“Security Risk Assessment Guide for Industrial Control Systems (ICS)” (hereinafter, the “Guide”) focuses primarily on developing a correct understanding of security risk analysis and on explaining methodologies, including the specific procedures used to prepare risk assessment sheets. Therefore, due to space limitations, we have kept the explanatory notes focused on examples of asset-based risk assessment sheets for certain system assets, and business impact-based risk assessment sheets covering attack scenarios and attack trees for certain business impacts.
In this separate volume, we describe the implementation of asset-based risk analysis and business impact-based risk analysis for typical model systems. The three main objectives of this are as follows.
(1) Present an overall picture of risk analysis and analysis results
Concerns about the increase in man-hours and in the number of outputs required are key factors in why risk analysis in detailed risk assessment is often shied away from. Here, we present an overall picture of the man-hours required and the extent to which analysis outputs are prepared when actually conducting risk analysis on a model system. In doing so, we hope to present risk analysis as something that is “not as bad as it looks”, providing a practical look at implementing risk analysis by understanding the specific procedures involved, using assessment materials (threats, measures, the correspondence charts for such, assessment sheet formats, etc.), and methods for refining analysis targets.
(2) Provide overall materials by presenting the results of a risk assessment sheet
We hope to reduce the man-hours required for risk analysis by providing the results of a risk assessment sheet for a typical model control system as materials for reuse and customization, where possible, when conducting system analysis in your own organization.
(3) Introduction to variations in compiling risk assessment sheets
In business impact-based risk analysis, the risk assessment sheet could potentially be compiled in various ways based on the complexity of the analysis target model and the intended purpose for using the risk analysis results. We hope the specific examples of such variations provided can serve as a reference for choosing the optimal method for compiling the risk assessment sheet when performing risk analysis on target systems in your own organization.
We hope that this separate volume helps provide a clear picture of the total number of man-hours required for, and the outputs (interim and final work deliverables) produced from, risk analysis in detailed risk assessment, and aids a large number of businesses with control systems in taking the first step toward conducting risk analysis in detailed risk assessment.