Deconstructing risk can help focus where we should be spending our time and money to reduce risk. Most security controls in OT reduce the likelihood of a cyber incident that causes an impact on operations.

How much of a reduction of likelihood, and consequentially risk, is achieved by the selected security control?

There are two answers to this question: a relative likelihood reduction and an absolute likelihood reduction. Let’s use microsegmentation in OT, Purdue levels 0 – 2, as an example.

If an attacker has breached the OT system, microsegmentation will limit what protocols they can use to attack a zone or a cyber asset. The automotive OT system in the S4x26 POC Pavilion had two lines, a paint line and an assembly line. Some of the participating vendors implemented microsegmentation that limited communications between these lines, to and from the MES, and to and from the SCADA system.

The likelihood of an attack that breached the OT system causing a high consequence event is reduced by some amount if least privilege microsegmentation is deployed properly (and the OT system doesn’t require insecure control and administration protocols between the segments). We could run Monte Carlo or other tests to determine how much reduction is achieved.

Let’s pull a number out of the air … 80%. Let’s say the testing estimated that microsegmentation reduced the likelihood of an attack that had breached the OT system causing a high consequence event by 80%, an impressive security control. This 80% is a relative likelihood reduction. It assumes the OT system breach has occurred.

The absolute likelihood reduction is the 80% relative likelihood reduction multiplied by the likelihood the OT system is breached. If the likelihood of an OT breach in a year is .1%, one thousandth, then the likelihood has been reduced by .08%. That is a much less impressive likelihood reduction and a tougher decision on whether microsegmentation is worth the time and money.

While the likelihood of an OT breach in a year has been a small number like .1% for the past two decades, this could change at any time, and we don’t have solid data. And a small number of security controls, such as a strong OT / IT security perimeter with no unrestricted Internet access to OT cyber assets, are required for this low OT breach likelihood.
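The relative-to-absolute arithmetic above, carried a step further as an added example (not code from the post): it reproduces the 80% × .1% = .08% figure, converts it into expected annual loss, and computes the breach likelihood at which a control's absolute risk reduction would pay for its annual cost, which matters because the .1% figure could change. The `OtRisk` model, the impact value and the cost value are constructed for illustration.

```python
"""Relative vs absolute likelihood reduction for an OT control (constructed example).

Model (illustrative, not from the post):
  P(HCE) = P(OT breach in a year) * P(high consequence event | breach)
A likelihood control such as microsegmentation scales P(HCE | breach) by
(1 - relative_reduction); the absolute reduction is the change in P(HCE).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class OtRisk:
    p_breach: float            # annual probability the OT system is breached
    p_hce_given_breach: float  # P(high consequence event | breach), no control in place
    impact: float              # loss from one high consequence event (currency units)


def absolute_likelihood_reduction(risk: OtRisk, relative_reduction: float) -> float:
    """Absolute drop in annual P(HCE): the relative reduction scaled by breach likelihood."""
    return relative_reduction * risk.p_breach * risk.p_hce_given_breach


def annual_expected_loss(risk: OtRisk, relative_reduction: float = 0.0) -> float:
    """Expected annual loss with a likelihood control of the given relative strength."""
    p_hce = risk.p_breach * risk.p_hce_given_breach * (1 - relative_reduction)
    return p_hce * risk.impact


def breakeven_breach_likelihood(risk: OtRisk, relative_reduction: float,
                                annual_cost: float) -> float:
    """Annual P(breach) at which the control's expected-loss reduction equals its cost.

    Below this value the absolute risk reduction does not pay for the control.
    """
    return annual_cost / (relative_reduction * risk.p_hce_given_breach * risk.impact)


if __name__ == "__main__":
    # The post's numbers: 80% relative reduction, .1% annual breach likelihood.
    # P(HCE | breach) = 1.0 reproduces the post's 0.8 * 0.1% = 0.08% arithmetic.
    # The impact and annual cost figures below are constructed, not from the post.
    risk = OtRisk(p_breach=0.001, p_hce_given_breach=1.0, impact=10_000_000)
    print(f"absolute reduction: {absolute_likelihood_reduction(risk, 0.8):.4%}")
    print(f"expected loss without control: {annual_expected_loss(risk):,.0f}")
    print(f"expected loss with control:    {annual_expected_loss(risk, 0.8):,.0f}")
    print(f"break-even P(breach) at 50k/yr: {breakeven_breach_likelihood(risk, 0.8, 50_000):.3%}")
```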

A counterargument is that microsegmentation will also reduce the consequence of a cyber attack that reaches OT. "Will" is too strong here: the attacker may be able to compromise the microsegmentation solution, or the administrator or management credentials for that solution.

There are security solutions that have a more credible argument for reducing consequence. Backup, orchestration, and anything that speeds recovery are clear examples. Monitoring and detection are less clear; probably the strongest case is that the data in these systems will aid recovery by providing some direction and assurance that the attack has been eradicated.

Considering the absolute likelihood and risk reduction achieved will lead you, in most cases, to prioritize consequence reduction actions after the likelihood of an OT security breach has been made very small.

Let’s continue to gather the data and promote data driven OT cyber risk management.