The Low Level Risk Assessment is the analysis following the High Level Risk Assessment, in compliance with the Cyber Security Lifecycle according to the IEC 62443 standards, which deals with the security of industrial control systems.
What is the Low-Level Risk Assessment
The Low-Level Risk Assessment is a detailed analysis typically performed after a High-Level Risk Assessment or, sometimes, conducted on specific plants in order to deeply assess the precise risk estimate of an attack. In general, the Low-Level Risk Assessment focuses on the most sensitive equipment reported from the High-Level Risk Assessment, and in relation to the potential most critical consequences of an attack.
So, while the purpose of the High-Level Risk Assessment is to macroscopically assess the potential consequences of an attack, the Low-Level Risk Assessment deepens the weakest parts of an industrial control system.
The low-level risks calculation is based on the following formula:
Risk = 〖Threat〗 Specific x 〖Vulnerability] (Exploitable〗 x 〖Consequences〗 Event
Technical standards for Low-Level Risk Assessment
The following table shows the technical standards within the IEC 62443 standard applicable to the Low-Level Risk Assessment:
Parte | Titolo |
ISA 62443-1-1:2015 | Industrial communication networks – Network and system security – Part 1-1: Terminology, concepts and models |
IEC 62443-2-1:2010 | Industrial communication networks – Network and system security – Part 2-1: Establishing an industrial automation and control system security program |
IEC 62443-2-4:2015 | Security for industrial automation and control systems – Part 2-4: Security program requirements for IACS service providers |
IEC/TR 62443-3-1:2009 | Industrial communication networks – Network and system security – Part 3 1: Security technologies for industrial automation and control systems |
IEC 62443-3-3:2013 | Industrial communication networks – Network and system security – Part 3-3: System security requirements and security levels |
IEC 62443-4-1:2018 | Security for industrial automation and control systems – Part 4-1: Secure product development lifecycle requirements. |
Low-Level Risk Assessment phases
Low-Level Risk Assessment is a microscopic quantification of the potential cyber risk affecting an industrial control system. This activity, according to the IEC 62443 scheme, is divided into 4 main phases:
1) Identification of the target asset, where the target asset is analyzed in terms of extension, technical characteristics, and device composition, by focusing on the existing vulnerabilities.
2) Network Mapping & Analysis, i.e. the application of potential threats to each subsystem and component by verifying their characteristics. This phase identifies all exploitable vulnerabilities through passive packet scans that analyze network traffic, unauthenticated scans, or authenticated scans, depending on whether the network is studied externally or internally, and, finally, agent-based scans through software.
3) Social Engineering and access analysis, i.e. a targeted analysis of vulnerabilities that can be exploited by the human factor, with particular attention to the interventions of external personnel, generally in charge of ordinary and extraordinary maintenance of the infrastructures. This phase also considers the access controls on the perimeter security parts.
Do you need immediate assistance in regard to Industrial Cyber Security?
Go back to the blog