
5 Signs It’s Time for an ICS Risk Assessment

Risk assessments are a fundamental part of maintaining security protocols. But unlike formal security audits, there isn’t a fixed frequency for how often risk assessments need to be conducted.

So, how are security operators to know when they should conduct an in-depth evaluation of their industrial control system (ICS)?

While it may be tempting to put off a risk assessment when there’s so much other work to be done, protection must be proactive. This is especially true when securing your environment and keeping operations running smoothly.

Fortunately, there are fairly clear signs that indicate it’s time for an ICS risk assessment. Specifically, if any of the thoughts below have crossed your mind recently, it’s probably time to get proactive about your system’s security.

Sign #1: Did We Add a New Machine to the Asset Inventory?

An asset inventory is a comprehensive and up-to-date list of all process controllers, controller model & serial numbers, firmware versions, associated network information and addresses, along with any other related connections and components. A complete device inventory includes all of your industrial system’s OT, IT, and IIoT assets.

Ideally, managing your assets is a continuous process – any additions and changes should be logged whenever they’re made. Keeping an updated inventory makes it easy for the operations and security team to thoroughly and quickly understand the devices and software at any given time.

If your list is anything but exhaustive, it’s probably time to conduct a new ICS risk assessment.


🔥 Hot tip / Shameless plug → View a snapshot of the devices and protocols contained within a packet capture using our Free OT PCAP Analyzer.


Sign #2: I Didn’t Know You Had Access to That…

If it isn’t clear who has administrative access or security clearance (or that information isn’t documented), it’s time to conduct a risk assessment. Knowing what’s going on with access control mitigates risk and helps avert cybersecurity incidents caused by human error.

Strong and consistent security clearance practices create defense-in-depth by adding another layer of complexity to accessing critical systems.

A thorough risk assessment can clarify your current access distributions and identify opportunities for stronger security measures.

Sign #3: Finally, an Upgrade!

Any changes to your industrial environment, no matter how small they seem, can impact connected systems and devices. That means any new equipment or upgrades to hardware, firmware, or software justify an updated risk assessment, including even seemingly small security patches. A new ICS risk assessment can clarify whether changes to your current security protocols and responses are needed.

Sign #4: When Was the Last Time We Did an Update?

If you can’t tell what software version is running on a machine, when a machine or system was patched (if it even can be patched), or when the hardware was purchased, it’s time to bump that risk assessment higher on the to-do list.


ICS risk assessments can identify potential vulnerabilities and highlight any oversights. They also serve as a valuable running inventory of any previously identified risks throughout your environment.

Conducting regular assessments also makes it easier to identify areas for improvement and stop any potential issues before they have an impact on operations.
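To make Signs #1 and #4 concrete, here is a small inventory gap check, added as an illustration and not EmberOT code. The column names, sample devices, and observed addresses are all constructed assumptions; it flags assets missing the fields listed above and compares the inventory against addresses seen on the network.

```python
import csv
import io

# Constructed sample inventory (not from the original page). Columns follow the
# fields the article lists, plus the patch and purchase dates from Sign #4.
SAMPLE_INVENTORY = """\
asset_id,model,serial,firmware,ip,last_patched,purchased,patchable
plc-01,ExampleLogic 500,SN1001,2.4.1,10.10.1.11,2024-03-02,2019-06-01,yes
plc-02,ExampleLogic 500,SN1002,,10.10.1.12,,2019-06-01,yes
hmi-01,ExamplePanel 7,,1.0.9,10.10.1.20,2023-11-15,,yes
rtu-07,ExampleRTU 2,SN3007,5.2,10.10.2.5,,2012-01-10,no
"""

# Constructed list of addresses seen on the wire, e.g. from a packet capture.
OBSERVED_IPS = ["10.10.1.11", "10.10.1.12", "10.10.1.20", "10.10.1.99"]

REQUIRED = ("model", "serial", "firmware", "ip", "purchased")


def inventory_gaps(inventory_csv, observed_ips):
    """Return (missing fields per asset, observed-but-unlisted IPs, listed-but-unseen IPs)."""
    missing = {}
    listed_ips = set()
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        gaps = [f for f in REQUIRED if not (row.get(f) or "").strip()]
        # An unknown patch date is only a gap when the device can be patched;
        # whether it can be patched at all must itself be documented.
        patchable = (row.get("patchable") or "").strip().lower()
        if patchable not in ("yes", "no"):
            gaps.append("patchable")
        elif patchable == "yes" and not (row.get("last_patched") or "").strip():
            gaps.append("last_patched")
        if gaps:
            missing[row["asset_id"]] = gaps
        if (row.get("ip") or "").strip():
            listed_ips.add(row["ip"].strip())
    seen = set(observed_ips)
    return missing, sorted(seen - listed_ips), sorted(listed_ips - seen)


if __name__ == "__main__":
    missing, unlisted, unseen = inventory_gaps(SAMPLE_INVENTORY, OBSERVED_IPS)
    for asset, fields in missing.items():
        print(f"{asset}: missing {', '.join(fields)}")
    print("On the network but not in the inventory:", unlisted)
    print("In the inventory but not seen on the network:", unseen)
```

Any non-empty result is a prompt to revisit the inventory before (or as part of) the next assessment; a listed device that was not observed may simply have been quiet during the capture window.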

Sign #5: The Last Full Security Assessment was with an Audit

Security audits are meant to assess environments to ensure they meet the bare minimum of compliance requirements. Since audits are usually pass-fail, results typically don’t go into any deeper details that facility managers, operators, or administrators can use.

On the other hand, risk assessments usually go into much more detail. They’re meant to document the current state of your security and its performance. They identify potential risks and issues (hence the name) but also document what is working.

EmberOT: Simplifying Visibility for your ICS Risk Assessment

EmberOT is committed to helping amplify operators’ visibility into their industrial systems with our ultra-small footprint, software-based sensors.

EmberOT sensors, called “Embers,” can deploy on darn near anything:

  • compute modules
  • side-loaded
  • installed directly on existing hardware
  • containerized
  • even virtual!

Our software was tailor-made for industrial environments to provide more affordable and democratic security that protects critical infrastructure.

Interested in learning more about EmberOT’s vendor-agnostic solution that decouples data collection and analysis from event management? Need a usable tool capable of sending data to any detection platforms, SIEMs, and data lakes?

Reach out to us for a demo of the full product, or download our free OT PCAP Analyzer to get started on your ICS visibility journey.