Cybersecurity Risk Management

Mastering the Fundamentals Using the NIST Cybersecurity Framework
by Cynthia Brumfield, 2021, 176 pages

Key Takeaways

1. Cybersecurity risk management is an ongoing process of identifying, assessing, and responding to threats

Cybersecurity risk management is simply looking at what could go wrong and then coming up with ways to minimize those problems.

Risk assessment framework. Organizations should implement a risk assessment framework to develop objective measurements of risk and better protect at-risk assets. This framework serves as a guide for determining what to assess, who needs to be involved, and the criteria for developing relative degrees of risk. Some widely used frameworks include OCTAVE from Carnegie Mellon University, NIST SP 800-30, and ISACA's RISK IT.

Prioritizing risks. Once vulnerabilities and threats are identified, organizations should focus on those that pose the highest risk to the most critical assets. This involves:

  • Determining the importance of assets (e.g., role in revenue generation, operational criticality)
  • Assessing the likelihood of successful attacks
  • Evaluating potential impacts (financial, reputational, operational)
  • Developing response plans for highest priority risks

Ongoing process. Risk management is not a one-time activity, but a continuous cycle of:

  1. Framing risk within organizational constraints and goals
  2. Assessing vulnerabilities, threats, and potential impacts
  3. Responding to identified risks through mitigation, transfer, avoidance, or acceptance
  4. Monitoring the effectiveness of controls and the changing risk landscape

2. Comprehensive asset management is the foundation of effective cybersecurity

You cannot defend what you don't know exists.

Asset inventory. Organizations must maintain a comprehensive and up-to-date inventory of all hardware and software assets. This inventory should include:

  • Traditional IT assets: Desktops, laptops, servers, mobile devices, printers, network equipment
  • IoT devices: Voice-activated assistants, connected industrial systems, smart appliances
  • Software: Operating systems, applications, databases, cloud services

Prioritization. Not all assets are equally critical. Organizations should develop criteria to rank assets based on:

  • Importance to business operations and revenue generation
  • Sensitivity of data processed or stored
  • Exposure to external threats
  • Cost and difficulty of replacement
  • Regulatory requirements

Continuous updates. Asset management is an ongoing process. Organizations should:

  • Use automated discovery tools to identify new devices on the network
  • Implement change management processes for software installations and updates
  • Regularly audit the asset inventory for accuracy
  • Remove or quarantine unauthorized assets promptly

3. Access control and identity management are critical for protecting systems and data

Access control is simply the process through which your organization ensures that an authenticated user gains access to only what they are authorized to access and nothing else.

Authentication vs. authorization. Authentication verifies a user's identity, while authorization determines what resources they can access. Multi-factor authentication (combining passwords with additional factors like biometrics or security tokens) provides stronger security than passwords alone.

Least privilege principle. Users should be granted only the minimum level of access necessary to perform their job functions. This minimizes the potential damage from compromised accounts. Key implementation steps include:

  • Defining clear roles and responsibilities
  • Regular access reviews and prompt revocation when no longer needed
  • Separation of duties for critical functions

Access control mechanisms:

  • Network segmentation to isolate sensitive systems
  • Role-based access control (RBAC) for consistent permission assignment
  • Privileged access management for administrative accounts
  • Single sign-on (SSO) to streamline authentication across multiple systems
  • Regular auditing of access logs to detect anomalies

4. Continuous monitoring and intrusion detection are essential for timely threat response

Periodic assessments are therefore not as efficient as continuous monitoring of systems and assets.

Establishing baselines. Before anomalies can be detected, organizations must determine what constitutes "normal" behavior for their systems and networks. This involves tracking attributes such as:

  • Typical network traffic patterns
  • Expected user behavior and access patterns
  • Standard application performance metrics
  • Usual system resource utilization

Intrusion detection systems (IDS). These tools analyze network traffic and system logs to identify potential security incidents. Key components include:

  • Network-based IDS to monitor traffic across the entire network
  • Host-based IDS to detect anomalies on individual systems
  • Security information and event management (SIEM) systems to aggregate and correlate data from multiple sources

Continuous monitoring strategies:

  • Deploy automated tools for real-time analysis of logs and network traffic
  • Implement vulnerability scanners to identify new weaknesses
  • Use threat intelligence feeds to stay informed about emerging threats
  • Establish clear thresholds and alerts for anomalous activity
  • Conduct regular penetration testing to validate security controls
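One way to turn the "establish a baseline, then alert on threshold breaches" guidance above into a concrete check, as an added example that is neither the book's nor the NIST Framework's own code: it learns per-user daily login counts from constructed historical audit-log lines, then flags any account whose login volume today exceeds the baseline mean plus K standard deviations, or that never appeared in the baseline window at all. The log line format, the sample data, and the K and MIN_DELTA thresholds are assumptions.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

K = 3.0        # alert when today's count exceeds baseline mean + K standard deviations
MIN_DELTA = 5  # ...but never for a rise smaller than this on a very quiet account
# Constructed sample lines (not from the book): 'YYYY-MM-DD HH:MM user event'
BASELINE_LOGS = """
2024-03-01 08:02 alice login
2024-03-01 08:05 bob login
2024-03-01 17:30 alice logout
2024-03-02 08:10 alice login
2024-03-02 09:00 alice login
2024-03-02 08:07 bob login
2024-03-03 08:01 alice login
2024-03-03 08:03 bob login
""".splitlines()
TODAY_LOGS = ["2024-03-04 08:00 alice login", "2024-03-04 08:04 alice login",
              "2024-03-04 03:15 mallory login"] + [
    f"2024-03-04 02:{m:02d} bob login" for m in range(40)]  # off-hours burst

def parse(lines):
    for line in lines:  # yield (date, user, event); blank lines are skipped
        if line.strip():
            date, _time, user, event = line.split()
            yield date, user, event

def daily_login_counts(lines):
    """Map user -> per-day login counts over the window (days with none count as 0)."""
    days, per_user = set(), defaultdict(Counter)
    for date, user, event in parse(lines):
        days.add(date)
        if event == "login":
            per_user[user][date] += 1
    return {u: [c[d] for d in sorted(days)] for u, c in per_user.items()}

def find_anomalies(baseline_lines, today_lines):
    """Return {user: reason} for accounts whose login volume breaks the baseline."""
    baseline = daily_login_counts(baseline_lines)
    today = Counter(u for _, u, e in parse(today_lines) if e == "login")
    alerts = {}
    for user, count in today.items():
        history = baseline.get(user)
        if history is None:  # no 'normal' exists for this account: surface it
            alerts[user] = f"{count} logins from an account absent from the baseline"
            continue
        mu, sigma = mean(history), pstdev(history)
        threshold = max(mu + K * sigma, mu + MIN_DELTA)
        if count > threshold:
            alerts[user] = f"{count} logins vs. threshold {threshold:.1f} (baseline mean {mu:.1f})"
    return alerts
```

With the constructed data, alice's two logins stay under her threshold, while bob's 40 off-hours logins and the previously unseen account mallory are both reported.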

5. Incident response planning is crucial for minimizing damage from cyberattacks

The ultimate goal of incident response is to limit damage and reduce recovery time and costs when an adverse cyber incident affects your organization.

Incident response team. Organizations should establish a cross-functional Computer Security Incident Response Team (CSIRT) including IT, legal, HR, and PR professionals. This team is responsible for coordinating the response to security incidents.

Incident response plan components:

  1. Preparation: Develop policies, procedures, and communication plans
  2. Detection and Analysis: Identify and assess the scope of incidents
  3. Containment: Limit the spread and impact of the attack
  4. Eradication: Remove the threat from affected systems
  5. Recovery: Restore normal operations and patch vulnerabilities
  6. Lessons Learned: Analyze the incident and improve future response

Communication is key. The incident response plan should clearly define:

  • Roles and responsibilities for all team members
  • Internal and external communication protocols
  • Criteria for escalating incidents to senior management
  • Procedures for engaging law enforcement or regulators if necessary

Regular tabletop exercises and simulations help ensure the team is prepared to execute the plan effectively when a real incident occurs.

6. Supply chain security requires vigilant management of third-party risks

These components combine to increase the complexity, diversity, and scale of the threats introduced into any organization's operations at any point in the supply chain ecosystem.

Identify and assess suppliers. Organizations must maintain an inventory of all suppliers and third-party partners, prioritizing them based on:

  • Criticality to business operations
  • Level of access to sensitive data or systems
  • Geographic and geopolitical factors
  • Financial stability and cybersecurity maturity

Contractual safeguards. Establish clear security requirements in vendor contracts, including:

  • Compliance with relevant industry standards and regulations
  • Regular security assessments and audits
  • Incident reporting and response procedures
  • Data handling and protection requirements
  • Right-to-audit clauses

Ongoing monitoring. Supply chain security is not a one-time effort. Organizations should:

  • Conduct regular risk assessments of key suppliers
  • Implement continuous monitoring of third-party access and activities
  • Require prompt notification of security incidents or significant changes in the supplier's environment
  • Collaboratively test incident response and recovery plans with critical vendors

7. Recovery planning ensures business continuity in the aftermath of a security incident

Recovery from a cybersecurity incident typically falls into three phases: Activation, Execution, and Reconstitution.

Business impact analysis. Identify critical business functions and supporting IT systems, determining:

  • Recovery Time Objectives (RTO): Maximum acceptable downtime
  • Recovery Point Objectives (RPO): Maximum acceptable data loss

Recovery strategies:

  • Data backups: Regular, tested, and stored securely off-site
  • Redundant systems: Hot sites or cloud-based failover options
  • Alternative communication channels
  • Manual workarounds for critical processes

Testing and maintenance. Recovery plans should be:

  • Regularly tested through tabletop exercises and full-scale simulations
  • Updated to reflect changes in technology, business processes, and the threat landscape
  • Integrated with overall business continuity planning

Post-incident analysis is crucial for improving future recovery efforts and addressing root causes of security incidents.

8. Manufacturing and industrial control systems face unique cybersecurity challenges

Unlike the main Framework, the Manufacturing Profile focuses heavily on operational technology used to run machines and equipment and manufacturing processes.

Operational technology (OT) vs. information technology (IT). Industrial control systems have different priorities and constraints compared to traditional IT systems:

  • Safety and reliability are paramount
  • Many systems have long lifecycles and cannot be easily patched
  • Downtime for security updates can be extremely costly

Key considerations for ICS security:

  • Network segmentation to isolate critical control systems
  • Strict change management processes
  • Enhanced physical security for control systems and field devices
  • Specialized intrusion detection for industrial protocols
  • Robust backup and recovery procedures for control system configurations

Risk-based approach. The NIST Manufacturing Profile provides guidance on prioritizing cybersecurity measures based on potential impacts to:

  • Human safety
  • Environmental safety
  • Product quality
  • Production goals
  • Protection of trade secrets

Organizations must balance cybersecurity with operational requirements, focusing on measures that address the most severe potential consequences.
