When working with cybersecurity and segmenting your systems into security zones, it makes sense to base the work on a risk analysis. This prevents security work from being carried out in an undefined, ad hoc way. It is also usually easier to explain and justify the investments you want to make if you can account for the risks you are managing or reducing. IEC 62443 is a good method to use for this kind of risk-based zoning.
In this text, we explain in detail what is important to keep in mind when basing your zoning on a risk analysis according to IEC 62443.
Why are you zoning based on risk analysis?
In order to know which direction to go with your cybersecurity work, you need to assess the business as it is today – by doing an analysis of the risks that currently exist in the business system.
A first, simple risk analysis identifies the worst that can happen today, assuming that no risk reduction measures are in place. Later, a detailed risk analysis is performed for the individual zones and flows (conduits, in IEC 62443 terminology). That step is carried out once the systems have been grouped into zones and flows on the basis of the initial risk analysis.
The goal of these risk analyses is to be able to apply the right risk reduction measures and create a more secure business where the effort is focused in the right places.
How do you achieve zoning using a risk analysis?
In the initial and simple risk analysis, you look at the worst case – that is, the worst that can happen to the business. It is assumed here that no measures have been taken to reduce the existing risks. You need information in this phase, such as:
Overall system architecture – you need to know which systems are included in order to systematically walk through them.
Risk criteria and risk matrix with tolerable risk – what risks can we accept and what should we act against? How do we measure risk?
Existing risk analyses – have we already done a risk analysis, and can we reuse parts of it?
Information on existing threats – what could happen? What are the threats to the organization?
Based on this input, it is possible to calculate the worst-case risk to which different parts of the system are exposed without security measures or segmentation. The question is: what effect does a cyberattack that disables systems have on the business? What would be the scale of the attack? How large a geographic area and how many people would be affected? If the electricity supply were shut down, many people would feel the effects. Are there critical activities (e.g. hospitals) that depend on the electricity supply? In the initial risk analysis, you only assess the consequence and assume that the likelihood is “often”.
By defining the different worst-case scenarios and connecting them to the different systems, we can perform an initial zoning in which each system is grouped with other systems that have the same level of risk.
Once you have grouped your zones and flows, you usually need to do a detailed risk analysis. According to IEC 62443, a detailed risk analysis is performed if the initial risk exceeds the acceptable risk. In the detailed risk analysis, the risk is assessed per zone and per flow, using the same risk matrix as in the initial risk analysis. The detailed risk analysis consists of a number of steps:
Identify threats and threat actors against the zones and flows
Identify vulnerabilities that can be exploited
Assess the unmitigated consequence, likelihood and risk
Implement risk reduction measures
Assess the reduced consequence, likelihood and risk
Is the reduced risk acceptable? If not, introduce further measures
When the reduced risk is below the acceptable risk, your risk reduction measures have achieved their goal.
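The workflow described above (initial worst-case risk with likelihood fixed at “often”, grouping systems into zones by risk level, then a per-zone detailed analysis that adds measures until the reduced risk is tolerable) as a small model in Python. This is an added example, not code from the original article or from the IEC 62443 standard; the 5x5 matrix, the tolerable-risk threshold, the systems and the measures are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed 5x5 risk matrix: risk = likelihood x consequence; risk <= TOLERABLE is acceptable.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "often": 5}
CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}
TOLERABLE = 6

@dataclass
class System:
    name: str
    worst_consequence: str  # worst credible effect if the system is disabled, no measures assumed

@dataclass
class Measure:
    name: str
    likelihood_steps: int = 0   # matrix levels of likelihood the measure removes
    consequence_steps: int = 0  # matrix levels of consequence the measure removes

def initial_risk(system: System) -> int:
    # Initial analysis: only the consequence is assessed; likelihood is fixed at "often".
    return LIKELIHOOD["often"] * CONSEQUENCE[system.worst_consequence]

def initial_zoning(systems: list[System]) -> dict[int, list[str]]:
    # Systems sharing the same worst-case risk level are grouped into one candidate zone.
    zones: dict[int, list[str]] = {}
    for s in systems:
        zones.setdefault(initial_risk(s), []).append(s.name)
    return zones

def detailed_risk(likelihood: str, consequence: str, measures: list[Measure]) -> int:
    # Per-zone or per-flow risk after the applied measures, clamped at the lowest matrix level.
    lik = max(1, LIKELIHOOD[likelihood] - sum(m.likelihood_steps for m in measures))
    con = max(1, CONSEQUENCE[consequence] - sum(m.consequence_steps for m in measures))
    return lik * con

def reduce_to_tolerable(likelihood: str, consequence: str, candidates: list[Measure]):
    # Detailed-analysis loop: add measures until the reduced risk is tolerable or none are left.
    applied: list[Measure] = []
    risk = detailed_risk(likelihood, consequence, applied)
    for m in candidates:
        if risk <= TOLERABLE:
            break
        applied.append(m)
        risk = detailed_risk(likelihood, consequence, applied)
    return risk, [m.name for m in applied], risk <= TOLERABLE

SYSTEMS = [System("grid SCADA", "catastrophic"), System("EMS", "catastrophic"),  # constructed sample
           System("substation RTU", "major"), System("office printer", "negligible")]
CANDIDATES = [Measure("zone conduit firewall", likelihood_steps=1),  # constructed sample measures
              Measure("MFA on remote access", likelihood_steps=1),
              Measure("manual fallback operation", consequence_steps=2)]
ZONE_RESULT = reduce_to_tolerable("likely", "catastrophic", CANDIDATES)  # (6, [3 measures], True)
```

The third return value tells you whether the candidate list was sufficient; a `False` means the loop exhausted the measures without reaching the tolerable risk, which is the signal to go back and introduce further measures.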