Cybersecurity Risk Assessment Provides a Rational Strategy for Protecting Technology Assets
TELECOM & TECH
Large or small and in every industry, cybersecurity is vital
By Tracy Barbour
Organizations of all types and sizes have been rocked by security breaches and other cyber attacks, including large corporations (Merck, Maersk, and FedEx), government agencies, and even a credit reporting bureau (Equifax). Given the growing threat from botnets, malware, ransomware, worms, and nefarious hackers, companies need an organized method for assessing and addressing cybersecurity risks.
Cybersecurity is the set of technologies, processes, and practices designed to protect networks, computers, programs, and data from attack, damage, or unauthorized access. A cybersecurity risk assessment identifies the gaps in an organization's critical risk areas and determines the actions needed to close them. The evaluation typically starts with the primary types of information being handled, whether Social Security numbers, credit or debit card numbers, patient records, industrial control system data, designs, or human resources data, and produces a priority list of what needs to be protected.
A cybersecurity risk assessment also entails identifying where information assets reside, such as file servers, workstations, laptops, removable media, smartphones, and databases, and then classifying them. The top-rated assets are further examined for the threats they face, such as identity spoofing, data tampering, information disclosure, or denial of service (four of the six STRIDE threat categories; the other two are repudiation and elevation of privilege). From there, an organization can weigh the probability of a threat actually being carried out against a particular asset and the potential impact of a successful attack. A cybersecurity risk assessment exercise can take anywhere from one full day for smaller organizations to several days or weeks for larger firms. The cost of an assessment can run to tens of thousands of dollars, depending on the size and complexity of the system and the time involved in performing the assessment.

Ultimately, a cybersecurity risk assessment can yield a comprehensive ranking of threats and vulnerabilities, prioritized by risk, that helps an organization create a strategy for sensible risk mitigation. It can then focus its efforts on the most critical areas and avoid spending resources on security technologies or activities that are less essential or irrelevant to addressing the highest risks.
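As an added example (not code from the article, from aeSolutions, or from Northrim Bank), the Python script below implements the ranking steps just described: inventory where assets reside, classify them by the data they hold, enumerate STRIDE threats against the top-tier assets, score each threat as likelihood multiplied by impact, and sort the register so the highest risks come first. The 1-to-5 scales, the tier scheme, the high/medium/low thresholds, and the sample assets and threats are all constructed assumptions, not figures from the article.

```python
"""Prioritized cyber risk register (illustrative; not the article's or
aeSolutions' method). Steps: inventory assets, classify by data held,
enumerate STRIDE threats against top-tier assets, score likelihood x impact,
rank. Scales, tiers, thresholds and sample data are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed ordinal scales (1..5); an organization defines its own.
LIKELIHOOD: Dict[str, int] = {"rare": 1, "unlikely": 2, "possible": 3,
                              "likely": 4, "almost_certain": 5}
IMPACT: Dict[str, int] = {"negligible": 1, "minor": 2, "moderate": 3,
                          "major": 4, "severe": 5}
# The six STRIDE threat categories (the article names four of them).
STRIDE = ("spoofing", "tampering", "repudiation", "information_disclosure",
          "denial_of_service", "elevation_of_privilege")
# Assumed classification scheme: data types that put an asset in tier 1
# (most critical) or tier 2; anything else is tier 3.
TIER1_DATA = {"ssn", "card_number", "patient_record", "ics_data"}
TIER2_DATA = {"design", "hr_data"}


@dataclass(frozen=True)
class Asset:
    name: str
    location: str                # file server, laptop, database, ICS server
    data_types: Tuple[str, ...]  # kinds of information the asset holds


@dataclass(frozen=True)
class Threat:
    asset: str         # name of the Asset this threat applies to
    category: str      # one of STRIDE
    description: str
    likelihood: str    # key of LIKELIHOOD
    impact: str        # key of IMPACT


def classify(asset: Asset) -> int:
    """Tier 1 if the asset holds any tier-1 data, else tier 2, else tier 3."""
    data = set(asset.data_types)
    if data & TIER1_DATA:
        return 1
    if data & TIER2_DATA:
        return 2
    return 3


def score(threat: Threat) -> int:
    """Risk score = likelihood x impact (1..25). Unknown categories or scale
    labels raise, so a typo cannot silently drop or misrank a risk."""
    if threat.category not in STRIDE:
        raise ValueError(f"unknown STRIDE category: {threat.category!r}")
    return LIKELIHOOD[threat.likelihood] * IMPACT[threat.impact]


def risk_level(s: int) -> str:
    """Assumed thresholds: 15 and above high, 8..14 medium, below 8 low."""
    return "high" if s >= 15 else "medium" if s >= 8 else "low"


def rank_risks(assets: List[Asset], threats: List[Threat],
               max_tier: int = 1) -> List[Tuple[int, str, str, str, str]]:
    """Score threats against assets classified at tier <= max_tier and return
    them highest risk first as (score, level, asset, category, description)."""
    tiers = {a.name: classify(a) for a in assets}
    for t in threats:
        if t.asset not in tiers:
            raise KeyError(f"threat refers to uninventoried asset {t.asset!r}")
    ranked = [(score(t), risk_level(score(t)), t.asset, t.category, t.description)
              for t in threats if tiers[t.asset] <= max_tier]
    ranked.sort(key=lambda r: (-r[0], r[2], r[3]))
    return ranked


# Constructed sample inventory and threat list.
ASSETS = [
    Asset("hr-db", "database", ("ssn", "hr_data")),
    Asset("historian", "ICS server", ("ics_data",)),
    Asset("cad-share", "file server", ("design",)),
    Asset("marketing-laptop", "laptop", ("public_web_content",)),
]
THREATS = [
    Threat("hr-db", "information_disclosure", "SQL injection exposes SSNs",
           "possible", "severe"),
    Threat("hr-db", "spoofing", "Stolen credentials used against the database",
           "likely", "major"),
    Threat("historian", "denial_of_service", "Worm floods the ICS network",
           "unlikely", "severe"),
    Threat("historian", "tampering", "Altered setpoints pushed to PLCs",
           "rare", "severe"),
    Threat("cad-share", "information_disclosure", "Product designs exfiltrated",
           "possible", "major"),
    Threat("marketing-laptop", "tampering", "Website copy defaced",
           "likely", "minor"),
]

if __name__ == "__main__":
    for s, level, asset, cat, desc in rank_risks(ASSETS, THREATS):
        print(f"{s:>2} {level:<6} {asset:<10} {cat:<22} {desc}")
```

Run it to print the ranked register for tier-1 assets only; raise `max_tier` to bring lower-tier assets into scope once the top tier is covered. Rejecting unknown categories and scale labels is deliberate: a misspelled likelihood should stop the run rather than quietly produce a register with a risk missing.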
The Assessment Process
Cybersecurity risk assessments are often done by an organization's IT department or its internal audit group. However, many organizations opt to use outside consultants. There are arguments for both approaches, says John Cusimano, CISSP, GICSP, CFSE. Cusimano is the director of industrial cybersecurity for Applied Engineering Solutions (aeSolutions), a provider of industrial process safety, cybersecurity, and automation lifecycle solutions and tools. "The main thing is the person facilitating the assessment should have some independence from the group that actually designs and operates the system," he says. "You want a third party that can come in with no biases...You want as close to the real version of the truth as you can get."
That's the type of service aeSolutions strives to provide its clients. The company specializes in industrial control system (ICS) cybersecurity, often referred to as operational technology (OT) cybersecurity. Its primary service is a combination of vulnerability and gap assessment followed by a formal risk assessment. The vulnerability and gap assessment involves physically visiting a site and gathering data about the system and its operational practices. The data, such as Windows system information, network configurations, and packet captures, is collected passively to ensure there is no possible impact on production.

"We then analyze the data offsite and prepare up-to-date network diagrams, dataflow diagrams, zone and conduit diagrams, and a vulnerability register," Cusimano says. "This information is then used in the risk assessment phase of the process. We refer to our ICS cybersecurity risk assessment process as a Cyber Process Hazard Analysis, or CyberPHA, because it links cybersecurity vulnerabilities and threats to process safety consequences to identify realistic cyber risks. The result provides management with a roadmap highlighting a ranked set of risks and a mitigation plan."
When conducting assessments, aeSolutions will evaluate an entire enterprise or the security of a particular system at one facility. aeSolutions also distinguishes between IT (laptops, printers, and accounting systems) and OT (the computers and networks that control production). Most companies assess IT and OT separately because the systems and the personnel who support them are very different, Cusimano says.
A cybersecurity risk assessment cannot be performed without a solid understanding of the system being assessed, Cusimano says. This means having up-to-date network diagrams and a system inventory, an understanding of data flows, an understanding of how the system is configured and maintained, and knowledge of site-specific operational practices. "This homework must be done up front before sitting down to perform a risk assessment," he says. "The risk assessment must incorporate input from personnel who are familiar with the configuration and operation of the system so they can reasonably estimate the consequences and severity of compromise."
Northrim Bank Prioritizes Risk Assessment
Cybersecurity risk assessments are particularly critical for organizations that manage highly sensitive and private information, such as hospitals and financial institutions. At Northrim Bank, for example, cybersecurity risk assessments are extremely important, and they are completed frequently, according to Vice President, Security and Business Continuity Manager Douglas Frey.

In fact, whenever Northrim is contemplating a new network, hiring a new vendor, or making other significant changes, it conducts a risk assessment. This is an essential part of protecting valuable assets like customer information as well as the bank's reputation, brand, business secrets, and funds. "Any time our landscape changes, we look for potential risks," Frey says. "It's like a process we've baked into our culture."
Northrim makes cybersecurity risk assessment a priority that
[Photo: Douglas Frey, Vice President, Security and Business Continuity Manager, Northrim Bank. Image courtesy of Northrim Bank]
[Photo: John Cusimano, Director of Industrial Cybersecurity, aeSolutions. Image courtesy of aeSolutions]