The meeting focused on practical approaches to risk assessment in industrial control systems (ICS), featuring a recap of theoretical concepts, standards, and a step-by-step demonstration of risk calculation using a simplified use case.
Attendees included Manju and Shiva, who facilitated the discussion and answered audience questions, with significant live engagement from participants.
Key takeaways included methodology prerequisites, the importance of accurate asset inventories, use of open-source vulnerability resources, and the process for achieving acceptable risk levels.
Announcements were made regarding upcoming OT Security Huddle sessions and new formats involving industry and academia experts.
Action Items
(No specific dates given – Manju & Shiva): Share the sample Excel sheet and related resources from the session with attendees.
(Next session – Shiva & Manju): Prepare content on calculating Security Level Targets (SLT) per IEC 62443 3-2/3-3.
(Future session – Shiva & Manju): Plan and schedule sessions on network segmentation, asset inventory management, OT security policies, and patch management as requested by attendees.
(Future session – Shiva & Manju): Share existing checklist and insights for cybersecurity points during Factory Acceptance Testing (FAT).
(Continuous – All): Encourage participants to suggest future topics and continue sharing insights via LinkedIn and YouTube channels.
Recap of Risk Assessment Methodology and Standards
The importance of risk assessment in ICS arises from potential safety, operational, and financial impacts due to cyber threats.
Risk assessment is ongoing, driven by evolving vulnerabilities and attacker tactics, and is guided by several standards: ISO 31000:2018, NIST SP 800-30, ISO 27005, and IEC 62443 3-2/3-3.
The risk formula used was Risk = Threat x Vulnerability x Consequence, with the result typically scored against a matrix to categorize risk levels.
Initial steps include defining the system under consideration, creating a comprehensive asset inventory (hardware, software, people, compliance factors), and collecting architecture/network diagrams and risk metrics.
The methodology involves identifying threats with resources like the MITRE ATT&CK framework, assessing vulnerabilities via tools and public advisories, and determining unmitigated and mitigated risks before deciding risk responses (accept, mitigate, transfer, or discard).
Practical Walkthrough of Risk Assessment Process
The risk assessment was demonstrated on a simplified plant architecture (level 0 devices, PLC, HMI) and followed the IEC 62443 3-2 methodology.
Steps covered: asset inventory creation, risk matrix application, working example with an HMI station and Windows XP vulnerabilities, and calculation of unmitigated/mitigated risks.
Emphasized the collaborative nature of risk assessment workshops involving all stakeholders (operations, safety, IT, vendors, etc.), with the risk assessor acting as a neutral facilitator.
Recommendations included the need for OT-specific security policies, regular asset inventory and vulnerability updates, and context-aware risk evaluation.
Tools, Resources, and Recommendations
Highlighted use of publicly available vulnerability databases (e.g., ICS Advisory Project, CISA, NVD) and the importance of matching vulnerability data to current system patch levels.
Discussed automated versus manual asset inventory processes and the role of both in maintaining accurate vulnerability awareness.
Open source and commercial tools (e.g., Claroty, Nozomi) were mentioned for vulnerability identification, with a caution about database freshness.
Recommendations for risk mitigation included technical controls (e.g., disabling USB ports, antivirus, system isolation), policy enforcement, and careful planning of system upgrades due to operational dependencies.
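The unmitigated-to-mitigated calculation from the walkthrough can be sketched as follows. This is an added example, not the session's Excel sheet: the 1-5 scales, the band limits, the tolerable level, the HMI scores and the effect assigned to each control are all constructed assumptions.

```python
from dataclasses import dataclass, replace

# Constructed 1-5 scales and band limits; a real assessment takes both
# from the organisation's own risk matrix.
BANDS = [(12, "low"), (36, "medium"), (75, "high"), (125, "critical")]
ORDER = [label for _, label in BANDS]
TOLERABLE = "medium"  # assumed tolerable level

@dataclass(frozen=True)
class Scenario:
    asset: str
    threat: int
    vulnerability: int
    consequence: int

@dataclass(frozen=True)
class Control:
    name: str
    factor: str      # which factor the control lowers
    reduction: int   # assumed effect, as agreed in the workshop

def risk(s: Scenario) -> int:
    """Risk = Threat x Vulnerability x Consequence, each on the 1-5 scale."""
    factors = (s.threat, s.vulnerability, s.consequence)
    if any(not 1 <= f <= 5 for f in factors):
        raise ValueError(f"{s.asset}: factor outside the 1-5 scale")
    return s.threat * s.vulnerability * s.consequence

def band(score: int) -> str:
    return next(label for limit, label in BANDS if score <= limit)

def tolerable(s: Scenario) -> bool:
    return ORDER.index(band(risk(s))) <= ORDER.index(TOLERABLE)

def mitigate(s: Scenario, controls: list[Control]):
    """Apply controls in order until the risk is tolerable.
    Returns (residual scenario, controls applied, tolerable?)."""
    applied = []
    for c in controls:
        if tolerable(s):
            break
        lowered = max(1, getattr(s, c.factor) - c.reduction)  # floor at 1
        s = replace(s, **{c.factor: lowered})
        applied.append(c.name)
    return s, applied, tolerable(s)

# Constructed scores for the HMI station running Windows XP.
HMI = Scenario("HMI station (Windows XP)", threat=4, vulnerability=5, consequence=4)
CONTROLS = [Control("disable USB ports", "threat", 2),
            Control("antivirus", "vulnerability", 1),
            Control("system isolation", "threat", 1)]
```

With these assumed scores the unmitigated risk is 80 (critical); the first two controls bring it to 32 (medium), so the third is not needed to reach the tolerable level.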
Audience Engagement and Upcoming Topics
High attendee engagement with questions and suggestions for future session topics, including network segmentation, checklists for cybersecurity in FAT, and patch management.
Upcoming sessions to focus on calculating Security Level Targets (SLT) and featuring industry/academic guest talks to share practical experiences.
Decisions
Next session topic will be Security Level Target (SLT) calculation based on IEC 62443 3-2/3-3 — prompted by current session's scope and audience interest.
Future OT Security Huddle Talks will include industry and academic guest speakers — to provide broader perspectives and experience sharing.
Open Questions / Follow-Ups
How best to manage and update asset inventories (manual vs. automated, active vs. passive scanning) for ongoing risk assessment—suggested as a future discussion topic.
Handling upgrade risks for end-of-life operating systems in legacy environments; guidance and case studies requested.
Preparation of standardized cybersecurity checklists for Factory Acceptance Testing (FAT) as requested by attendees.
Further walkthroughs on integrating frameworks like MITRE ATT&CK into ICS risk assessments.
Consideration of impact evaluation methods and corporate risk matrix customization across industry sectors.