Traditional IT Cyber Risk Assessments vs. Critical Infrastructure
Not all cybersecurity risks are created equal, and as threats are constantly evolving, performing and updating risk assessments on a regular basis is crucial. This is especially true for critical infrastructure, where cyberattacks can have deadly consequences. But are critical infrastructure cyber risk assessments different from traditional IT cyber risk assessments? The answer is mostly yes.
To understand how the assessments differ, it is important to first establish how the risks differ:
The degree of danger associated with critical infrastructure cyber risk is significantly higher than with traditional IT cyber risk. For example, if someone were to steal your identity and open a credit card in your name, it would certainly disrupt your personal life, but you are unlikely to be held responsible for fraudulent charges. On the other hand, if bad actors were to shut down the power grid, poison the local water system, or compromise a reservoir dam, your family could be in mortal danger. Sufficiently widespread critical infrastructure attacks could also have serious national security consequences.
While it is important to highlight the differences between critical infrastructure and traditional IT cyber risks, it should also be noted that real incidents are not always so easy to analyze. For example, nation states are sometimes motivated to steal money rather than wreak havoc; North Korea and Iran come to mind. And, while ransomware is a favorite among criminals looking to extort private companies, a ransomware attack can also have national security implications – think of the recent shutdown of the Colonial Pipeline. In another example, a criminal could launch a ransomware attack on a hospital to extort money, but if the ransomware attack affects the delivery of patient care, people could suffer and die.
Critical Infrastructure Cyber Risk Assessments vs. Traditional IT Cyber Risk Assessments
The use of computers is widespread in industrial environments. Critical infrastructure cyber risk assessments should therefore include all elements of information risk that an IT cyber risk assessment would include. They also have to address many other – and, frankly, scarier – physical risk elements.
Traditional IT cyber risk assessments and critical infrastructure cyber risk assessments both need to consider the consequences of the following risk scenarios:
- loss of income
- loss of reputation
- decline in share price
- IT incident response costs
- IT disaster recovery costs
- impact on the customer — for example, in the event of fraud
Critical infrastructure cyber risk assessments should consider the following additional consequences of risk scenarios:
- injury, illness and death of employees;
- injuries, illnesses and deaths in the community;
- fires and explosions;
- damage to equipment;
- damage to property and infrastructure in the surrounding community;
- damage to flora and fauna;
- release of toxins that threaten air, soil and water quality;
- environmental response and recovery costs;
- supply chain effects; and
- effects on national security.
Expertise of the risk assessor
The dual scope of critical infrastructure cyber risk assessments makes them far more complex and challenging than traditional IT cyber risk assessments, largely because assessing physical risks requires additional knowledge, skills, and methodologies.
Traditional IT cyber risk assessors and critical infrastructure cyber risk assessors require expertise in the following areas:
- IT security
Critical infrastructure cyber risk assessors should also have expertise in the following topics:
- operational and field technologies
- industrial cybersecurity
- operations supervision and management
- industrial engineering
- process safety management
- health and safety management
- environmental risks and compliance
- environmental remediation
- industrial regulatory compliance
- physical security
Risk assessment methodologies
The two types of risk assessments also use different methodologies. Traditional IT risk assessments rely on frameworks such as the following:
In contrast, critical infrastructure risk assessment methodologies include the following:
Risk assessment environments
The environments that these assessments respectively cover also differ. Traditional IT risk assessments consider the following:
- the Internet
- cloud services and applications
- business networks
- on-site services and applications
- remote access
- information and data
- accounts, access and privileges
Critical infrastructure cyber risk assessments also cover these environments:
- operational field areas
- operational safety areas
- operational control areas
- operational DMZ/historian zones
- operational remote access zones
- operational information and data
- operational accounts, access and privileges
Recommendations for Critical Infrastructure Cyber Risk Assessments
The most important point to remember is that critical infrastructure cyber risk assessments are more complex than traditional IT risk assessments, as they encompass both traditional IT risks and physical risks.
Consider the following recommendations when undertaking a critical infrastructure cyber risk assessment:
- Get help from an appropriate third party. Internal staff likely lack the built-in expertise needed to design and conduct a comprehensive critical infrastructure cyber risk assessment. Work with an external organization, public or private, that has extensive experience in critical infrastructure risk assessment and protection preparedness.
- Involve the right people internally. While IT personnel understand digital technology threats, the people who understand the potential physical implications of cyber threats come from elsewhere in the organization. Work with internal experts in operations, process engineering, technical engineering, environmental health and safety, and process safety.
- Send the right message to the management team. Executives often view cyber risk as a technical issue that IT must address. Help them understand that when it comes to modern cyber threats, the stakes are much higher. IT alone cannot solve the problem of critical infrastructure risks; it concerns the entire organization, from the plant floor to the boardroom.