...control system. So today we will be doing a bit of a recap of what we discussed last time, and then we will be taking a use case to understand how, practically, we can achieve the risk assessment in an industrial control system. Okay, so let's begin with the discussion then. You know me, you know Manjul, and at the onset I will again take the opportunity to thank Manjul for joining me in this discussion and bringing these wonderful topics to discuss with the people who are there online.

Before we begin, a bit of a disclaimer: whatever we are doing does not mean that we are representing the organizations that we are working with. This is the outcome of personal interest and we want to share the knowledge with people, and if there is any error, omission or misunderstanding, that may be corrected accordingly.

So the agenda of the session: we will be doing a brief recap of huddle two, then we'll quickly see why we need this risk assessment, we'll also see the standards that are available, and finally we'll go into the practical risk assessment mode where we will be discussing the prerequisites, the workflow of the events, and the use cases.

Okay, so last huddle we discussed that the requirement and the understanding of risk is very important for industrial control systems, which is majorly because of three big reasons. First, industrial control systems have big safety impacts: if you see any big attack on industrial control systems, whether it's Stuxnet, whether it's BlackEnergy, whether it's Triton/Trisis, they had some impact on the physical side of the world as well as the production side of the world. The second big important part is that operational disruption could happen when something goes wrong, so that's why we need to understand the risk that could arise because of cyber security issues. And third and final, both of them will sum up as the financial risk. So we really need to understand these issues in our environment.

The importance of risk assessment is driven from the vulnerabilities that exist in our environment. Since security is not a one-time event, any OEM who is supplying the industrial control system, they do it proactively or because of regulation: they do release the new threats and risks arising out of the new vulnerabilities that are discovered, and we really need to do the risk assessment of our environment continuously to understand these risks which exist there. Also, since attackers are always ahead of the defender, they will come up with newer and newer threat landscapes, and we really need to understand what could be the new threats which are there in our environment. And finally, the consequences which sum up through these vulnerabilities and threats that we have in our environment.

The process of risk assessment basically involves identifying the system under consideration; then we need to identify the threats through certain modeling; finally we need to do the risk assessment through some tools and some online available resources. We'll be discussing them today as well, and we will also be giving you some links to the online available open source tools. Then the outcome of this is the impact that we need to understand.

If we look at the standards side, there are four major standards that are generally used in cyber security risk assessment. The first one is the ISO standard 31000:2018 version, then we have NIST Special Publication 800-30, the other one is from the 27k series of standards, 27005, and last but not least the industrial control system specific standard, 62443-3-2. Today's discussion is mostly driven from the process that is described in the assessment method that is given in that standard.

After this, we discussed last time that the formula for risk is threat times vulnerability times consequence, and we can utilize a matrix to calculate this. If we are using a five-by-five matrix then we can divide it into different sub-segments like medium, medium low, medium high, high and very high, something like that, and we'll be utilizing a matrix like this in today's discussion.

Immediately after this is the one slide that I wanted to discuss before we get into the practical aspect: a little bit of theory with an example. We know now that the risk is basically a product of threat times vulnerability times consequence. If we have an example like a general assembly area in a car manufacturing plant which is using an industrial automation and control system, there could be threats like USB devices, and these devices can actually cause malware infection or system malfunction, and this could become a bigger threat for the manufacturing organization. Since generally these areas are open and there might not be any physical control available, they are vulnerable to this kind of threat, and the consequence generally is the non-availability of resources. So if I have to calculate the risk out of this information, I first need to identify what my threat category, the threat score, is on the scale of 0 to 5. If I assess that generally these plants are open, the assessment might say that my threat score is three; then my vulnerability, since there is no control available, could be four; and consequence, since it's impacting my operation, would be again four. If I multiply with the risk formula then it will become 3 multiplied by 4 multiplied by 4, which is 48, and 48 out of 125, which could be the highest score, tells me that this kind of risk is really high and I need to take some mitigation measure to fix this. So this is just the theory and a recap of the last episode that we have done.

Now I will start with today's session. For today's session we have kept the prerequisites for a risk assessment, and after this we will be doing a deep dive of an architecture that we have prepared specifically for this session. So before that, Manjul, would you like to add on the last
week's things and then maybe take up today's discussion?

Thanks for arranging this session. Really, sometimes I think what people are expecting when they hear about OT security, the first thing that comes to mind is the risk assessment. So when we had a discussion on which topic we need to address, I think this is one of the interesting ones, and I think so many people have asked me as well how to conduct the risk assessment. I think we are in the right place to discuss these things openly. We will be using some of the publicly available documents to share our knowledge as well, because these experiences might differ: I might be working on different projects, which might be from oil and gas or petrochemicals, maybe you are working in water and wastewater, so each and every sector will have its own risk. When we talk about threat vectors, the threat vectors and the vulnerabilities vary from sector to sector, so each organization will adopt different risk methodologies, and as you rightly mentioned there are various standards there in the market. When it comes to asset owners, most of the time people use NIST 800-30, or even ISO sometimes, and this IEC 62443, right.

So today, before jumping in, we would like to mention that whatever material we are sharing here in the public domain is only for educational purposes; this is not for commercial use, just keep that in mind. Yeah, let's straight away jump into today's risk assessment. Shiv, would you like to start with the prerequisites, like how we need to start?

Yeah, so as I mentioned, we will be following the IEC 62443-3-2 methodology, and before we begin we need to gather some documents and some information about the system that we are going to assess. The first of them is the system under consideration. In the previous example that I discussed just now, the general assembly automation system was the one that we considered the system under consideration. Similarly, whenever you are doing a risk assessment, the first thing that we should ask is what system we are doing the risk assessment for. If I take the same automotive example again, there could be a general assembly area, there could be an engine manufacturing area, there could be a chassis manufacturing area, there could be a paint shop, there could be an electrical shop, and any number of shops could be there. So whenever we are doing the risk assessment we need to first define which area we are targeting, because generally each of these shops is coming from one vendor or the other and they might have their own system, their own protocol, their own applications running in that area. So it is very important to understand that system first and then define the boundaries for this.

The system under consideration might involve the asset inventory: which assets are there. The asset inventory should not only be the hardware; it should include the software assets, it should include the applications, it should also include the critical people who are there in the area, and it should include the compliance-related requirements like licensing of the applications, all that kind of information as well. There are any number of things that we can do with the asset inventory itself. Each of the plants would have its own format and template of the asset inventory, but for today's discussion we have prepared a basic asset inventory which has some information available, and this could include the asset ID, asset name, the make and model of the asset itself, which protocol I am using it for, what the configuration is like (whether it's running standalone, whether it is running in a redundant manner), and also who is the owner of that particular asset; this could be the manager who is managing the particular shop floor in the plant.

Then we also need the system architecture, how all these systems are connecting, and finally the network diagrams, which would show how these assets are communicating. Why these two are different: the system architecture will tell you the block-level diagram of how this overall architecture is, whereas the network-level diagram will tell you the details like which asset has what IP and what layer of the Purdue model they are aligned to. Then we need the risk matrix. Each organization would have its own matrix; if it is not available then you can use the standard risk matrix which is given in the 3-2 standard, or the one that we showed in the last discussion as well as the previous slide. And since industrial control systems have a safety element in them, the process hazard analysis is very important. Like if it's the paint shop, we really need to know what chemical would be there and how we are releasing it into the environment; if there are any gases, they are also available in a plant which is processing chemical things. All those things need to be understood, because the system that is controlling the release of these substances is controlled by a cyber system, and if there is any risk to that system there could be a compliance issue, there could be an environmental issue and there could be safety issues.

Then the next is gathering the threat information, and there could be n number of resources to gather this. One best source that is available is the MITRE ATT&CK framework; it basically enumerates the threats in terms of the hacker groups who have attacked these infrastructures and the methodology that they have used to attack that particular infrastructure. And finally, once we have the list, the asset inventory, then we will also be gathering the vulnerability information about these assets. This vulnerability assessment could be either through a full-fledged assessment that we can do in the network, or there are some open source tools available through which we can just search that particular make and model and find out the vulnerabilities that exist in these assets.

So that would be the prerequisites, and the workflow of the discussion is: we'll be doing the calculation of the initial risk through the formula threat times vulnerability times consequence, then we'll put some countermeasures and recalculate the mitigated risk. The outcome of this for an organization could be either doing some additional countermeasures to arrive at the risk which is acceptable to them, or just saying okay, the already calculated mitigated risk is acceptable to them; sometimes they would just say okay, this is not applicable to us and discard it; and last but not least is the transferring of the risk through either buying cyber insurance or putting it to a vendor or a third party. So that's how the risk assessment flow generally works. Immediately after this is a sample architecture that we have prepared. Before that, Manjul, would you like to add something on this methodology?

Yes, thank you. I think this gives a clear picture here. For any risk methodology, whether you take qualitative or quantitative, more or less the same methodology will be used, I mean the workflow. In the prerequisites we try to include only the relevant, important documents that we need to refer to, as Shiv rightly mentioned about what documents we need to collect, right: the system architecture, network diagram, or even sometimes data flow diagrams, also policies and procedures. Sometimes we have seen that there will be an IT security policy in the organization, but we have not seen much of OT security policies, so one good thing is that we can recommend to the customer, or it is good to have, the OT security policy as a separate one. So these things we need to
keep in mind whenever we conduct the risk assessment. Also you can visit the site and have a questionnaire based on your organization, based on the risk methodology. So there are many things available; there are various methodologies, and typically each organization will have their own different methodologies. But apart from that, the workflow as we rightly mentioned here: usually we calculate the initial risk, threat into vulnerability into consequence, which we will go through now with the practical approach, and also if there are any existing countermeasures available when we calculate the unmitigated risk, then we will come to know. Then we can take a decision. Usually whoever is doing the risk assessment only recommends the solution or the action to be taken, but it is up to the asset owner or the system owner to decide whether to accept the risk or reject the risk or transfer the risk, so it is purely depending on them. Don't think that the risk assessment is finalized; one thing is for sure, that it also has to be adopted for any change management. I mean, tomorrow you are going to add new PLCs or new hardware, new software, so it's better to conduct the risk assessment at that level also. So also keep this in mind. Yeah, I would like to add these points. Thanks.

Yeah, thanks Manjul, thanks for adding that. So now I will share this simple architecture that we have prepared for you; meanwhile you can also share your screen as well. Okay, so this is a very simple architecture that we have kept for today. It has level zero devices, a bunch of them: one of them is a flow meter that is reading the flow of liquid, and then there is a flow valve that will take action on whether to open or close the system. This is all controlled through a PLC, and the PLC is then giving situational awareness through the HMI that is connected at layer 2. We are keeping it very simple for today's discussion since it's a very beginner-level understanding of risk assessment, and it is very, very important that we start light; later on the same model can be replicated on bigger systems as well. And just a heads up that immediately after this session we have planned the next session, which would be arriving at the security level target according to IEC 62443-3-2 and 3-3, and there we might use an architecture which is a superset of this architecture, including layer 3 and 3.5 devices as well. Yeah, so this is where we start. I'll hand over to you now so that you can share these documents related to this diagram.

Sure. Hope everyone can see my screen as well. Okay, I hope it is visible. Yeah, please pardon me on that. So we have shown what the workflow is that we need to consider, right. Before that, we have taken the 3-2 risk assessment methodology, and I would like to highlight the workflow as per 3-2. This is a publicly available document from the IEC and ISA website; this is as per the detailed-level risk assessment, you can see here. What it says is: first, when you start, you have to identify the threats and vulnerabilities and the consequence, because we know that when we calculate risk it is nothing but threat into vulnerability into consequence. Then you have to determine the unmitigated likelihood, I mean what could be the likelihood based on the risk matrix that we will show you; then ultimately it will come to the risk. Then determine the SL-T, target security level. It varies from organization to organization and zone by zone, but we will not go deep into this because this is a very big topic, how to derive SL-T; for SL-T we have planned the next session, the next security huddle, on this particular topic. Then for any organization there will be a tolerable risk, okay; even for our example we have taken the tolerable risk as 5 just for an example, but it varies from organization to organization. Then we will check: so we will arrive at this number, right, some risk number will be there, and we will be verifying whether it is greater than 5 or less than five. If it is greater than 5 then we have to check if any existing countermeasures are available immediately to use. If there are, then again we will evaluate the risk; ultimately, if you have existing countermeasures, definitely the risk will be reduced. And then finally determine the residual risk, because risks cannot be eliminated completely; some risk will be available even after some recommendations. So finally we will document and communicate the result to the asset owner.

So here an important point: I think someone asked whether the safety team must join in a risk assessment. As Shiv has already answered that question, yes, definitely. I will tell you how the risk assessment process happens. So when you are assigned to conduct the risk assessment, who will evaluate, I mean who is the assessor? Okay, for example, now I am the asset owner; you guys are from a consulting company, for example, anybody, or probably he's from a consulting company. Then what I'll do is, I will give him the corporate risk matrix if it is there; otherwise I will ask the consulting company to prepare their own risk matrix based on their experience. So it is up to him to complete the risk assessment for my assets. So now the risk matrix is available and he is the facilitator who conducts the risk assessment. But when we provide the number, for example (anyway I will show that when it comes to the numbering, the risk numbering), when we say no, for example, it is not up to one stakeholder; I mean the risk facilitator has to consider everyone. He needs to include everyone in the discussion: for example, from the operations team, from the safety team, even from the maintenance team, even from the IT security team, some managers, operations managers, everyone has to be included, even vendors, I mean third-party vendors also have to be included, because in any asset owner's plant we have seen multiple vendors: DCS, PLCs, HMI workstations and OPC servers will be there and a SCADA system will be there. So whenever we conduct a risk assessment, all the parties are to be included, and then we will come to our conclusion point where, okay, we agree on one rating based on the risk matrix. Then finally we will check if there are any countermeasures. So initially the risk assessor will prepare, and then he will conduct a workshop along with the asset owner's people. What happens there is he will collect all the information, and when we present this Excel sheet to them, then it is up to the customer whether to accept or not, because based on the criticality of the asset also it will vary: for us maybe the critical one is the SIS system, but for them maybe something else; even a PLC for them is critical, which for us we might consider non-critical. So it varies; it is up to the asset owner to finalize, I mean, the rating. Once it is done we will collect all the information together and then we will submit it as a report.

So now, if you see the workflow, first we will gather all the information. Now I have the simple architecture. Here we have created a very simple asset inventory. It is not necessary that all these headings should be there; you can change these names. What we have included is a very simple asset inventory: it should
have hardware, software and even the virtual environment; if you have virtual machines you can include those as well. So basically we have included asset name, asset type, asset ID, make, model, version, software, firmware. Why it is important to have all this information is to find the vulnerabilities in the public domain. Exactly, yes, the risk assessment also has to be shared with the incident response team, that is true, that is correct.

Now, for example, we have taken that PLC: name, asset type is hardware, and this is self-explanatory, I am not going to read it. So these are the information that are available here; I have listed them from the system architecture, and sometimes the asset owner also will have the same architecture, right. So here we have even listed down which software is available, like Windows XP or WinCC software, and which version we are using, what is the version of the software and firmware, and if we have any IP address, MAC address, which protocol we are using and if we find any open ports. So from the logical and even network diagram, if we have it, we can collect all the information related to the network IP addresses, which will be really helpful. Also we need to review the configuration logs and syslog files, and even you can collect the pcap file and run it through your vulnerability assessment tools like Claroty, or even you can run it through Nozomi, and also a Nessus scan you can do. So these are some of the tools which you can use, based on your organization. Once we are done with this, okay.

Also I would like to highlight one point. Somebody asked whether we can use threat modeling in a rapid risk assessment to determine potential architecture risk. Yes, definitely we can use threat modeling, because usually threat modeling takes a lot of time, but if you have ready-made templates for the threat modeling then definitely you go for it, you implement it. Because most of the threat modeling that we have seen is not apt for the OT environment, I mean if you have already developed threat modeling tools for OT assets like PLCs, DCS. What we have seen from the STRIDE model is some of the threat modeling which has IT-related stuff, like web-based, like that; but when it comes to OT, it's better to go with some kind of ready-made tools which can easily calculate, I mean find, the vulnerabilities on individual assets. Okay.

First, now we have completed the asset inventory. Then this is some of the, I'm not going to read everything; so the matrix will be given, for example, by the organization; even we have taken this matrix from the 3-2 standard. Here, likelihood, you can see what are the exact ones, you can read it out, so I'll keep it for some minutes. Here the safety and environment impact, what could be the financial impact and what is the reputation impact, based on the severity, I mean the likelihood of the occurrence of the events, based on trivial, minor, moderate, major and critical. So based on this we will conduct the risk assessment.

So now let us start. I will take one example now; let us go with the HMI station, okay. So I will just start writing it so it will be easy for you to see it. While you write, yes, I noticed that the fonts are small for the online audience, so maybe what we can do is put this sample, later maybe, exactly, I'll just zoom in, possibly as a link so that they can access it. Yeah, exactly, we will share it with them.

Okay, so let us consider the asset as the HMI station, okay. So what would be the threat action? It may allow attackers to take access, right, so the attacker may enter the system through all the vulnerabilities in the system. Okay, so what kind of vulnerability do we know? For example, okay, so this is, one second, not this. The threat action could be: insert USB into HMI station with maybe sophisticated malware. Then what could be the vulnerability: this HMI station in the control room, USB ports are not blocked. This is the vulnerability. Okay, we are taking a very simple example, but for everything we will share it with you later. Or maybe disabled; okay, not disabled, I mean ports are not blocked or disabled, and also no antivirus; this is the normal vulnerability. And the consequence will be denial of service, effect on the operating system, attack on the HMI station, and what happens is when this DoS attack happens it can spread to all the servers, even it can spread to all the OSes in the system, to all the stations in the system; for example, all these are connected to the control network, right, so it may spread to all the other systems as well.

Now coming to the risk rating, right. So basically, based on this risk matrix we will consider, for example, if I am the attacker and I have access to this HMI station, what could be the impact for safety? I would say for me it is trivial, and then for economy also I would say trivial, or I would say for financial maybe minor, then reputation probably it is moderate, for example. Then the maximum is moderate; moderate is number three. This also can be automated, for example. So now what is the unmitigated threat likelihood here, right? So you can see that the maximum rating is three, and also, probably I will say if someone has this USB inserted into the HMI station, probably the unmitigated threat likelihood could be likely for me, because it will happen. Then you can see that the risk has become 15 and the target security level two. But how we arrived at this: we did some formula calculation; actually some of our friends have helped us to automate this, even this template we are using from our previous trainings, but we thank all of them who have automated this Excel file just for this OT security huddle as well, we would like to thank them. And then you can see the risk is on the higher level; so we can see that now it's at 15. I mean, we know that it is likely to happen because of this. So you may ask: now I have selected trivial, minor, moderate, I mean based on this number, right, trivial, moderate, but who will decide this? So this is where your experience comes in, I mean based on your experience of the OT and security domain. You might ask, suppose you want to change it to minor, because tomorrow even in the workshop the customer will say that okay, for me the economic impact will be minor, or maybe they will say major, then you can decide. So exactly, this is based on the experience and also the workshop where we conduct the risk assessment workshop; this is where this numbering will happen, I mean trivial or minor or moderate.

Just wanted to add here: yes, as you mentioned, this is very important here that whenever we do a risk assessment we bring all the people who are responsible from the departments. So we need people from operations, we need people from safety, we need people from the IT side of the world, the OT side of the world, security teams, physical security, operations, everyone. This is the part where we decide okay, what will be the impact; the most discussion would happen here, and it is very important that the risk assessor who is facilitating this risk assessment should take a neutral stance and only facilitate there. He
does not need to give his perspective at that moment in time, right. It is upon the people who are owners of the asset and the operations; they will understand what could be the real impact. If they have any history already available, incidents already available, they might have some knowledge captured there. So most of the time when I have done this, this is the most discussed topic: some of the people, let's say the OEM side of people who are responsible for maintenance, would say no, the impact is not that much, whereas the operations people would also like to downgrade the impact as such, because their focus is not to complicate things but to keep the plant running. So we need to bring out the perspective, that is very important, but not to influence the decision as such.

Yeah, thanks for adding that, Shiv. Now this SL-T is automatically calculated from the CRRF, that is the cyber risk reduction factor. How it is calculated is: it is calculated from the unmitigated risk divided by the tolerable risk, and this tolerable risk is defined by the organization. Anyway, for this calculation, in the next session, in the public OT security huddle, we will be talking about, taking a detailed step on how to arrive at this number; as of now we have automated this. So now, once we arrive at the unmitigated threat likelihood, I mean the risk has been calculated as 15.

Now based on the risk matrix, when we say countermeasure, definitely we will have some policy and procedure about disabling this, so we need to follow that, and also let us say application whitelisting is in place; suppose if it is not there, that is fine, this is just for information, okay. Here we have put the unmitigated threat likelihood, UTL, as likely, but if we have this existing countermeasure then it is probably unlikely. Then what is the recommendation that you give? Definitely you will say that you disable unused USB ports, I mean through GPO, registry, many things, right, etc. Also what you can do is maybe relocate the HMI station, for example, to the server room where you will have a physical lock and only the authorized person will have the access, right; not everyone will have access to the server room. That's also one. And then install antivirus, and then probably even maybe stricter enforcement of your policy as well, because many times we have policies but they are not known to the employees. So ultimately we arrive at the last stage: suppose if all these recommendations have been considered, definitely the achieved threat likelihood will be very rare; not rare, I mean improbable, I would say. So you can say that ultimately my risk has reduced to three; initially it was 15 unmitigated, now with the achieved threat likelihood it has become three, right, based on the calculation. So ultimately we need to reduce the risk to less than the tolerable risk, okay. So this is what we have achieved basically.

So the same workflow goes with the others; for example, based on the asset inventory, even the HMI station might have multiple vulnerabilities, so we need to consider each point. Here we have considered only one threat action, like vulnerabilities; probably you might have heard, for example if you take Windows 10, Windows XP, there will be lakhs of vulnerabilities; you can find them in the NVD. So it is not necessary to put everything, only whichever is applicable. Specifically when we talk about DCS or PLCs, there might be fewer vulnerabilities compared to normal OSes, so we can consider which are very critical, then we can put those; even minor also we can put, but ultimately it is up to the risk assessor how we need to consider.

So now, for example, let us take: we know that here we are using Windows XP in the asset inventory, and everybody knows the Windows software. What could be the threat action: maybe he or she can access the overall system by exploiting the vulnerabilities. What is the vulnerability? We are already aware that Windows XP has been stopped, right, because of multiple vulnerabilities; I will just type short forms. So it can be exploited, yeah. Then the consequence will definitely be: the attacker might exploit these vulnerabilities and access the complete system. So if this complete system is available to him then definitely it has the higher risk, right, because this is the major bug in the system. So I will say that it would be moderate for all the systems; let us say maybe the reputation damage could go major, then maximum probably five, and then definitely this one would be possible, right. Then you can see that the risk has gone to three and the target security level to be achieved is three, and definitely there is no countermeasure; like you have to isolate the system, but I cannot isolate the system, so there is no existing countermeasure, then definitely the mitigated will be three. And then what you can say is either the quick measure is to isolate the system, or finally the recommendation is to upgrade Windows XP to Windows 10 or the latest Windows level. So then you can say it could be rare; improbable, it's not. Yeah, you can say probably, if all the system hardening, everything took place; but also you need to consider the hardware compatibility of this Windows machine as well. So in that case you can say probably it is rare; I can only update with certain SPs which have some vulnerabilities. It is up to the customer again, but ultimately you should convey that the risk has to be reduced to less than the tolerable risk.

So we have seen this; now with that Excel sheet, what we have achieved: now if you start reading this workflow you will understand easily what we have done. So this is a simple example that we took. Now if you read this as per 3-2, you will easily understand that this is what we did, right: we have identified the threats and vulnerabilities and determined the consequence impact based on the risk matrix, and finally we arrived at the unmitigated cyber risk, and the SL-T also we have automatically calculated, but it again depends. So here if you see the unmitigated risk exceeds the tolerable risk, so in our case it was, now then again we will check whether existing countermeasures are there; if yes then we will list them out, then again we will re-evaluate the mitigated threat likelihood, and finally we will come to our conclusion: this is what, after the recommendation, if it is implemented, we will arrive at as the final figure. So ultimately we have to reduce the risk; that is what our risk assessment says. And also from this, what advantage the customer will get is they will understand which are the assets that have the higher risk based on this. For example, here ultimately, even after this, oh okay, so even if we know that the
mitigated threat likelihood he will take it and then all these risk you know based on this ratings you can achieve as criticality or you know whether it is very high or high so depending on the numbering and they can decide which uh you know which recommendation to take first in place so this is what uh you know we have come to our conclusion uh Shiva would you like to add thing few things here yes absolutely you know first of all when you're not very well and simple way that you have used to explain it generally uh the discussions are more complicated than the way and it clearly shows the experience that you bring here so uh thanks for that one important perspective there is I would also like to discuss let's say yeah we have the asset inventing and like an employee who is working in the organization he wants to do the resistance and he does not have the Olympic assessment report so let's say he has the asset inventory available and now he wants to know the um vulnerability that do exist for that particular asset without any risk assessment connecting to the network so what tool would you suggest to uh get the list of vulnerabilities and the list of threats uh for that particular system or that particular plant which is maybe a electric utility maybe a manufacturing plant and uh we'll get there in a bit but before that I would also like to add one important Point here is why we need the asset inventory and why we need the current asset inventory is very important you know sometime back to mentioned that if we have Windows XP then it might have a one lakh vulnerabilities which is available already but at the same time we really need to update the vulnerability that what version of Windows XPR we using and what is the current patch level of the this particular OS with this we will be negating the vulnerabilities which are not applicable to our system and we only need to focus the availability which are applicable to reach while I'm saying so it's a kind of 
counterintuitive, because anything related to Windows XP is already vulnerable, so you need not bother which vulnerability I should consider; everything from SMB to n number of remote code execution vulnerabilities exists in Windows. But this holds true for other operating systems as well: we really need to keep updating the vulnerability information every time we do the patching, every time we do the update of the system, and it needs to be there in the asset inventory as well. There are n number of tools that can be used for either an automated way of doing the asset inventory update or maybe some manual asset inventory update as well. This asset inventory topic itself may require a separate huddle discussion as well, because it is generally asked a lot which is the right way to keep the asset inventory updated: whether I should do an automated asset inventory, whether I should do a manual asset inventory, should I use an active way to scan the network, should I use a passive way to scan the network to get the asset inventory. These questions could be a good discussion point. So while we move forward to identifying the vulnerabilities, I will also request the people who are online to put their suggestions for the topics that they want us to cover in the coming huddles.

Yes. So for finding vulnerabilities we have a lot of places now. One such useful tool that I have used in recent times is the ICS Advisory Project. What they did is: usually whenever there is an update from the CISA website, for example ICS-CERT, if you search in Google the first thing is the cybersecurity alerts and advisories; if you go to News and Events and click on Cybersecurity Alerts and Advisories, here you will get all the vulnerabilities related to the ICS products, I mean not the common ones. Even we have the NVD, even the same thing, because even the National Vulnerability Database also will be updated, but all these organizations work together to release the CVE numbers and the vulnerability list. So why the ICS Advisory Project is such a good tool is because you can search: for example, now we know in our asset inventory that a Siemens PLC is there, and I want to go and check the S7-1200. So for example I will search for vendor, let us say Siemens, then I will select Siemens only, and then say S7-1200. So now it lists them down; for example, if you click on this then I have all the information available with me. There will be many; I need to select the range, then it will give more alerts, but I'm just giving an example. Once you go here it clearly says what are the affected products, the impact, the vulnerability characterization. The good thing is it is directing to the original vulnerability disclosure, like the CISA website, which will have all the mitigation plans as well. So you can just bookmark this. Not only this, you can choose, for example, ABB; let me take ABB, so I will say ABB, and you can even download this as an Excel file as well. For example I will just go to, what is it, OPC server; I will just click on this. Now it has gone to the CISA page, where it says what is the CVSS score, vendor, equipment, vulnerability list. Same thing: if you want you just bookmark this, and also you can subscribe to this, so whenever there is a vulnerability you will get the alert. For example, see today: "CISA's VDP platform annual report showcases success", and six industrial control system advisories. So what are those? Each will have its own number; then when you click on this again you will get the details, which vendor, which vulnerability. So for example, based on your asset inventory, it's not necessary that we will be using this only while conducting the risk assessment. Suppose you are working in a plant and you need some information; then you can straight away visit the ICS Advisory Project, search for your product, or maybe subscribe to this. So this is what I felt most of the time we'll be using. Even some automated tools are there, like Claroty, Nozomi, Dragos, Waterfall, and all these have threat intelligence, but these are paid ones, and these are vulnerabilities you can find easily if you want. Also there are some open source tools, like OT pcap analyzers: if you have the pcap file, just put it in and it will process it. The only problem with these open source ones is that the latest information might not be available; you need to update the system regularly. Otherwise, these are the websites which are really helpful on the OT side. Shiva, would you like to add a few things, or maybe we can take some questions in between?

So we are already close to 53 minutes; we have seven minutes. Maybe I'll see if there are a few questions. There are many questions, and I think people are even responding to those questions; shout out to the people who are contributing there. We are really fulfilling the objective here. I would really like to thank the people who are answering the questions and engaging in the discussion here, so a big shout out to them. So we have a question from Hustle: how do we consider impact and likelihood ratings, and the arithmetic as well? I see a couple of people have already answered this. This is where the experience of the risk assessor comes into the picture to guide them. This is also a subjective matter, as well as there could be some guidelines available; you can refer to the MITRE ATT&CK framework, and maybe next session we will give you a walkthrough of the ATT&CK Navigator, which could also be helpful
in understanding what kind of impact these particular threats could have if they get materialized. But would you like to add something here, Manju, on this nature of identifying the likelihood and impact?

Yeah, again, it depends on the corporate risk metrics as well, and also on the infrastructure. Even though it is subjective, if you have the corporate risk matrix, the impact and likelihood ratings vary. I mean, for example, if I consider a wind farm, probably the rating I consider in the risk matrix may not be the same as in oil and gas or petrochemical. So again it varies. I would like to add that we can talk about this particular subject itself for one OT security huddle.

Yeah, maybe offline we can share our learnings through the LinkedIn platform. Yeah, absolutely. So I am also flashing one of the comments that Ruchir has put up there; it's a very good comment that we can also consider TTPs added into this assessment exercise, and TTPs are really helpful to understand the techniques that are being used by the attackers or the malicious actors. Maybe in the coming sessions I would really like to give a walkthrough of these techniques, which are really helpful to drive your threat model for a particular industry or a plant. Thanks, Ruchir, for putting that up into the discussion. Then we have some submissions that we can keep the next huddle on network segmentation. Surely, Gobind, we will consider that, but since we have already booked the next one for calculating the security level target, maybe immediately after that this can be a good candidate for discussing the network segmentation part. Also there is one more suggestion by Debopam Mukherjee: it will be helpful if there is a session on preparation of a checklist of cybersecurity points for FAT. A very tricky one, but yeah, I will try to share something on that one as well. I had already shared some insight on this particular topic maybe last year itself, so maybe I'll pin this up on the Huddle page once more, because that post was really helpful and I got a really good response from the people on that one. Then there is one more comment by Amit: sometimes the system owner puts the wrong risk level, like backup/restore you can put moderate, but in SIS it will be high risk or mortality. So these are some really wonderful engagements, things that people are discussing. Maybe I'll quickly scroll down to some more comments. Gaurav is asking about the recording; the recording is already available on the Huddle YouTube channel, you can use that, and also it will be available for rewatch on LinkedIn as well. Then there are a couple more comments. Zulfiqar has mentioned we also have to consider the impact of upgrading the end-of-life Windows. Absolutely, yeah, we need to consider what will be the impact if we are upgrading the systems which are critical in the environment, and I know n number of examples like this. One example that I give is: four years ago I visited a plant and they were running one of their systems on Windows 98, and they tried to upgrade it to Windows ME and the system was malfunctioning, so they had to go back to Windows 98. So we really need to consider what will be the impact of upgrading the system as well, and that's where the specific standard that is part of 62443, which is 2-3, has given the guidelines for patch management. Even that could also be a good topic for a huddle, maybe sometime. So then we majorly have comments; I would not be able to flash them all, but I would like to thank all the people who have spared their time and joined this huddle. This is the motivation for us, that people are engaging here and giving their suggestions, their comments, engaging in discussion, and we would really like to see more of such engagement moving forward, and that's the reason we are coming up with some different formats of discussions as well, and one of them would be bringing in people from industry and academia. We are starting it very soon, maybe in one or two weeks' time; we will be starting something called OT Security Huddle Talks, where people from the industry will be discussing their experiences, sharing their insight on how they built up their cybersecurity programs and how to succeed in getting the buy-in from management sometimes, or maybe researching on the product security side. So I'm really excited about this one as well and looking forward to really organizing this new format of OT Security Huddle discussions. Apart from this, the next Huddle, four, would be there for calculating the security level target, and then the topics that you suggested we may take into the coming discussions as well. So at the end I would like to thank you, Manju, again for joining today and sparing your time not only for the discussion but also spending some time with me in preparing for this discussion. As a closing note, would you like to add something?

Yeah, I just would like to say it's good to see people are commenting and sharing their insight also, so this also helps us, I mean as a speaker; we are also in the learning process, so we learn from you guys as well. So thanks for joining and thanks for arranging this session, and really, I know in the background how much hard work we are putting in, so it's great to see that.

Thank you. It has all succeeded when I'm seeing already the really good engagement and enthusiasm from the people, so thanks to the people and thanks to you, Manju. With this we are right on time; we just finished one hour now. So thanks again, thank you everyone, do subscribe to our channel and follow OT Security Huddle. If you really want to watch the sessions again you can follow the YouTube streams, and then maybe they could be helpful in your day-to-day work as well. Thanks, thank you, bye bye, have a nice weekend.
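The risk-matrix workflow walked through in the session (unmitigated threat likelihood, existing countermeasures, recommendations, achieved likelihood, each compared with the tolerable risk), as an added worked example that is not part of the transcript or the speakers' Excel sheet. The 1 to 5 scales and labels, the tolerable risk of 4 and the criticality buckets are assumptions, and the two scenarios are constructed after the USB and Windows XP examples discussed above.

```python
"""Added worked example (not the speakers' spreadsheet): the unmitigated ->
mitigated -> achieved risk workflow from the session on a 5x5 risk matrix.
Scales, labels, tolerable risk and criticality buckets are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

LIKELIHOOD = {"improbable": 1, "rare": 2, "unlikely": 3, "possible": 4, "likely": 5}
CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}
TOLERABLE_RISK = 4  # assumed corporate tolerable risk on the 5x5 matrix


@dataclass
class ThreatScenario:
    asset: str
    threat: str
    vulnerability: str
    consequences: Dict[str, str]  # worst case per category (safety, production, ...)
    unmitigated_likelihood: str  # UTL: nothing in place
    existing_countermeasures: List[str] = field(default_factory=list)
    mitigated_likelihood: Optional[str] = None  # MTL: with existing countermeasures
    recommendations: List[str] = field(default_factory=list)
    achieved_likelihood: Optional[str] = None  # ATL: after recommendations


def risk_score(likelihood: str, consequences: Dict[str, str]) -> int:
    """Risk = threat likelihood x consequence; the most severe category drives the column."""
    return LIKELIHOOD[likelihood] * max(CONSEQUENCE[c] for c in consequences.values())


def criticality(score: int) -> str:
    """Bucket a matrix score so the customer can prioritise which recommendation goes first."""
    return "very high" if score >= 15 else "high" if score >= 10 else "medium" if score >= 5 else "low"


def assess(s: ThreatScenario) -> Dict[str, dict]:
    """Score the three stages against the tolerable risk. A stage with no new likelihood
    (e.g. no existing countermeasures, as in the Windows XP case) keeps the previous one."""
    utl = s.unmitigated_likelihood
    mtl = s.mitigated_likelihood or utl
    atl = s.achieved_likelihood or mtl
    result = {}
    for stage, lik in (("unmitigated", utl), ("mitigated", mtl), ("achieved", atl)):
        score = risk_score(lik, s.consequences)
        result[stage] = {"likelihood": lik, "risk": score, "criticality": criticality(score),
                         "within_tolerable": score <= TOLERABLE_RISK}
    return result


# Constructed scenarios that follow the two examples walked through in the session.
HMI_USB = ThreatScenario(
    asset="HMI station", threat="Malware introduced through an unused USB port",
    vulnerability="USB ports enabled, no application whitelisting",
    consequences={"safety": "moderate", "production": "moderate", "reputation": "moderate"},
    unmitigated_likelihood="likely", existing_countermeasures=["Removable-media policy"],
    mitigated_likelihood="unlikely", achieved_likelihood="improbable",
    recommendations=["Disable unused USB ports (GPO/registry)", "Relocate HMI to locked server room",
                     "Install antivirus", "Stricter policy enforcement"])
XP_HMI = ThreatScenario(
    asset="HMI station (Windows XP)", threat="Exploit unpatched OS to take over the whole system",
    vulnerability="Windows XP out of support, known vulnerabilities unpatched",
    consequences={"safety": "major", "production": "catastrophic", "reputation": "major"},
    unmitigated_likelihood="possible", achieved_likelihood="rare",  # no existing countermeasure
    recommendations=["Upgrade to Windows 10 (check hardware compatibility first)"])
```

Running `assess(HMI_USB)` reproduces the 15 to 3 reduction from the session, while `assess(XP_HMI)` ends at 10 after the upgrade, still above the assumed tolerable risk, which is the "it is up to the customer" situation the speakers describe.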