In recent years, global tensions have been rising due to factors such as the Russian invasion of Ukraine and the situation in the Middle East. Cyber-attacks related to these conflicts have also extended their targeting scope to not only the parties directly involved in conflicts but also ally nations and supporters. Cyber-attacks directed at government agencies, medical institutions, financial institutions, and manufacturing supply chains can shut down social infrastructure and cause product shortages. These can have tremendous impacts on people’s lives and develop into major societal problems. These serious impacts make cyber-security an urgent business challenge for companies. In this running feature on control system security, we will learn about control system security trends and Toshiba’s initiatives to improve the cyber-resilience of social infrastructure and plant control systems.

In Part 1 of this running feature, we discussed recent trends surrounding control system security, along with the direction Toshiba is taking with its control system security technologies. In Part 2, we will look at methods of conducting risk assessment for control systems.


Why is risk assessment needed for control systems?


Until recently, most of the control systems used in factories and plants were operated using closed networks, which are isolated from the external network. However, advances in digital transformation (DX) and the IoT have led to demands for the ability to visualize operational status and analyze data in real time. Factories are turning into “connected factories,” linked to information systems and other systems via networks. This shift has the potential to optimize supply chains and improve productivity. However, it also necessitates addressing cyberspace threats, such as unauthorized access and ransomware attacks.

Let’s think about how actual measures can be implemented. Many questions could arise: “What assets should we protect?” “What measures do we need to implement?” “Where should we start with our measures?” The process of answering these questions is “risk assessment,” which we will explain in this issue.

By conducting risk assessments, system owners can identify the latent risks faced by their systems and can implement appropriate security measures based on their respective risks. Looked at from another direction, if a system owner fails to conduct a risk assessment, they might not implement the measures that should be their highest priorities, or they could implement costly measures that fail to produce the benefits they expected. That is, they could implement measures that are not appropriate for dealing with their risks. The fundamental goal of security measures is mitigating risk. Given that, risk assessment is an essential process that must be carried out before implementing security measures.


How risk assessment is positioned and the three steps that make it up


Before we go further into our explanation of risk assessment, let’s look at the position risk assessment occupies within risk management. Risk management is the process of analyzing various security risks involved in organizational activities, evaluating them in advance, and managing systems to prevent those risks from manifesting themselves. In ISO 31000, a leading risk management standard, risk assessment is positioned as one of the processes in implementing risk management. It is made up of three steps: risk identification, risk analysis, and risk evaluation (Fig. 1).

Let’s look at each of the three steps of risk assessment.

Step 1: Risk identification

The main purpose of this step is to identify and recognize the latent risks of the system for which risk management is being implemented. For example, one potential risk is that if a maintenance computer that has been infected with malware is connected to a control system, the malware could infect the system. This step also includes assessing the current status of the system: identifying the assets within the system, deciding on the importance of each, and identifying the threats that face them.

Step 2: Risk analysis

In this step, risk levels are decided for each of the risks identified in step 1, based on an understanding of the characteristics of each of these risks. There are various methods for analyzing risks, each of which has its own advantages and disadvantages. We will explain each method and its characteristics in the next section.

Step 3: Risk evaluation

In this step, the results from step 2 are then compared against the risk criteria defined by the company or organization owning the system to calculate risk values. Risk values are calculated as follows: “Asset importance x Threat x Vulnerability.” The calculated risk values are used to quantitatively decide the prioritization of the risks to be addressed and the effectiveness of the measures for addressing them.


Risk analysis methods and their characteristics


Various methods are employed in risk analysis, which is the core of risk assessment. Toshiba uses different methods depending on the scale of the system and the demands of the customer. Below are overviews of each method, along with their respective advantages and disadvantages.

■ Baseline approach

This method checks whether the security measures of a system comply with existing guidelines used as international or industry standards. One typical guideline for control system security is the IEC 62443 series of standards.

  [Advantages]

  • This method only requires security measures to be checked against security requirements indicated in guidelines, so it involves a comparatively low workload.
  • It is based on existing standards, so it can be used as a rough guide for performing a certain degree of evaluation.

  [Disadvantages]

  • It consists of checking measures against guideline measure requirements, and it does not extend as far as analysis based on actual system status (it may not be sufficient to evaluate system-specific risks).
  • The degree of granularity of measure requirements varies by guideline, and different risk assessment personnel can interpret guideline requirements in different ways, resulting in a lack of consistency in check results.

 

■ Detailed risk analysis approach

Risk analysis is conducted using the three evaluation indices of “importance” (the importance of the system’s assets and the work it performs), envisioned “threat level,” and the system’s “vulnerability level.” In general, the Security Risk Assessment Guide for Industrial Control Systems, 2nd Edition[1], issued by the Information-technology Promotion Agency (IPA), is used for this approach.

  [Advantages]

  • This method can be used to conduct an accurate risk assessment of the target system.
  • With this method, the determination of security measure priorities and the selection of measures that are effective in combating risks can be performed objectively.

  [Disadvantages]

  • The use of this method requires the involvement of advanced security experts, making risk analysis costly.

 

■ Informal approach

Risk analysis is conducted on target systems based on the experience and judgment of the organization and the people in charge of the system.

  [Advantages]

  • Costs can be kept low by drawing on the experience of those conducting the analysis.

  [Disadvantages]

  • This method is highly dependent on the capabilities of individual personnel, making it difficult to continuously improve the security level when analysis personnel are assigned to new positions or leave the organization.

 

■ Combined approach

The baseline approach and the detailed risk analysis approach are combined to conduct risk analysis.

  [Advantages]

  • When the systems being analyzed are large-scale, the detailed risk analysis approach can be used in important areas and the baseline approach can be used in other areas, optimizing the cost of analysis.

  [Disadvantages]

  • The combined methods vary by system and operator, and there are no defined guidelines, making it difficult to apply as a one-size-fits-all approach.


How to deal with risks based on the results of risk assessments


By understanding the characteristics of each analysis method and using the appropriate method to conduct risk assessment for the system being analyzed, latent risks in systems can be identified and evaluated properly. After the evaluation, the next step is risk treatment based on the results of the risk assessment.

Risk treatment is the process of formulating plans for dealing with risks identified through risk assessment and of implementing the formulated measures. There are four methods of dealing with risk: risk acceptance, risk mitigation, risk avoidance, and risk transfer. The choice of which method to be used for each risk is made by considering the results of the risk assessment.

  • Risk acceptance

When the likelihood of a risk becoming manifest is low, or when the impact of a risk on the system and on business would be low if it were to manifest itself, the risk can be accepted, without implementing measures. This decision is made holistically, taking into consideration factors such as the cost of implementing measures. There are times when risks are acceptable due to their particular characteristics, such as when measures are not feasible.

  • Risk mitigation

Security measures are used to minimize the possibility that a risk will become manifest and the impact that it would have if that were to happen. For example, installing anti-malware software in devices is done to mitigate the risk that a device will be infected with malware.

  • Risk avoidance

Risk avoidance is eliminating the very causes of risks. For example, the risks associated with remote maintenance can be eliminated by not performing maintenance remotely.

  • Risk transfer

Risk transfer consists of offloading risks to another organization or company. One example would be enrolling in a cyber insurance policy with an insurance company to cover losses if a risk becomes manifest.

If the likelihood of a risk manifesting itself is set as the vertical axis and the impact of a risk that manifests is set as the horizontal axis, these four risk treatment measures would be plotted on the graph as shown below (Fig. 2).
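The following is a worked example added to this article for illustration; it is not Toshiba's simple risk assessment tool and not the IPA guide's worksheet. It carries the step 3 formula "Asset importance x Threat x Vulnerability" through a small risk register, ranks the risks by the result, and then places each risk on the likelihood/impact plot of Fig. 2 to suggest one of the four treatments. The 1..3 scales, the sample risks, the likelihood and impact cut-offs, and the mapping from plot quadrant to treatment are all assumptions of the example (Fig. 2 itself is not reproduced in the text).

```python
"""Worked example, added to this article for illustration: it is not Toshiba's
simple risk assessment tool and not the IPA guide's worksheet. It computes the
step 3 risk value "Asset importance x Threat x Vulnerability" for a small risk
register, ranks the risks, and places each on the likelihood/impact plot of
Fig. 2 to suggest one of the four treatments. The 1..3 scales, the sample risks,
the cut-offs and the quadrant-to-treatment mapping are all assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    importance: int     # assumed scale 1 (low) .. 3 (high): value of the asset and the work it performs
    threat: int         # assumed scale 1 .. 3: envisioned threat level
    vulnerability: int  # assumed scale 1 .. 3: the system's vulnerability level

    def __post_init__(self) -> None:
        # Reject scores outside the assumed scale so a typo cannot silently inflate a risk value.
        for field in ("importance", "threat", "vulnerability"):
            value = getattr(self, field)
            if not 1 <= value <= 3:
                raise ValueError(f"{field} must be in 1..3, got {value!r}")


def risk_value(r: Risk) -> int:
    """Step 3 of the article: Asset importance x Threat x Vulnerability (1..27 on these scales)."""
    return r.importance * r.threat * r.vulnerability


def prioritize(risks: list[Risk]) -> list[Risk]:
    """Highest risk value first; equal values keep register order (sorted() is stable)."""
    return sorted(risks, key=risk_value, reverse=True)


# Assumed decomposition of the two axes of Fig. 2: threat and vulnerability both
# drive how likely a risk is to manifest, asset importance drives the damage if it does.
def likelihood(r: Risk) -> int:
    return r.threat * r.vulnerability       # 1..9


def impact(r: Risk) -> int:
    return r.importance                     # 1..3


LOW_LIKELIHOOD = 3  # assumed cut-off: a likelihood score <= 3 counts as "low"
LOW_IMPACT = 1      # assumed cut-off: an impact score <= 1 counts as "low"


def treatment(r: Risk) -> str:
    """Map a risk's quadrant on the likelihood/impact plot to one of the four treatments.

    The quadrant assignment is a common convention, assumed here. The article
    stresses that acceptance is decided holistically (cost and feasibility of
    measures), so the result is a starting point for that decision, not a verdict."""
    low_l = likelihood(r) <= LOW_LIKELIHOOD
    low_i = impact(r) <= LOW_IMPACT
    if low_l and low_i:
        return "accept"     # unlikely and minor: no measure implemented
    if low_l:
        return "transfer"   # unlikely but damaging: e.g. cyber insurance covers the loss
    if low_i:
        return "mitigate"   # likely but minor: measures such as anti-malware software
    return "avoid"          # likely and damaging: eliminate the cause itself


def assess(risks: list[Risk]) -> list[tuple[str, int, str]]:
    """Ranked register: (risk name, risk value, suggested treatment)."""
    return [(r.name, risk_value(r), treatment(r)) for r in prioritize(risks)]


# Constructed sample register: illustrative scores, not measurements from any real plant.
SAMPLE_REGISTER = [
    Risk("Remote maintenance link reachable from the Internet", importance=3, threat=3, vulnerability=3),
    Risk("Malware on an office-side read-only historian viewer PC", importance=1, threat=3, vulnerability=2),
    Risk("Tampered firmware delivered through a vendor update", importance=3, threat=1, vulnerability=2),
    Risk("Stale firmware on an isolated test-bench PLC", importance=1, threat=1, vulnerability=3),
]

if __name__ == "__main__":
    for name, value, action in assess(SAMPLE_REGISTER):
        print(f"{value:>2}  {action:<8}  {name}")
```

The point of computing likelihood from threat and vulnerability is that a control system owner can often lower only the vulnerability factor (patching, segmentation, hardening) while the threat factor is set by the outside world; running the register again after a planned measure, with the reduced vulnerability score, shows whether that measure actually changes the risk's quadrant.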


Simple risk assessments for reducing assessment times and costs


When conducting a risk assessment, no matter which analysis method is used, security experts and personnel who are knowledgeable about the system must be assigned, a period of anywhere from two months to half a year must be set aside, and some level of cost is always involved. For customers in the manufacturing or social infrastructure fields, conducting a risk assessment therefore places both an operational and a financial burden on them.

Because of this, we offer a simple risk assessment tool for conducting a basic diagnosis of the status of the security measures being used in a target system (Fig. 3). Developed based on our expertise, it can be used as a first step in gaining an understanding of the current status of a customer’s system and in determining the need for a full-fledged risk assessment.

The simple risk assessment tool is currently offered free of charge to customers in the manufacturing and social infrastructure fields. To prepare for the diagnosis, we have created a questionnaire with a total of 14 questions, consisting of questions from a technical perspective based on the J-CLICS* self-diagnosis tool for industrial control systems provided by the JPCERT Coordination Center (JPCERT/CC) and questions we formulated ourselves, from an organizational perspective.

* J-CLICS: https://www.jpcert.or.jp/ics/jclics.html

Customers can simply answer these questions to determine the state of the security measures for the system they wish to diagnose, expressed as a “maturity level” indicator. Furthermore, their questionnaire responses can be used to receive a holistic evaluation report from our security experts, including the risks faced by the system and proposals for measures and solutions. Below is an example of one of these reports (Fig. 4).

Advances in DX and the IoT have led to a heightened threat from cyber-attacks in open network environments, making risk assessment a vital process for protecting one’s control systems. Risks change not only due to external factors but also internal factors, such as the deployment or updating of systems, so as a general rule, it is recommended to conduct risk assessments on a regular basis, such as once per year. At the very minimum, they should be conducted whenever there are system configuration changes.

We can meet a wide range of customer risk assessment needs and requests, from baseline analysis and detailed risk analysis compliant with the guidelines adopted by various industries to our simple risk assessment tool that we offer free of charge. Feel free to contact us with any of your risk assessment needs.

In Part 2, we presented methods for conducting risk assessment for control systems, and we discussed the characteristics of each. In Part 3, we will look at the attack and defense technologies that we are researching in Toshiba’s unique test environment.

Up next: (Part 3) Security verification with attack and defense in industrial control system testbeds

 

Reference materials
[1] Information-technology Promotion Agency (IPA) “Security Risk Assessment Guide for Industrial Control Systems, 2nd Edition” (March 2023)
https://www.ipa.go.jp/security/controlsystem/ssf7ph00000098vy-att/000109380.pdf (PDF)(6.98MB)

[2] “Risk Assessment Methods Ensuring Security of CPS,” Toshiba Review Vol. 77, Issue 3 (May 2022)
https://www.global.toshiba/content/dam/toshiba/jp/technology/corporate/review/2022/03/a08.pdf (PDF)(607KB)

 

IMIZU Ryo

Managed Security Dept., Cyber Security Technology Center, Toshiba Corporation
Cyber Security Services Group 1, Cyber Security Business Promotion Dept., Digital Engineering Center, Toshiba Digital Solutions Corporation


Since joining Toshiba, IMIZU Ryo has been engaged in control system security R&D, responsible for security consulting for customers in the power, social infrastructure, and manufacturing industries.

  • The corporate names, organization names, job titles and other names and titles appearing in this article are those as of June 2024.
  • All other company names, product names, and function names mentioned in this article may be trademarks or registered trademarks of their respective companies.
