When working with cybersecurity and segmenting your systems into security zones, it is a good idea to use risk analysis. In this way, you can avoid that the security work is carried out according to an undefined “ad hoc” method. In addition, it is often easier to explain and justify the investments you want to make if you can account for the risks you handle or reduce. The standard IEC 62443 is a good method to use when doing your risk-based zoning.
In this text, we explain in detail what is important to keep in mind when basing your zoning on risk analysis according to IEC 62443.
Why do you do zoning based on risk analysis?
In order to know in which direction to go with your cybersecurity work, you must evaluate the business as it is today – by making an analysis of the risks that currently exist in the business’s system.
An initial, simple risk analysis identifies the worst that can happen today without having introduced any risk-reducing measures. Later, a detailed risk analysis is performed for separate zones and flows. This step is taken when the groupings of zones and flows have been made, based on the initial risk analysis.
The goal of these risk analyses is to ultimately be able to apply the right risk-reducing measures and create a more secure business where focus is put in the right places.
How do you do zoning with the help of risk analysis?
In the initial, simple risk analysis, you look at a worst-case scenario, i.e. the worst that can happen to the business. Here it is assumed that no measures have been taken to reduce the risks that exist. You need some input in this phase, such as:
- Overall system architecture – you need to know which systems are included in order to systematically go through them.
- Risk criteria and risk matrix with tolerable risk – what risks can we accept, and which do we have to do something about? How do we measure risk?
- Existing risk analyses – have we done any kind of risk analysis before, and can we use parts from there?
- Information about what threats that exist – what could happen? What are the threats to the organisation?
Based on this input, it is possible to calculate a worst-case risk to which the various parts of the system are exposed without security functions or segmentation. The question is, what effect does a cyberattack where the systems are put out of play have on the business? What would the magnitude of the attack be? How large geographical areas would be impacted and how many people would be affected? If electricity distribution was to be shut down, many people would feel the effects. Are there critical activities (e.g. hospitals) that are dependent on electricity supply? In the initial risk analysis, you are only interested in the consequence and then you assume that the probability is ‘often’.
By defining our different worst-case scenarios and connecting these to the different systems, we can make an initial zoning where the systems are placed in zones together with other systems with the same level of risk.
Once you have made a grouping of your zones and data flows, you usually need to do a detailed risk analysis. According to IEC 62443, a detailed risk analysis is performed if the initial risk exceeds the acceptable risk. In the detailed risk analysis, one risk analysis is performed per zone and flow and is based on the same risk matrix as for the initial risk analysis. The detailed risk analysis is based on a number of steps:
- Identify threats and threat actors against zones and flows
- Identify vulnerabilities that can be exploited
- Assess unmitigated consequence, probability, and risk
- Introduce risk-reducing measures
- Assess reduced consequence, probability and risk
- Is the reduced risk OK? If not, introduce more measures
When the reduced risk is less than the acceptable risk, you have reached your goals with your risk-reducing measures. Read more about how to do risk-based zoning here!
Do you want to know more about IEC 62443? Read more here!
Do you want to read more about how you do a secure IT/OT integration based on IEC 62443? Read more in our blog post!