The low-level risk assessment is a detailed analysis typically performed after a high-level risk assessment or, sometimes, conducted on specific plants in order to deeply assess the precise risk estimate of a cyber attack. In general, the low-level risk assessment focuses on the most sensitive equipment reported from the high-level risk assessment, and in relation to the potential most critical consequences of a cyber attack.
While the purpose of the high-level risk assessment is to macroscopically assess the potential consequences of an attack, the low-level risk assessment deepens the weakest parts of an industrial control system.
The low-level risks calculation is based on the following formula:
Risk = 〖Threat〗 Specific x 〖Vulnerability] (Exploitable〗 x 〖Consequences〗 Event
Technical standards for low-level risk assessment
The following table shows the technical standards within the IEC 62443 standard applicable to the low-level risk assessment:
Low-level risk assessment phases according to the IEC 62443
Low-level risk assessment is a microscopic quantification of the potential cyber risk affecting an industrial control system. This activity, according to the IEC 62443 scheme, is divided into three main phases:
1. Identification of the target asset, where the target asset is analyzed in terms of extension, technical characteristics, and device composition, by focusing on the existing vulnerabilities.
2. Network mapping and analysis, i.e. the application of potential threats to each subsystem and component by verifying their characteristics. This phase identifies all exploitable vulnerabilities through passive packet scans that analyze network traffic, unauthenticated scans, or authenticated scans, depending on whether the network is studied externally or internally, and, finally, agent-based scans through software.
3. Social engineering and access analysis, i.e. a targeted analysis of vulnerabilities that can be exploited by the human factor, with particular attention to the interventions of external personnel, generally in charge of ordinary and extraordinary maintenance of the infrastructures. This phase also considers the access controls on the perimeter security parts.
Starting from the data collected prior to the low-level risk assessment, i.e. along with the High Level Risk Assessment, our pool of ISA99/IEC62443 certified in-house specialists provides a complete set of services in compliance with the Cyber Security Lifecycle defined by the IEC 62443 standard. Our proven expertise in industrial automation allows us to support our customers in all the phases of the low-level risk assessment described in the previous paragraph.
The low-level cybersecurity risk assessment service is divided into 4 phases:
- Vulnerability assessment, network mapping, social engineering, and access management analyses
- Low-level risk assessment (preliminary), i.e. the issue of a preliminary analysis report containing the results of the analyzes of the previous point
- Evaluation of the preliminary result of the analysis to be shared with the internal staff responsible for the security of the industrial control systems and discussion of the following actions to be planned
- Low-level risk analysis (final), where the detailed risk analysis is completed by providing the necessary information to the internal staff for the implementation of a remediation plan, ie a plan containing the most suitable mitigation measures.
– This article originally appeared on H-ON Consulting’s website. H-ON Consulting is a CFE Media content partner. Edited by Chris Vavra, web content manager, Control Engineering, CFE Media and Technology, email@example.com.