OT RISK ASSESSMENT

OT Risk Assessment Services

Operational Technology (OT) systems are the backbone of modern industry, overseeing and managing essential processes. However, these systems are increasingly becoming targets for cybercriminals, making OT risk management crucial to identify and mitigate potential vulnerabilities through comprehensive risk assessment processes.

CNB provides extensive IEC 62443 compliance risk assessment services, accurately pinpointing cybersecurity risks within your OT environment. Our risk assessment services encompass:

  • Identification of assets comprising the OT environment under review.
  • Identification and segmentation of these assets into security zones and conduits.
  • Business Impact Assessment (BIA) to ascertain critical OT assets.
  • Identification and analysis of threat sources/actors and relevant scenarios.
  • Evaluation of existing (as-is) controls.
  • Identification and assessment of gaps and vulnerabilities.
  • Evaluation of additional mitigating controls.
  • Risk rating, prioritization, and remedial recommendations.
  • Detailed assessment report.

Our assessments are “outcome-focused,” meaning that any remedial recommendations are designed to provide tangible risk reduction. This approach equips organizations with the necessary information to justify OT cybersecurity improvements and the associated costs, by understanding the “What, Why, and How?”

Moreover, our assessments adhere to industry best practices and standards/frameworks such as IEC 62443, ISO/IEC 27001, NIST, and ISF, but can also be tailored to meet your specific needs.

Our Consultancy Services Portfolio


Risk Assessment

Comprehensive risk assessment services that accurately identify and prioritise OT cyber security risks with actionable remediation recommendations.

OT Vulnerability Assessment

Baseline review of your OT environment security capabilities and weaknesses. Enables the mitigation of priority risks identified and the development of a long-term security strategy.

OT Asset Inventory

Comprehensive asset discovery services that result in a complete view of your OT assets, systems and networks. Enables risk exposure evaluation and obsolescence management.

Penetration Testing

We analyse attack vectors and non-disruptively test egress and ingress points to and from your OT systems and networks. Provides insight into operational impacts from a cyber compromise.

OT Vulnerability Assessment

Technical assessment of an architecture where current security posture is considered, and any improvements identified. The focus is on establishing a defendable architecture.

Regulatory Compliance

We support organisations in successfully navigating this evolving and complex space. Our guidance helps you become and remain compliant.

Consultancy

We help you achieve your OT cyber security goals by providing advice and guidance based on actual real-world experience resulting in tangible OT cyber security advancement.

Network Segmentation

The goal of our Network Segmentation service is to enhance security by stopping attacks from propagating throughout an OT network and penetrating vulnerable assets.

OT Asset Hardening

The goal of our OT Asset Hardening service is to reduce security risk by eliminating potential attack vectors and condensing the environment’s attack surface.

Training & Awareness

Educational programs and resources to help organisations understand, utilise, and defend against cyber threats using the MITRE ATT&CK framework.

Capital Project Assurance

We ensure OT cyber security requirements are identified, embedded, deployed and verified at all stages of the capital project lifecycle.

OT Cyber Security Program

We help deliver your program objectives on time and on budget. We offer everything from full program management to the deployment of staff into tailored roles.

OT Cyber Security Framework (OT-CSF)

We ensure your OT-CSF meets its objectives, is designed realistically, and has procedural and technical requirements that are achievable and sustainable.

Staff Augmentation

We provide clients with the capability to meet strategic objectives via our trusted, highly skilled and flexible resource pool.

Incident Response

We identify the key cyber threat scenarios that need to be prepared for and assist in establishing the processes and plans that ensure you can respond effectively and swiftly.

Table Top Exercise (TTX)

Our TTX tests your organisation's ability to respond to different cyber incident scenarios. It helps evaluate how effective your cyber incident response plans are.

Digital Forensics Incident Recovery (DFIR)

We offer a complete DFIR service that enables your organisation to act decisively should a cyber incident occur.

Malevolent Threat Actor Monitoring

We actively monitor the deep and dark web for “malevolent chatter” and alert you if there is a risk to your organisation’s OT assets and infrastructure.

Why Conduct an OT Risk Assessment?

Conducting a cyber risk assessment provides a structured understanding of the risks present in your OT environment and the potential impact they could have on your organization, whether through malicious or non-malicious means.

The assessment process is outcome-focused, generating a “risk rating” for each worst-case threat scenario (also known as “Top-Event” or “Boom Event”). Each threat scenario is evaluated under the following conditions:

  • Without mitigating controls (inherent risk rating);
  • With current (as-is) mitigating controls (residual risk rating);
  • With additional mitigating controls (target risk rating).

Through thorough discovery and analysis, the effectiveness of existing controls for each threat scenario is evaluated. This evaluation may reveal that current controls already reduce the risk to an acceptable level, in which case no additional actions are required. Alternatively, it may identify vulnerabilities where enhancements or additional controls are necessary to bring the risk within organizational tolerance.

The assessment also considers “risk vs. benefits vs. cost and complexity,” enabling the pragmatic prioritization of remedial efforts. This approach focuses on items that offer the most significant risk reduction both tactically (short-term mitigations, often referred to as “low-hanging fruit”) and strategically (medium to long-term mitigations requiring more effort to plan, design, and implement).

Risk Ratings are typically derived using a 5 x 5 grid format known as a “Risk Assessment Matrix” (RAM). The RAM provides a straightforward and effective way to present a comprehensive view of cyber risks to all team members and key stakeholders. “Risk Tolerance” is the level of risk or uncertainty an organization can accept and varies significantly across industries. Many organizations develop their own RAMs, tailored to their specific consequence categories and likelihood scales based on historical data.

A high-level summary of the key steps in our risk assessment process is outlined and visualized below:

01: Discover: Identify Assets

  • Identify and catalog all assets within the OT environment.
  • Categorize OT assets based on their criticality to the organization’s operations (e.g., High, Medium, Low).

02: Discover: Identify Threats

  • Identify and prioritize threat scenarios that could lead to high-consequence events.
  • Consider all applicable real-world cyber scenarios seen across industries for completeness.

03: Analyze: Threats & Controls

  • Evaluate the effectiveness of existing (as-is) controls for each threat scenario.
  • Determine the risk rating for each threat scenario based on organizational impact and likelihood.

04: Analyze: Additional Controls

  • Identify additional controls that can provide tangible risk reduction for each threat scenario.
  • Ensure the controls are realistic and agree on an updated risk rating achievable with these additional controls.

05: Analyze: Prioritize Risk

  • Prioritize risks to determine which require immediate action, where to invest time and resources, and which risks can be addressed later.
  • Prioritization is based on the highest risk ratings in descending order.

06: Formalize: Create Report

  • Document the assessment in a formal report.
  • The report includes an executive summary, a description of the current situation, risk exposure, findings, observations, and recommendations.

07: Formalize: Readback

  • Conduct a high-level feedback session to provide an overview of the assessment outcome to executive-level stakeholders.
  • Plan the next steps and conclude the engagement.
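The three rating conditions (inherent, residual, target), the 5 x 5 RAM, and steps 03 to 05 above can be expressed as a small model. The following Python is an added example and not CNB's methodology or tooling: the 1..5 likelihood and impact scales, the band thresholds, the tolerance value, the additive effect of each control, and the sample scenarios are all assumed and constructed for illustration, since an organisation's own RAM would supply its real scales and consequence categories.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Assumed 5 x 5 Risk Assessment Matrix (RAM): likelihood and impact are each
# scored 1..5, the rating is their product, and the product is bucketed into
# bands. Scales, bands and tolerance are illustrative, not an industry standard.
LIKELIHOOD = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Almost certain"}
IMPACT = {1: "Negligible", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Catastrophic"}
TOLERANCE = 9  # assumed: ratings of 9 (Medium) or below are acceptable


def rating_band(score: int) -> str:
    """Map a likelihood x impact product to a RAM band (assumed thresholds)."""
    if score >= 15:
        return "Critical"
    if score >= 10:
        return "High"
    if score >= 5:
        return "Medium"
    return "Low"


@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0  # likelihood steps the control removes (assumed model)
    impact_reduction: int = 0      # impact steps the control removes (assumed model)
    cost: int = 1                  # relative effort, 1 (low) .. 5 (high)


@dataclass
class ThreatScenario:
    name: str
    zone: str
    likelihood: int  # inherent likelihood, 1..5
    impact: int      # inherent worst-case ("Top-Event") impact, 1..5
    as_is_controls: List[Control] = field(default_factory=list)
    additional_controls: List[Control] = field(default_factory=list)


def _clamp(value: int) -> int:
    return max(1, min(5, value))


def apply_controls(likelihood: int, impact: int, controls: List[Control]) -> int:
    """Rating after the given controls have reduced likelihood and/or impact."""
    lk = _clamp(likelihood - sum(c.likelihood_reduction for c in controls))
    im = _clamp(impact - sum(c.impact_reduction for c in controls))
    return lk * im


def assess(scenario: ThreatScenario, tolerance: int = TOLERANCE) -> Dict:
    """Inherent (no controls), residual (as-is) and target (as-is + additional) ratings."""
    inherent = scenario.likelihood * scenario.impact
    residual = apply_controls(scenario.likelihood, scenario.impact, scenario.as_is_controls)
    target = apply_controls(scenario.likelihood, scenario.impact,
                            scenario.as_is_controls + scenario.additional_controls)
    extra_cost = sum(c.cost for c in scenario.additional_controls)
    return {
        "scenario": scenario.name,
        "zone": scenario.zone,
        "inherent": inherent, "inherent_band": rating_band(inherent),
        "residual": residual, "residual_band": rating_band(residual),
        "target": target, "target_band": rating_band(target),
        "within_tolerance": residual <= tolerance,
        # risk reduction bought per unit of effort: a rough "low-hanging fruit" signal
        "reduction_per_cost": (residual - target) / extra_cost if extra_cost else 0.0,
    }


def prioritize(scenarios: List[ThreatScenario], tolerance: int = TOLERANCE) -> List[Dict]:
    """Step 05: rank scenarios by residual rating, highest first (inherent as tie-break)."""
    results = [assess(s, tolerance) for s in scenarios]
    results.sort(key=lambda r: (r["residual"], r["inherent"]), reverse=True)
    return results


# Constructed sample scenarios for a fictitious plant; not real assessment data.
SAMPLE_SCENARIOS = [
    ThreatScenario(
        "Ransomware spreads from IT to SCADA servers", "Control centre",
        likelihood=4, impact=5,
        as_is_controls=[Control("Perimeter firewall with permissive rules", likelihood_reduction=1)],
        additional_controls=[Control("IT/OT DMZ with deny-by-default rules", likelihood_reduction=1, cost=4),
                             Control("Tested offline backups of SCADA servers", impact_reduction=1, cost=2)],
    ),
    ThreatScenario(
        "Unauthorised logic change on safety PLC", "Cell/area zone",
        likelihood=3, impact=5,
        as_is_controls=[Control("Physical access control to cabinets", likelihood_reduction=1)],
        additional_controls=[Control("PLC key switch kept in RUN", likelihood_reduction=1, cost=1),
                             Control("Logic-change monitoring and alerting", impact_reduction=1, cost=2)],
    ),
    ThreatScenario(
        "Historian disk failure loses process data", "Plant DMZ",
        likelihood=3, impact=2,
        as_is_controls=[Control("Nightly backups", impact_reduction=1)],
    ),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_SCENARIOS):
        print(f'{r["scenario"]}: inherent {r["inherent"]} ({r["inherent_band"]}), '
              f'residual {r["residual"]} ({r["residual_band"]}), '
              f'target {r["target"]} ({r["target_band"]}), '
              f'within tolerance: {r["within_tolerance"]}')
```

Run stand-alone, the ransomware scenario comes out first (inherent 20, residual 15, target 8), the PLC scenario second (15, 10, 4), and the historian scenario last and already within tolerance (6, 3, 3). The `reduction_per_cost` figure is what the "risk vs. benefits vs. cost and complexity" discussion above asks for: the cheap PLC controls buy more rating reduction per unit of effort than the DMZ project, which marks them as tactical quick wins, while the DMZ remains the strategic item.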

Why is an OT-Specific Risk Assessment Necessary?

Traditional IT security models focus on Confidentiality first, then Integrity, and finally Availability (known as the “CIA Triad”). In contrast, OT cybersecurity models prioritize Availability first, followed by Integrity, and then Confidentiality (known as the “AIC Triad”).

This prioritization is due to the critical nature of OT environments, such as manufacturing plants and upstream oil assets, which rely heavily on continuous availability and dependable integrity for both process control and safety. In some scenarios, the loss of availability or system integrity could jeopardize the safety of the workforce, consumers, physical assets, and the environment. The type and duration of availability loss can lead to significant economic, ecological, and life-threatening consequences. Notable examples of availability attacks include the 2021 Colonial Pipeline attack, the 2019 Springhill Memorial Hospital ransomware attack, and the 2015 Sandworm attacks on Ukrainian critical infrastructure.

Understanding these differences between OT and IT environments is crucial for accurately assessing risks and recommending appropriate countermeasures. This highlights the importance of conducting an OT-specific risk assessment.

Key Benefits of Conducting an OT Risk Assessment

  • Gain insights into and benchmark your current risk exposure, along with the potential consequences of cyber-attacks.
  • Identify gaps in People, Processes, and Technology, helping to prioritize high-risk areas for remediation and improvement.
  • Supply supporting information to make informed decisions regarding cybersecurity investments.
  • Provide compliance evidence of cyber risk management to regulatory authorities.

Deliverables from an OT Risk Assessment

As part of this service offering, CNB provides a formal report that includes:

  • Assessment methodology
  • Executive summary
  • Description of the current situation, risk exposure, and potential consequences for the organization
  • Assessment findings and observations
  • Remediation recommendations with associated priorities

Additionally, the following items will also be provided:

  • High-level presentation for executive-level stakeholders
  • Any supporting materials produced during the assessment (e.g., risk assessment analysis worksheets, etc.)