Risk Analysis is the primary way to understand cyber security threats and control needs. This activity is carried out with a focus on a specific installation, since, in addition to the logical environment, the physical is also analyzed. Risk analysis can be conducted on production plants (brownfield) or in the design phase (Greenfield). When risks and threats are identified prematurely, security controls are implemented with the lowest cost and maximum efficiency.
Conducting risk analysis in automation networks follows the following steps:
Static Risk Analysis
- In this step, network diagrams are checked, the operational environment (industrial datacenter) is checked and questionnaires on the physical and logical security audits of the automation network, in line with the good practices of ANSI / ISA-99, ISA-IEC 62443, NIST 800, are answered. -82 and ISOs 27001/27002. Visits to the client's facilities allow our consultants to identify the physical and logical security controls and countermeasures already in place on the networks, assessing, as far as possible, the conditions in which these controls are installed and their suitability for needs.
Dynamic Risk Analysis
- In this step, the automated collection of data packages from the automation network is done in TAP mode (non-intrusive). At the beginning of the dynamic analysis, the architecture of each automation network is analyzed and a plan is drawn up to grant visibility of traffic and threats coming from the Internet, as well as other perimeters such as borders with corporate networks, SCADA control systems, data center and process network. , as well as links with third parties and external VPN connections or regulatory authorities. The secure data collection is done through the connection with the X9 (equipment developed by TI Safe to automate the collection of data in industrial networks) on the mirrored port configured on the switch.
- Once collected, network data packets (PCAPs) are sent and analyzed in the TI Safe laboratory and the dynamic analysis report is issued. The Dynamic Analysis Report contains a set of data on the monitored network and is based on three main pillars: The first is visibility, that is, knowledge about which applications are being executed in the industrial network. The second is control, that is, what data travels through the automation network and its main vulnerabilities and threats? Finally, the third pillar is the detection of threats. Exist malware on the network? On which machines?
Preparation of the Risk Analysis Report
- The data collected by the static analysis are processed according to qualitative criteria, with qualitative probability and impact scales. For each set of threats / vulnerabilities, it is attributed, based on information collected in interviews with the local team, a probability of occurrence and an impact (depending on the consequences). In a complementary way, the data from the dynamic analysis are used for the verification and the generation of evidence of the information from the static analysis. The result of the union of the information from the static and dynamic analyzes is then consolidated in the Risk Analysis Report that will be delivered to the client, in Portuguese. It will serve as the basis for the elaboration of the Industrial Cybersecurity Planning (PSCI).