SANS Industrial Control Systems Security Blog

Effective Assessment of ICS Infrastructure Cyber Risk

Entry by Rebekah Mohr

One of the largest challenges facing management in Engineering organizations today is how to effectively assess cyber risk on ICS infrastructure and make the appropriate investments in risk mitigation activities to reduce this risk as far as possible. The cyber threat landscape is dynamic, and attacks on ICS infrastructure are increasing in both frequency and sophistication. As a result, cyber risk assessments need to be able to predict all conceivable threats, including those which may not have already occurred, in order to proactively defend against them. However, this would require consideration of seemingly endless threat scenarios. To complicate this problem even further, the methodologies and approaches available today to assess risk to operating industrial environments have been developed for traditional IT domains and, when applied to Engineering environments, are not fit for purpose. Due to the hybrid IT and Engineering nature of ICS, a hybrid competency skillset is required to secure the ICS and ensure operation is not interrupted. Because the Engineering community may not be as familiar with the threats and risk associated with IT Security, traditional IT Security Risk Assessment processes cannot be effectively leveraged. As a result, adoption of risk management is limited, leading to ineffective investment decisions and unnecessary costs.

The Engineering community traditionally assesses process safety risk using a Bow-Tie Model and Risk Assessment Matrix (RAM), which are used to determine whether Residual Risk is As Low As Reasonably Practicable (ALARP). With some simple changes to this Risk Assessment Methodology, these tools can be used to assess cyber risks. In order to reduce the seemingly endless threat scenarios, all possible threat scenarios are limited to specific variables — agent, authorization and motivation. Furthermore, instead of evaluating the likelihood of these threats based on past prevalence, as they do in the IT Community, threats are instead evaluated based on the resources required to carry out an attack.

This solution is explored in the SANS Reading Room whitepaper "Evaluating Cyber Risk in Engineering Environments: A Proposed Framework & Methodology". This paper describes how to leverage commonly used Engineering risk management methodologies and incorporate IT security practices to bridge the gap between the Engineering and IT communities.

The benefits of this whitepaper expand beyond assessing cyber risks and cost savings from defending against them. The proposed solution can also be used to define and defend a Standard of cyber controls for ICS, qualify Residual Risk in a Risk Model, align methodologies within the ICS Practitioner Community, and determine Insurance policies for cyber risk.

The author has requested feedback from the ICS Community. If you have feedback to provide, please reach out to her at

Rebekah Mohr



Posted June 8, 2016 at 5:47 PM

David Nix

I saw a good presentation of the Bow Tie applied to ICS risk at the ICSJWG in May.

Posted August 3, 2016 at 12:31 AM

Josh Lane

Thank you for the well-written article :)