Conducting a risk assessment and gap analysis exercise for Industrial Control System environments is important from cybersecurity, business continuity, and risk mitigation perspectives. It is important to bring the risk exposure down to acceptable levels and minimize the risk tolerance with every assessment cycle so that the overall risk sensitivity of the enterprise improves measurably. Where to start your Risk Assessment & Gap Analysis journey? What is the best time to start an assessment? As a matter of practice, there shouldn’t be a gap of more than 300 days between every OT/ICS & IoT risk assessment and gap analysis cycle. If 300 days have passed since you conducted your last ICS risk assessment cycle, then an assessment is due right now. A gap of 300 days gives your security team enough time to address the gaps identified in the last round and gives you sufficient time to plan the next assessment with your OT/ICS & IoT risk assessment and gap analysis vendor. Such a time frame also overlaps between multiple procurement cycles so that the maximum number of new assets are considered and are covered in an assessment. Planning an assessment is not just about bringing the plant and other stakeholders on board to derive a schedule. Instead, an OT/ICS & IoT risk assessment and gap analysis planning exercise should ideally have the following: Planning an OT/ICS and IoT Risk Assessment and Gap Analysis An example from our experience of conducting OT/ICS and IoT Risk Assessment and Gap Analysis In one of the OT/ICS risk assessment and gap analysis projects that Sectrio did recently, we covered an asset base that was spread across over 994 miles (1600 km). In this project, the planning phase itself stretched over 38 days as we had to also study the report submitted by another vendor during a previous assessment. Further, our pre-assessment teams also visited multiple sites to get a first-hand view of the infrastructure along with site-specific challenges/considerations. Other considerations while planning a Risk Assessment and Gap Analysis: Focus areas for the pre-assessment phase The initial/ pre-assessment steps should ideally set the stage for a more comprehensive and relevant assessment exercise. However, the initial assessment should be seen not merely as an enabler for the next assessment. The initial assessment has legs of its own to stand on and if done right, the gaps identified in this assessment can be addressed as
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
Read the original article: