Over the last three blogs, I mapped out the importance of ISA/IEC 62443 (ISA-99) based cybersecurity and how it applies to your work environment. 

For part 1, I started from the beginning and outlined what exactly ICS cybersecurity is and why it is important. 

For part 2, I explained the differences between IT and ICS cybersecurity and how the security focus differs between the two.

For part 3, I explained the structure of the standards that pertain to ICS cybersecurity.

In this blog, I will talk about control system assessments.

Risk vs. Vulnerability Assessments

People often use the terms risk assessment and vulnerability assessment interchangeably, but they answer different questions. A risk assessment asks: if this device were compromised, what could happen, how bad could it be, and what do I need to do to raise my security level and bring my risk down? A vulnerability assessment looks at your system and its devices to find what could be used to compromise them.

The risk assessment then takes each finding from the vulnerability assessment and asks how bad it would be if someone exploited it. If the vulnerable device is the front door access system and the worst case is that people can't get in, so what? If it is one of the controls of the burner management system, that is bad. So which one do you apply your resources to first? The most critical one, the one that can do the most damage. How do you know which that is? That is where the assessments come in.  

When should you perform an assessment?

It depends on where you are in the lifecycle. Are you in a greenfield installation, a new installation where you haven't broken ground yet and everything is still on paper? Or are you working in a brownfield, where the system exists and is running and you now need to assess it? What is your known security posture to begin with? What have you done previously? Do you know?  

Do you know your situation?

If you don't know what you've done yet, we have a process called a NIST Gap Assessment. It is very quick and very simple, but it gives you an outline, a gap assessment, of where you are right now and where you want to be.

NIST Gap Overview

The NIST Gap Assessment is based on the National Institute of Standards and Technology's Cybersecurity Framework. The framework defines Functions, Categories, and Subcategories, and introduces the Tier/Profile concept, which compares your current situation with what you want to achieve. The assessment is a short, roughly half-day exercise. It reveals your posture, but it does not by itself tell you what you need to fix, so at this point it is purely an informative process.  


Process control systems have long been known to be critical to the health, safety, welfare, and economic stability of the public at large. Recognizing this, in 2013 President Obama issued Executive Order 13636, "Improving Critical Infrastructure Cybersecurity." The order calls for the development of a voluntary, risk-based Cybersecurity Framework. The resulting framework, now known as the NIST Cybersecurity Framework, is built on existing industry standards, policies, and guidelines, is technology neutral, and is designed as a template to guide an organization's cybersecurity activities and focus. 

This framework is not a prescriptive document in the way other published standards and regulations are. Instead it lets the organization determine where it currently stands against a number of categories and at the same time determine where they would like to

The determination of how the company stands up against a predefined matrix determines the Tier for each category. The aggregation of the Tiers determines the Profile for each of the Functions. The exercise identifies the gap between the Current Profile and the Target Profile. The framework does not give prescriptive solutions on how to achieve the desired Target Profile, but it does lay out a roadmap to guide where activities and energies should be most effectively applied.
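To make the Tier/Profile mechanics concrete, here is a small added example, written for this post and not exida's assessment tool or anything published by NIST. Each standardized interview question gets a Current and a Target tier on the 4-level scale, the tiers are rolled up to one profile per Function, and the gap is reported per Function and as a prioritized list of subcategories. The subcategory identifiers are real CSF v1.1 IDs; the site, its scores, and the choice of min() as the roll-up rule are constructed assumptions.

```python
"""Toy NIST CSF gap-assessment calculator (constructed example, not exida's tool).

Every subcategory the interviewer asks about gets a Current and a Target tier on
the 4-level scale the blog describes. Tier names below are the CSF v1.x
Implementation Tier names; the subcategory identifiers are real CSF v1.1 IDs,
but the scores attached to them are invented for this illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

TIER_NAMES = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}
FUNCTIONS = ("IDENTIFY", "PROTECT", "DETECT", "RESPOND", "RECOVER")


@dataclass(frozen=True)
class Answer:
    """One standardized interview question, scored for today and for the goal."""
    function: str      # one of the five CSF Functions
    subcategory: str   # CSF subcategory ID, e.g. "ID.AM-1"
    current: int       # where the organisation is today (1..4)
    target: int        # where it wants to be (1..4)

    def __post_init__(self):
        if self.function not in FUNCTIONS:
            raise ValueError(f"unknown Function {self.function!r}")
        for tier in (self.current, self.target):
            if tier not in TIER_NAMES:
                raise ValueError(f"tier must be 1..4, got {tier}")


# Constructed interview results for a small brownfield site (assumed data).
SAMPLE_ANSWERS = [
    Answer("IDENTIFY", "ID.AM-1", current=2, target=3),  # physical device inventory
    Answer("IDENTIFY", "ID.RA-1", current=1, target=3),  # asset vulnerabilities identified
    Answer("PROTECT", "PR.AC-1", current=1, target=3),   # identities and credentials managed
    Answer("PROTECT", "PR.AC-4", current=2, target=3),   # least privilege / separation of duties
    Answer("DETECT", "DE.CM-1", current=1, target=2),    # network monitored for events
    Answer("RESPOND", "RS.RP-1", current=2, target=2),   # response plan executed
    Answer("RECOVER", "RC.RP-1", current=3, target=3),   # recovery plan executed
]


def function_profile(answers, attr, aggregate=min):
    """Roll subcategory tiers up to one tier per Function.

    The default aggregate is min(): the weakest subcategory is the one an
    attacker actually meets, and a mean would let one strong control mask it.
    """
    by_function = defaultdict(list)
    for answer in answers:
        by_function[answer.function].append(getattr(answer, attr))
    return {fn: aggregate(tiers) for fn, tiers in by_function.items()}


def gap_report(answers):
    """Return (current profile, target profile, gap per Function, prioritised work list)."""
    current = function_profile(answers, "current")
    target = function_profile(answers, "target")
    gaps = {fn: target[fn] - current[fn] for fn in current}
    # Only subcategories below their target need work; biggest gap first.
    work = sorted((a for a in answers if a.target > a.current),
                  key=lambda a: (a.current - a.target, a.subcategory))
    return current, target, gaps, work


if __name__ == "__main__":
    current, target, gaps, work = gap_report(SAMPLE_ANSWERS)
    for fn in FUNCTIONS:
        if fn in current:
            print(f"{fn:9} current={TIER_NAMES[current[fn]]:14} "
                  f"target={TIER_NAMES[target[fn]]:14} gap={gaps[fn]}")
    print("Work list:", ", ".join(f"{a.subcategory} ({a.current}->{a.target})" for a in work))
```

Run as a script it prints one line per Function plus the work list. The roll-up rule matters: with min(), PROTECT sits at Tier 1 because PR.AC-1 is at Tier 1; with a mean it would read 1.5 and the weak credential management would disappear into the average. That is the kind of judgement the half-day exercise surfaces, and the output is a roadmap of where to spend effort, not a prescription of how.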

Using the Functions, Categories, and Subcategories as detailed in the NIST Cybersecurity Framework as a guide, exida works with you. We spend 3 to 4 hours determining your Current and Target profiles, giving you valuable insight into where you are doing well and where some more effort should be applied. 

Based on the results of the exercise, we provide recommendations and suggestions specific to your organization on how to proceed, where you can accomplish tasks yourself, and where outside expertise would be beneficial. 

Basic NIST-Based Cybersecurity Gap Assessment Benefits

What It Offers

  • Quick method, with little demand on staff time, for gauging current cybersecurity posture against the target of where the company wants to be
  • Based on NIST Cybersecurity Framework
  • Low cost as compared to full assessment
  • Does not require invasive discovery in and around the control system

Why is it Worth It?

  • Easy gauge to determine whether a further detailed review is necessary
  • Does not entail intrusion into ICS systems or the facility
  • Approximately half a day vs. a multiple-day engagement

What It Will Do

  • Provide the Tier descriptions and a short training on the process
  • Spend a short period of time interviewing those knowledgeable about your control system, asking standardized questions and recording each answer on a 4-level scale
  • Produce a summary of the findings and recommendations 

In the next blog, I will explain where to go after a NIST Gap Assessment has been conducted.

Tagged as: SCADA, ICS Cybersecurity, IACS Cybersecurity, Eric Persson, Cybersecurity