. Again, Heartbleed, found in software that was meant to increase security, showed that the security industry's strongest assumptions can be overthrown overnight. It is impossible to take anything for granted when it comes to cyber security.
Since new vulnerabilities and threats emerge and are detected all the time, both must be continuously reviewed.
(cont. next page)
Step 2: Identifying Threats (cont.)
Understanding the relationship between threats and vulnerabilities

When threats align with vulnerabilities, the risk of a cyber incident increases significantly. Take the example of the virus detected and quarantined by anti-virus software on a control room server again. The threat (the virus) finds no vulnerability because the anti-virus software worked. But the episode still shows that malware is able to access the server, which should be in a protected network.
This raises questions of exposure. If known malware has been found, could unknown ("zero day") malware also be present? How was the malware introduced? Could the detected malware have also been introduced to other systems? The threat, although unsuccessful, still indicates the potential for infection and therefore contributes to the overall level of risk.
The relationship between threats and vulnerabilities is complex, but with the right tools it can be both understood and managed.
Step 3: Measuring Consequences – The Final Piece
Consequences put these threats and vulnerabilities into perspective

By identifying assets and the impact of a potential attack on them, you can determine the degree to which you should worry. A vulnerability that could take a printer offline, for example, is likely to be less of a concern than a successful attack on a safety system.
Measuring consequences is not straightforward. In many cases they may correlate closely to costs, typically through lost production. However, consequences could be far wider, encompassing risks to personal safety, environmental damage, reputational impacts, legal liabilities or even, as we've seen, national security concerns.
Furthermore, interrelationships in the plant must again be recognized: the consequence of an incident cannot be measured solely by the impact on the specific compromised device.
A cyber attack may cause a device or server to fail, but what if it obtains control of the device or server and uses it to cause far wider damage?
The potential for impacts to spiral beyond the immediate effect of an initial breach is a vital part of any assessment of consequences.
Step 4: Bringing it Together – Measuring Risk

Understanding and addressing the preceding elements gives a plant what it needs to begin to make a realistic assessment of its risks:
• It will know the vulnerabilities to look out for.
• It will have put in place elements of threat detection, such as firewalls on the network and connected hosts, and virus protection.
• And it will have identified its most important assets and the potential consequences of an attack on them.

A solution is now available to assist with ongoing situational awareness: Honeywell's Industrial Cyber Security Risk Manager.
Risk Manager is the first solution to proactively monitor, measure and manage industrial cyber security risk, providing users of all levels with the real-time visibility, understanding and decision support required for action. With Risk Manager there is no need to be a cyber security expert. The easy-to-use interface allows users to prioritize and focus efforts on managing the risks that matter most to reliable plant operations.
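The four steps brought together as an added worked example, not code from the e-book or from Honeywell's Risk Manager: a constructed three-asset plant is scored on the Risk = Vulnerability × Threat × Consequence metric, with mixed input scales normalised to 0-1 as the text suggests. The `reaches` relationship and the downstream-consequence rule are modelling assumptions of my own, added to reflect Step 3's point that impacts can spiral beyond the first device compromised.

```python
"""Risk = Vulnerability x Threat x Consequence, worked through in code.

Added illustration only: not code from the e-book or from any Honeywell
product. Each element is scored on one consistent scale (0-1, as the
e-book suggests) and the three scores are multiplied to give a single
risk figure per asset. All assets, scores and connections are constructed
sample data.
"""
from dataclasses import dataclass, field


def normalize(value: float, scale_max: float) -> float:
    """Map a score on 0..scale_max onto 0..1, so that assets scored on
    different scales (0-1, 0-100, 1-5, ...) meet on one risk metric."""
    if scale_max <= 0:
        raise ValueError("scale_max must be positive")
    if not 0 <= value <= scale_max:
        raise ValueError(f"score {value} is outside 0..{scale_max}")
    return value / scale_max


@dataclass
class Asset:
    name: str
    vulnerability: float  # Step 1: how exploitable the asset is
    threat: float         # Step 2: likelihood that a threat exercises it
    consequence: float    # Step 3: impact if an attack on it succeeds
    # Assets this one could be used against once compromised. Modelling
    # assumption added here to capture the e-book's point that impacts can
    # spiral beyond the first device breached.
    reaches: list = field(default_factory=list)


def effective_consequence(asset: Asset, by_name: dict, seen=None) -> float:
    """Worst-case consequence of losing `asset`: its own impact or that of
    any asset it can reach, whichever is higher (Step 3, widened)."""
    seen = set() if seen is None else seen
    if asset.name in seen:  # already counted; also stops cycles
        return 0.0
    seen.add(asset.name)
    worst = asset.consequence
    for other in asset.reaches:
        worst = max(worst, effective_consequence(by_name[other], by_name, seen))
    return worst


def risk(asset: Asset, by_name: dict) -> float:
    """The e-book's product, with consequence widened to downstream impact."""
    return asset.vulnerability * asset.threat * effective_consequence(asset, by_name)


def rank(assets: list) -> list:
    """(name, risk) pairs from highest to lowest: the prioritisation view
    Step 4 is after. Risk is rounded to three places for readability."""
    by_name = {a.name: a for a in assets}
    scored = [(a.name, round(risk(a, by_name), 3)) for a in assets]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample plant, scored on mixed scales and normalised to 0-1.
SAMPLE_ASSETS = [
    # Office printer: easy to knock offline, but little comes of it.
    Asset("printer", normalize(80, 100), normalize(3, 5), normalize(10, 100)),
    # Control-room server where anti-virus quarantined known malware. The
    # attack failed, yet the episode shows malware reached the protected
    # network, so the threat score is kept high (the e-book's exposure point).
    Asset("control_room_server", normalize(40, 100), normalize(4, 5),
          normalize(60, 100), reaches=["safety_system"]),
    # Safety system: hard to reach directly, the worst thing to lose.
    Asset("safety_system", normalize(10, 100), normalize(1, 5),
          normalize(100, 100)),
]


if __name__ == "__main__":
    for name, score in rank(SAMPLE_ASSETS):
        print(f"{name:<20} risk={score}")
    # The server outranks the printer even though the printer is easier to
    # exploit: what the server can reach drives its consequence to 1.0.
```

Scoring the server's consequence on its own (0.6) would give a risk of 0.192; counting what it can reach raises that to 0.32, which is the difference Step 3 asks an assessment to capture.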
More about Cyber Security
For More Information

For industrial organizations, identifying risks is the first stage of the journey to a more secure system in the face of increasing attacks. We'll consider the second stage in our forthcoming e-book on managing the risks.
Meanwhile, for more information about Cyber Security, here are some more resources to help you:
• The Essential Guide to Cyber Security: Download this e-book about the essentials of Industrial Cyber Security and how to apply them.
• Honeywell Whitepapers: Honeywell experts have published various whitepapers on various elements of Industrial Cyber Security. View the complete list here.
• Case Studies: Read and learn from our case studies to know what steps other industrial customers are taking to tackle cyber attacks.
• Visit becybersecure.com
7232019 Risk Management eBook Npi Lss
httpslidepdfcomreaderfullrisk-management-ebook-npi-lss 714
7
The Four-Step Guide to Understanding Cyber Risk
copy2015 Hone
Assessing the Risk (cont)
To Put it Another Way Risk = Vulnerability983091
Threat983091
Consequence Through a function of vulnerability threat andconsequence we are able to quantify risk By assigninga value (whether between 0 and 1 0-100 or any otherconsistent scale) to each element users derive ametric that provides a consistent measure of risk andcan be used throughout the organization
The ultimate aim of course is to manage thrisk and this will be considered in a forthcome-book However you cannot manage whatcannot measure
This e-book therefore focuses on evaluatingand requires a thorough understanding of al
components in the equation above It is thefour-stage process looking at each elementmdashvulnerabilities and consequencesmdashin turn bbringing them all together
7232019 Risk Management eBook Npi Lss
httpslidepdfcomreaderfullrisk-management-ebook-npi-lss 814
8
The Four-Step Guide to Understanding Cyber Risk
copy2015 Hone
bull First VA tools can probe aggressively to testfor vulnerabilities across enterprises whichmay be unsuitable and unsafe applied tonetwork activity in an ICS
bull Second vulnerabilities are frequently theresult not of a particular device or softwaresuite but poor practices or configurationsmdashweak passwords group accounts withadministrative privileges failures to implementanti-virus programs and host firewalls and soon All of these can be exploited by attackersto leverage systems for unintended purposes
bull Finally vulnerabilities must be looked at operations and processes Control sysare not just a collection of individual debut interconnected systems of devicesaccess controls on an application runnin a control room for example can mawhole process vulnerable not just a siworkstation
A vulnerability is anyquality of an assetthat could allow it tobe exploited Alldigital assets havethem Some areknown some arenrsquotSome are easier toexploit than others
Step 1 Knowing Your Vulnerabilities
A common source of vulnerabilities is software bugs 2014rsquos Heartbleed vulneaffecting half a million websites as well as thousands of connected device
just among the most high profile examples
There are numerous vulnerability assessment (VA) tools to track known vulnerawithin applications and operating systems but these have their limits
7232019 Risk Management eBook Npi Lss
httpslidepdfcomreaderfullrisk-management-ebook-npi-lss 914
9
The Four-Step Guide to Understanding Cyber Risk
copy2015 Hone
Threats may be coincidental oraccidental simple or complex andthe result of a wide range of motivesWhat they have in common is thatthey have ldquothe potential to harmassetseg unauthorized actionsphysical damage technical failuresrdquoas ISO270052011 puts it
They also exploit vulnerabilitiesand when specific vulnerabilitieknown it is possible to predict sof the early signs of threats agathese Each stage of a cyberattack typically consists of sevesteps and by scanning for thesattacks may be detected beforincident occurs
(cont ne
It is threats thatturn a vulnerabilityinto an incident
Step 2 Identifying Threats
7232019 Risk Management eBook Npi Lss
httpslidepdfcomreaderfullrisk-management-ebook-npi-lss 1014
10
The Four-Step Guide to Understanding Cyber Risk
copy2015 Hone
Both vulnerabilities and threats evolveover time This is most obvious withthreats with more than 200000 newvariants of malware (such as virusestrojans or worms) identified every dayBut itrsquos true of vulnerabilities too
First new devices and applications
bring with them new vulnerabilities
Second vulnerabilities are discovin areas previously believed tobe secure Again Heartbleedmdashthat was meant to increase securshowed that the security induststrongest assumptions can beoverthrown overnight It is impossto take anything for granted whit comes to cyber security
Since new vulnerabilities and themerge and are detected all the both must be continuously revie
(cont ne
Moving targetsthe importanceof regular review
Step 2 Identifying Threats (cont)
7232019 Risk Management eBook Npi Lss
httpslidepdfcomreaderfullrisk-management-ebook-npi-lss 1114
11
The Four-Step Guide to Understanding Cyber Risk
copy2015 Hone
When threats align with vulnerabilitiesthe risk of a cyber incident increasessignificantly Take the example of thevirus detected and quarantined byanti-virus software on a control roomserver again The threat (virus) findsno vulnerability because the anti-virussoftware worked But the episodestill shows malware is able to accessthe server which should be in aprotected network
This raises questions of exposuIf known malware has been foucould unknown (ldquozero dayrdquo)malware also be present How the malware introduced Coulddetected malware have also beintroduced to other systems Tthreat although unsuccessful sindicates the potential for infectand therefore contributes to theoverall level of risk
The relationship between threatand vulnerabilities is complex bwith the right tools can be both
understood and managed
Understandingthe relationshipbetween threatsand vulnerabilities
Step 2 Identifying Threats (cont)
7232019 Risk Management eBook Npi Lss
httpslidepdfcomreaderfullrisk-management-ebook-npi-lss 1214
12
The Four-Step Guide to Understanding Cyber Risk
copy2015 Hone
By identifying assets and the impactof a potential attack on them you candetermine the degree to which youshould worry A vulnerability that couldtake a printer offline for exampleis likely to be less of a concern than asuccessful attack on a safety system
Measuring consequences is notstraightforward In many cases theymay correlate closely to costs typicallythrough lost production Howeverconsequences could be far widerencompassing risks to personal safetyenvironmental damage reputational
impacts legal liabilities or even aswersquove seen national security concerns
Furthermore interrelationships inplant must again be recognizedthe consequence of an incident cbe measured solely by the impacon the specific compromised de
A cyber attack may cause a devor server to fail but what if it obtcontrol of the device or server anuses it to cause far wider damag
The potential for impacts to spiral the immediate effect of an initial bris a vital part of any assessment consequences
Consequencesput these threatsand vulnerabilitiesinto perspective
Step 3 Measuring ConsequencesmdashThe Final Piece
7232019 Risk Management eBook Npi Lss
httpslidepdfcomreaderfullrisk-management-ebook-npi-lss 1314
13
The Four-Step Guide to Understanding Cyber Risk
copy2015 Hone
bull It will know the vulnerabilities tolook out for
bull It will have put in place elements ofthreat detection such as firewallson the network and connectedhosts and virus protection
bull And it will have identified its most
important assets and the potentialconsequences of an attack on them
A solution now available to assistongoing situational awareness Honeywellrsquos Industrial Cyber SecRisk Manager
Risk Managermdashthe first solutionto proactively monitor measure amanage industrial cyber security
risk providing users of all levels wreal time visibility understanding decision support required for actWith Risk Manager there is no neto be a cyber security expert Theeasy-to-use interface allows userto prioritize and focus efforts on
managing risks that matter most reliable plant operations
Understandingand addressing thepreceding elementsgives a plant whatit needs to beginto make a realisticassessment ofits risks
Step 4 Bringing it TogetherndashMeasuring Risk
7232019 Risk Management eBook Npi Lss
httpslidepdfcomreaderfullrisk-management-ebook-npi-lss 1414
14
The Four-Step Guide to Understanding Cyber Risk
copy2015 Hone
For industrial organizations identifyingrisks is the first stage of the journeyto a more secure system in the face ofincreasing attacks Wersquoll consider thesecond stage in our forthcoming e-bookon managing the risks
More about Cyber SecurityFor More Information
Meanwhile for more information about Cyber Sechere are some more resources to help you
bull The Essential Guide to Cyber Security Download thisabout the essentials of Industrial Cyber Security and how to ap
bull Honeywell Whitepapers Honeywell experts have publishedvarious whitepapers on various elements of Industrial Cyber Se
View the complete list
bull Case Studies Read and learn from our to knowother industrial customers are taking to tackle cyber attacks
bull Visit
e-boo
here
case studies
becybersecurecom
7232019 Risk Management eBook Npi Lss
httpslidepdfcomreaderfullrisk-management-ebook-npi-lss 814
8
The Four-Step Guide to Understanding Cyber Risk
copy2015 Hone
bull First VA tools can probe aggressively to testfor vulnerabilities across enterprises whichmay be unsuitable and unsafe applied tonetwork activity in an ICS
bull Second vulnerabilities are frequently theresult not of a particular device or softwaresuite but poor practices or configurationsmdashweak passwords group accounts withadministrative privileges failures to implementanti-virus programs and host firewalls and soon All of these can be exploited by attackersto leverage systems for unintended purposes
bull Finally vulnerabilities must be looked at operations and processes Control sysare not just a collection of individual debut interconnected systems of devicesaccess controls on an application runnin a control room for example can mawhole process vulnerable not just a siworkstation
A vulnerability is anyquality of an assetthat could allow it tobe exploited Alldigital assets havethem Some areknown some arenrsquotSome are easier toexploit than others
Step 1 Knowing Your Vulnerabilities
A common source of vulnerabilities is software bugs 2014rsquos Heartbleed vulneaffecting half a million websites as well as thousands of connected device
just among the most high profile examples
There are numerous vulnerability assessment (VA) tools to track known vulnerawithin applications and operating systems but these have their limits
7232019 Risk Management eBook Npi Lss
httpslidepdfcomreaderfullrisk-management-ebook-npi-lss 914
9
The Four-Step Guide to Understanding Cyber Risk
copy2015 Hone
Threats may be coincidental oraccidental simple or complex andthe result of a wide range of motivesWhat they have in common is thatthey have ldquothe potential to harmassetseg unauthorized actionsphysical damage technical failuresrdquoas ISO270052011 puts it
They also exploit vulnerabilitiesand when specific vulnerabilitieknown it is possible to predict sof the early signs of threats agathese Each stage of a cyberattack typically consists of sevesteps and by scanning for thesattacks may be detected beforincident occurs
(cont ne
It is threats thatturn a vulnerabilityinto an incident
Step 2 Identifying Threats
7232019 Risk Management eBook Npi Lss
httpslidepdfcomreaderfullrisk-management-ebook-npi-lss 1014
10
The Four-Step Guide to Understanding Cyber Risk
copy2015 Hone
Both vulnerabilities and threats evolveover time This is most obvious withthreats with more than 200000 newvariants of malware (such as virusestrojans or worms) identified every dayBut itrsquos true of vulnerabilities too
First new devices and applications
bring with them new vulnerabilities
Second vulnerabilities are discovin areas previously believed tobe secure Again Heartbleedmdashthat was meant to increase securshowed that the security induststrongest assumptions can beoverthrown overnight It is impossto take anything for granted whit comes to cyber security
Since new vulnerabilities and themerge and are detected all the both must be continuously revie
(cont ne
Moving targetsthe importanceof regular review
Step 2 Identifying Threats (cont)
7232019 Risk Management eBook Npi Lss
httpslidepdfcomreaderfullrisk-management-ebook-npi-lss 1114
11
The Four-Step Guide to Understanding Cyber Risk
copy2015 Hone
When threats align with vulnerabilitiesthe risk of a cyber incident increasessignificantly Take the example of thevirus detected and quarantined byanti-virus software on a control roomserver again The threat (virus) findsno vulnerability because the anti-virussoftware worked But the episodestill shows malware is able to accessthe server which should be in aprotected network
This raises questions of exposuIf known malware has been foucould unknown (ldquozero dayrdquo)malware also be present How the malware introduced Coulddetected malware have also beintroduced to other systems Tthreat although unsuccessful sindicates the potential for infectand therefore contributes to theoverall level of risk
The relationship between threatand vulnerabilities is complex bwith the right tools can be both
understood and managed
Understandingthe relationshipbetween threatsand vulnerabilities
Step 2 Identifying Threats (cont)
7232019 Risk Management eBook Npi Lss
httpslidepdfcomreaderfullrisk-management-ebook-npi-lss 1214
12
The Four-Step Guide to Understanding Cyber Risk
copy2015 Hone
By identifying assets and the impactof a potential attack on them you candetermine the degree to which youshould worry A vulnerability that couldtake a printer offline for exampleis likely to be less of a concern than asuccessful attack on a safety system
Measuring consequences is notstraightforward In many cases theymay correlate closely to costs typicallythrough lost production Howeverconsequences could be far widerencompassing risks to personal safetyenvironmental damage reputational
impacts legal liabilities or even aswersquove seen national security concerns
Furthermore interrelationships inplant must again be recognizedthe consequence of an incident cbe measured solely by the impacon the specific compromised de
A cyber attack may cause a devor server to fail but what if it obtcontrol of the device or server anuses it to cause far wider damag
The potential for impacts to spiral the immediate effect of an initial bris a vital part of any assessment consequences
Consequencesput these threatsand vulnerabilitiesinto perspective
Step 3 Measuring ConsequencesmdashThe Final Piece
7232019 Risk Management eBook Npi Lss
httpslidepdfcomreaderfullrisk-management-ebook-npi-lss 1314
13
The Four-Step Guide to Understanding Cyber Risk
copy2015 Hone
bull It will know the vulnerabilities tolook out for
bull It will have put in place elements ofthreat detection such as firewallson the network and connectedhosts and virus protection
bull And it will have identified its most
important assets and the potentialconsequences of an attack on them
A solution now available to assistongoing situational awareness Honeywellrsquos Industrial Cyber SecRisk Manager
Risk Managermdashthe first solutionto proactively monitor measure amanage industrial cyber security
risk providing users of all levels wreal time visibility understanding decision support required for actWith Risk Manager there is no neto be a cyber security expert Theeasy-to-use interface allows userto prioritize and focus efforts on
managing risks that matter most reliable plant operations
Understandingand addressing thepreceding elementsgives a plant whatit needs to beginto make a realisticassessment ofits risks
Step 4 Bringing it TogetherndashMeasuring Risk
7232019 Risk Management eBook Npi Lss
httpslidepdfcomreaderfullrisk-management-ebook-npi-lss 1414
14
The Four-Step Guide to Understanding Cyber Risk
copy2015 Hone
For industrial organizations identifyingrisks is the first stage of the journeyto a more secure system in the face ofincreasing attacks Wersquoll consider thesecond stage in our forthcoming e-bookon managing the risks
More about Cyber SecurityFor More Information
Meanwhile for more information about Cyber Sechere are some more resources to help you
bull The Essential Guide to Cyber Security Download thisabout the essentials of Industrial Cyber Security and how to ap
bull Honeywell Whitepapers Honeywell experts have publishedvarious whitepapers on various elements of Industrial Cyber Se
View the complete list
bull Case Studies Read and learn from our to knowother industrial customers are taking to tackle cyber attacks
bull Visit
e-boo
here
case studies
becybersecurecom
7232019 Risk Management eBook Npi Lss
httpslidepdfcomreaderfullrisk-management-ebook-npi-lss 914
9
The Four-Step Guide to Understanding Cyber Risk
copy2015 Hone
Threats may be coincidental oraccidental simple or complex andthe result of a wide range of motivesWhat they have in common is thatthey have ldquothe potential to harmassetseg unauthorized actionsphysical damage technical failuresrdquoas ISO270052011 puts it
They also exploit vulnerabilitiesand when specific vulnerabilitieknown it is possible to predict sof the early signs of threats agathese Each stage of a cyberattack typically consists of sevesteps and by scanning for thesattacks may be detected beforincident occurs
(cont ne
It is threats thatturn a vulnerabilityinto an incident
Step 2 Identifying Threats
7232019 Risk Management eBook Npi Lss
httpslidepdfcomreaderfullrisk-management-ebook-npi-lss 1014
10
The Four-Step Guide to Understanding Cyber Risk
copy2015 Hone
Both vulnerabilities and threats evolveover time This is most obvious withthreats with more than 200000 newvariants of malware (such as virusestrojans or worms) identified every dayBut itrsquos true of vulnerabilities too
First new devices and applications
bring with them new vulnerabilities
Second vulnerabilities are discovin areas previously believed tobe secure Again Heartbleedmdashthat was meant to increase securshowed that the security induststrongest assumptions can beoverthrown overnight It is impossto take anything for granted whit comes to cyber security
Since new vulnerabilities and themerge and are detected all the both must be continuously revie
(cont ne
Moving targetsthe importanceof regular review
Step 2 Identifying Threats (cont)
7232019 Risk Management eBook Npi Lss
httpslidepdfcomreaderfullrisk-management-ebook-npi-lss 1114
11
The Four-Step Guide to Understanding Cyber Risk
copy2015 Hone
When threats align with vulnerabilitiesthe risk of a cyber incident increasessignificantly Take the example of thevirus detected and quarantined byanti-virus software on a control roomserver again The threat (virus) findsno vulnerability because the anti-virussoftware worked But the episodestill shows malware is able to accessthe server which should be in aprotected network
This raises questions of exposuIf known malware has been foucould unknown (ldquozero dayrdquo)malware also be present How the malware introduced Coulddetected malware have also beintroduced to other systems Tthreat although unsuccessful sindicates the potential for infectand therefore contributes to theoverall level of risk
The relationship between threatand vulnerabilities is complex bwith the right tools can be both
understood and managed
Understandingthe relationshipbetween threatsand vulnerabilities
Step 2 Identifying Threats (cont)
7232019 Risk Management eBook Npi Lss
httpslidepdfcomreaderfullrisk-management-ebook-npi-lss 1214
12
The Four-Step Guide to Understanding Cyber Risk
copy2015 Hone
By identifying assets and the impactof a potential attack on them you candetermine the degree to which youshould worry A vulnerability that couldtake a printer offline for exampleis likely to be less of a concern than asuccessful attack on a safety system
Measuring consequences is notstraightforward In many cases theymay correlate closely to costs typicallythrough lost production Howeverconsequences could be far widerencompassing risks to personal safetyenvironmental damage reputational
impacts legal liabilities or even aswersquove seen national security concerns
Furthermore interrelationships inplant must again be recognizedthe consequence of an incident cbe measured solely by the impacon the specific compromised de
A cyber attack may cause a devor server to fail but what if it obtcontrol of the device or server anuses it to cause far wider damag
The potential for impacts to spiral the immediate effect of an initial bris a vital part of any assessment consequences
Consequencesput these threatsand vulnerabilitiesinto perspective
Step 3 Measuring ConsequencesmdashThe Final Piece
7232019 Risk Management eBook Npi Lss
httpslidepdfcomreaderfullrisk-management-ebook-npi-lss 1314
13
The Four-Step Guide to Understanding Cyber Risk
copy2015 Hone
bull It will know the vulnerabilities tolook out for
bull It will have put in place elements ofthreat detection such as firewallson the network and connectedhosts and virus protection
bull And it will have identified its most
important assets and the potentialconsequences of an attack on them
A solution now available to assistongoing situational awareness Honeywellrsquos Industrial Cyber SecRisk Manager
Risk Managermdashthe first solutionto proactively monitor measure amanage industrial cyber security
risk providing users of all levels wreal time visibility understanding decision support required for actWith Risk Manager there is no neto be a cyber security expert Theeasy-to-use interface allows userto prioritize and focus efforts on
managing risks that matter most reliable plant operations
Understandingand addressing thepreceding elementsgives a plant whatit needs to beginto make a realisticassessment ofits risks
Step 4 Bringing it TogetherndashMeasuring Risk
7232019 Risk Management eBook Npi Lss
httpslidepdfcomreaderfullrisk-management-ebook-npi-lss 1414
14
The Four-Step Guide to Understanding Cyber Risk
copy2015 Hone
For industrial organizations identifyingrisks is the first stage of the journeyto a more secure system in the face ofincreasing attacks Wersquoll consider thesecond stage in our forthcoming e-bookon managing the risks
More about Cyber SecurityFor More Information
Meanwhile for more information about Cyber Sechere are some more resources to help you
bull The Essential Guide to Cyber Security Download thisabout the essentials of Industrial Cyber Security and how to ap
bull Honeywell Whitepapers Honeywell experts have publishedvarious whitepapers on various elements of Industrial Cyber Se
View the complete list
bull Case Studies Read and learn from our to knowother industrial customers are taking to tackle cyber attacks
bull Visit
e-boo
here
case studies
becybersecurecom
7232019 Risk Management eBook Npi Lss
httpslidepdfcomreaderfullrisk-management-ebook-npi-lss 1014
10
The Four-Step Guide to Understanding Cyber Risk
copy2015 Hone
Both vulnerabilities and threats evolveover time This is most obvious withthreats with more than 200000 newvariants of malware (such as virusestrojans or worms) identified every dayBut itrsquos true of vulnerabilities too
First new devices and applications
bring with them new vulnerabilities
Second vulnerabilities are discovin areas previously believed tobe secure Again Heartbleedmdashthat was meant to increase securshowed that the security induststrongest assumptions can beoverthrown overnight It is impossto take anything for granted whit comes to cyber security
Since new vulnerabilities and themerge and are detected all the both must be continuously revie
(cont ne
Moving targetsthe importanceof regular review
Step 2 Identifying Threats (cont)
Step 2: Identifying Threats (cont.)

Understanding the relationship between threats and vulnerabilities

When threats align with vulnerabilities, the risk of a cyber incident increases significantly. Take the example of the virus detected and quarantined by anti-virus software on a control room server again. The threat (virus) finds no vulnerability because the anti-virus software worked. But the episode still shows malware is able to access the server, which should be in a protected network.

This raises questions of exposure. If known malware has been found, could unknown ("zero day") malware also be present? How was the malware introduced? Could the detected malware have also been introduced to other systems? The threat, although unsuccessful, still indicates the potential for infection and therefore contributes to the overall level of risk.

The relationship between threats and vulnerabilities is complex, but with the right tools it can be both understood and managed.
Step 3: Measuring Consequences – The Final Piece

Consequences put these threats and vulnerabilities into perspective

By identifying assets and the impact of a potential attack on them, you can determine the degree to which you should worry. A vulnerability that could take a printer offline, for example, is likely to be less of a concern than a successful attack on a safety system.

Measuring consequences is not straightforward. In many cases they may correlate closely to costs, typically through lost production. However, consequences could be far wider, encompassing risks to personal safety, environmental damage, reputational impacts, legal liabilities or even, as we've seen, national security concerns.

Furthermore, interrelationships in the plant must again be recognized: the consequence of an incident cannot be measured solely by the impact on the specific compromised device.

A cyber attack may cause a device or server to fail, but what if it obtains control of the device or server and uses it to cause far wider damage?

The potential for impacts to spiral beyond the immediate effect of an initial breach is a vital part of any assessment of consequences.
Step 4: Bringing it Together – Measuring Risk

Understanding and addressing the preceding elements gives a plant what it needs to begin to make a realistic assessment of its risks:

• It will know the vulnerabilities to look out for.
• It will have put in place elements of threat detection, such as firewalls on the network and connected hosts, and virus protection.
• And it will have identified its most important assets and the potential consequences of an attack on them.

A solution now available to assist with ongoing situational awareness is Honeywell's Industrial Cyber Security Risk Manager.

Risk Manager is the first solution to proactively monitor, measure and manage industrial cyber security risk, providing users of all levels with the real-time visibility, understanding and decision support required for action. With Risk Manager there is no need to be a cyber security expert. The easy-to-use interface allows users to prioritize and focus efforts on managing the risks that matter most to reliable plant operations.
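The spiralling consequences described in Step 3 and the combination of vulnerability, threat and consequence in Step 4, as an added illustration in Python. This is a constructed toy model, not code from this eBook and not how Honeywell's Risk Manager scores risk; the asset names, dependency graph, scores and the multiplicative formula are all assumptions made for the example.

```python
"""Toy cyber-risk model for the three elements the guide describes.
Added illustration only: an assumed model, not Honeywell Risk Manager.
Every asset, score and dependency below is constructed for the example."""

# Constructed asset inventory. 'consequence' is the asset's own impact score
# (1 = nuisance, 5 = safety/environmental impact); 'depends_on' lists the
# assets whose compromise would also disrupt this one.
ASSETS = {
    "office_printer":      {"consequence": 1, "depends_on": []},
    "historian":           {"consequence": 2, "depends_on": ["control_room_server"]},
    "control_room_server": {"consequence": 3, "depends_on": []},
    "plc_line1":           {"consequence": 4, "depends_on": ["control_room_server"]},
    "safety_system":       {"consequence": 5, "depends_on": ["plc_line1"]},
}


def dependents(asset, assets):
    """All assets transitively disrupted when `asset` is compromised."""
    found, stack = set(), [asset]
    while stack:
        current = stack.pop()
        for name, info in assets.items():
            if current in info["depends_on"] and name not in found:
                found.add(name)
                stack.append(name)
    return found


def effective_consequence(asset, assets):
    """Step 3: the worst outcome reachable from the asset, not just its own score."""
    reach = dependents(asset, assets) | {asset}
    return max(assets[a]["consequence"] for a in reach)


def risk_score(asset, assets, vulnerability, threat):
    """Step 4 (assumed formula): vulnerability (0-1 exploitability) x threat
    (0-1 observed activity) x effective consequence. A detected-but-quarantined
    virus still raises the threat term: malware reached a protected network."""
    return round(vulnerability * threat * effective_consequence(asset, assets), 2)


def rank(assets, observations):
    """observations: asset -> (vulnerability, threat). Highest risk first."""
    scored = {a: risk_score(a, assets, v, t) for a, (v, t) in observations.items()}
    return sorted(scored.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    # Constructed observations: the printer has a serious, actively probed flaw;
    # the control room server has a milder flaw but known malware was found on it.
    obs = {"office_printer": (0.9, 0.8), "control_room_server": (0.4, 0.7),
           "safety_system": (0.1, 0.1)}
    for asset, score in rank(ASSETS, obs):
        print(f"{asset:22s} consequence={effective_consequence(asset, ASSETS)} risk={score}")
```

The server, whose own consequence score is only 3, tops the ranking because the safety system sits downstream of it; the printer's worse vulnerability stays a lesser concern.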
For industrial organizations, identifying risks is the first stage of the journey to a more secure system in the face of increasing attacks. We'll consider the second stage in our forthcoming e-book on managing the risks.

More About Cyber Security

For More Information

Meanwhile, for more information about Cyber Security, here are some more resources to help you:

• The Essential Guide to Cyber Security: Download this e-book about the essentials of Industrial Cyber Security and how to ap
• Honeywell Whitepapers: Honeywell experts have published various whitepapers on various elements of Industrial Cyber Security. View the complete list here.
• Case Studies: Read and learn from our case studies to know what steps other industrial customers are taking to tackle cyber attacks.
• Visit becybersecure.com