Low Level Risk Assessment according to Industrial Cyber Security standards

Reading time: 6 minutes - Difficulty: advanced

The Low Level Risk Assessment is the analysis following the High Level Risk Assessment, in compliance with the Cyber Security Lifecycle according to the IEC 62443 standards, which deals with the security of industrial control systems.

What is the Low Level Risk Assessment

The Low Level Risk Assessment is a detailed analysis typically performed after a High Level Risk Assessment or, sometimes, conducted on specific plants in order to deeply assess the precise risk estimate of an attack. In general, the Low Level Risk Assessment focuses on the most sensitive equipment reported from the High Level Risk Assessment, and in relation to the potential most critical consequences of an attack.

So, while the purpose of the High Level Risk Assessment is to macroscopically assess the potential consequences of an attack, the Low Level Risk Assessment deepens the weakest parts of an industrial control system.

 

The low-level risks calculation is based on the following formula:

Risk = 〖Threat〗 Specific x 〖Vulnerability] (Exploitable〗 x 〖Consequences〗 Event

 

Technical standards for Low Level Risk Assessment

The following table shows the technical standards within the IEC 62443 standard applicable to the Low Level Risk Assessment:

Parte Titolo
ISA 62443-1-1:2015 Industrial communication networks – Network and system security – Part 1-1: Terminology, concepts and models
IEC 62443-2-1:2010 Industrial communication networks – Network and system security – Part 2-1: Establishing an industrial automation and control system security program
IEC 62443-2-4:2015 Security for industrial automation and control systems – Part 2-4: Security program requirements for IACS service providers
IEC/TR 62443-3-1:2009 Industrial communication networks – Network and system security – Part 3 1: Security technologies for industrial automation and control systems
IEC 62443-3-3:2013 Industrial communication networks – Network and system security – Part 3-3: System security requirements and security levels
IEC 62443-4-1:2018 Security for industrial automation and control systems – Part 4-1: Secure product development lifecycle requirements.

 

Low Level Risk Assessment phases according to the IEC 62443

Low Level Risk Assessment is a microscopic quantification of the potential cyber risk affecting an industrial control system. This activity, according to the IEC 62443 scheme, is divided into 4 main phases:

1) Identification of the target asset, where the target asset is analyzed in terms of extension, technical characteristics, and device composition, by focusing on the existing vulnerabilities.

2) Network Mapping & Analysis, i.e. the application of potential threats to each subsystem and component by verifying their characteristics. This phase identifies all exploitable vulnerabilities through passive packet scans that analyze network traffic, unauthenticated scans, or authenticated scans, depending on whether the network is studied externally or internally, and, finally, agent-based scans through software.

3) Social Engineering and access analysis, i.e. a targeted analysis of vulnerabilities that can be exploited by the human factor, with particular attention to the interventions of external personnel, generally in charge of ordinary and extraordinary maintenance of the infrastructures. This phase also considers the access controls on the perimeter security parts.

 

Cyber Security Risk Assessment: our proposal

Starting from the data collected prior to the Low Level Risk Assessment, i.e. along with the High Level Risk Assessment, our pool of ISA99/IEC62443 certified in-house specialists provides a complete set of services in compliance with the Cyber ​​Security Lifecycle defined by the IEC 62443 standard. Our proven expertise in industrial automation allows us to support our customers in all the phases of the Low Level Risk Assessment described in the previous paragraph.

 

Our Low Level Cyber ​​Security Risk Assessment service is divided into 4 phases:

  1. Vulnerability assessment, network mapping, social engineering, and access management analyses
  2. Low Level Risk Assessment (preliminary), i.e. the issue of a preliminary analysis report containing the results of the analyzes of the previous point
  3. Evaluation of the preliminary result of the analysis to be shared with the internal staff responsible for the security of the industrial control systems and discussion of the following actions to be planned
  4. Low Level Risk Analysis (final), where we complete the detailed risk analysis by providing the necessary information to the internal staff for the implementation of a remediation plan, ie a plan containing the most suitable mitigation measures.

Did you find this helpful? For further information about our IEC 62443 Risk Assessment or to request a quote

 

Contact us

or

Go back to the blog

Send this to a friend