Cyber Security: A Simple Approach to Understanding the Cyber Risk in OT Assets
Marine and Offshore Solutions
A Practical Approach
Until now, descriptions of cybersecurity risk and resulting management plans were anecdotal and largely an educated guess made by vessel OT environment managers — which characterized risk based on abstract concepts — perceived threats and vulnerabilities. Fundamentally, we were using educated guesses as the foundation for maritime OT risk assessment.
A new, practical and quantifiable model to define maritime OT risk analysis was badly needed. Our Cyber Risk Management team began this effort as basic research with the U.S. Department of Homeland Security, the U.S. Coast Guard and the Stevens Institute of Technology. Our work with government agencies and researchers demonstrated that available guidance for developing the required Cybersecurity Risk Management Plan was insufficient (C2M2 CERT-RMM [C2M2: U.S. DHS Cybersecurity Capability Maturity Model, CERT: Computer Emergency Readiness Team, and RMM: Resilience Management Model] specifically calls for implementation actions based on a detailed Risk Management Plan).
Following on from the joint research effort, we applied research and development resulted in methods and tools that describe cyber risk on vessels as readily observable and quantifiable cyber risk constructs. In contrast to commonly used risk elements in the cybersecurity risk equation defined by the FBI Risk = Consequence x Vulnerability x Threat (This model is often referred to as the "FBI Risk Equation"), we defined OT risk elements to reflect countable maritime OT realities: Functions, Connections and Identities, respectively.
ABS FCI Cyber Risk Model
The ABS FCI Cyber Risk™ model (patent pending) is simple in its structure, but sophisticated in its application. The FCI Model transforms the abstract constructs of the commonly used risk equation into physical constructs that are observable and countable in a vessel OT system. The revised equation for maritime is, Risk = Functions x Connections x Identities.
Using the FCI Cyber Risk equation, we can calculate a cyber risk index for clients that is actionable and easily understood by senior management and C-Level executives. From the risk index, an actionable report details how to reduce cyber risk, enabling owners and operators to prioritize OT cybersecurity design and investments across their assets.
First, consider Functions of an OT system, which represent Consequences in the original equation. Failure of critical Functions, like navigation, steering or engine management controls, has serious consequences. Solutions to reduce risk for vessel Functions are basically constrained to network architecture management activities, such as distributing critical functions to segmented and protected networks, which reduces risk that a single cyber incident could impact several critical Functions simultaneously.
Second, consider Connections to potential cyber threats which represent Vulnerabilities. Digital Connections are the pathways to critical functions that must be operational, and therefore protected from a cyber incident. The gateways to connections are network nodes. Logically controlling access to critical Functions through digital Connection nodes, reduces risk.
In the end, what are we protecting Functions from? In the common risk equation, Functions must be protected from Threats. The concept of a cyber threat is widely assumed to be malware, software viruses, ransom-ware and the like. A Threat has an agenda that may or may not be malicious. Most importantly, a Threat has an Identity that is either known or unknown. Threats are merely methods by which Identities impose a threat. Untrusted Identities introduce threats into connection nodes that can, or are intended to, impair critical Functions.
Eliminating the Uncertainty of Cyber Risk
Controlling access to important Functions, through vulnerable Connection nodes, by untrusted Identities capable of delivering an infinite number of potential threats, reduces or eliminates Cyber Risk. So there it is — cybersecurity in a nutshell. Once described in these terms, cybersecurity becomes simple to understand and just detailed and tedious to define and design.
By applying the FCI Risk constructs to an OT system, risk elements can be observed, defined, counted and reduced or eliminated within the risk tolerance limits of the concerned organization. All risk management requirements imposed by international cybersecurity guidance standards and regulations can be prioritized and clearly explained in real risk elements using the FCI Cyber Risk model. Finally, with the results of the FCI Cyber Risk process, owners/operators can apply a cost-effective risk mitigation strategy across their assets and fleets.