Fri Apr 8 06:49:41 PDT 2016
Risk Management: Risk definition: How should I define risk levels for ICS systems?
Options:
Option 1: Analyze risks in terms of financial numbers.
Option 2: Use a 3-level system with low, medium, and high risks defined based on consequences.
Option 3: Use a 4-level system with risk classes I, II, III, and IV per IEC 61508.
Option 4: Combine IEC 61508 with a 3-level system.
Option 5: Use a 10-level system rating risks from 1 to 10 based on consequences.
Option 6: Don't rate risks.
Option 7: Rate systems based on protection objectives.
Ten-level approach:
Risk level | Definition |
10 | Enterprise collapse, massive deaths, or massive destruction |
9 | . |
8 | . |
7 | . |
6 | . |
5 | . |
4 | . |
3 | . |
2 | . |
1 | Minimal or no identifiable consequence. |
Ten-level risk approach
Three-level approach:
Risk level | Definition |
High | Anything that can put the enterprise out of business, cause large-scale loss of shareholder value, cause significant damage to the environment, cause governmental agencies to stop doing business with you, cause loss of life, get officers thrown into jail, or result in other very serious negative consequences. |
Medium | Anything that causes substantial negative publicity, substantial loss of business, losses in the range of 5% or more of annual revenues, legal difficulties for officers, workers, or others, things that interrupt production or cause quality control problems in important manufacturing systems, and other events that don't reach the level of high risk but are not in the low-risk range. |
Low | Anything that is similar in consequence to a slip and fall accident, anything that normal business insurance standardly covers, and day-to-day office issues. |
Three-level risk model
IEC 61508 approach:
Likelihood | Catastrophic | Critical | Marginal | Negligible |
Frequent | I | I | I | II |
Probable | I | I | II | III |
Occasional | I | II | III | III |
Remote | II | III | III | IV |
Improbable | III | III | IV | IV |
Incredible | IV | IV | IV | IV |
IEC 61508 risk model
Where:
Frequent:= Many times in a system lifetime (>10^-3)
Probable:= Several times in a system lifetime (10^-3 to 10^-4)
Occasional:= Once in a system lifetime (10^-4 to 10^-5)
Remote:= Unlikely in a system lifetime (10^-5 to 10^-6)
Improbable:= Very unlikely to occur (10^-6 to 10^-7)
Incredible:= Cannot believe that it could occur (less than 10^-7)
And:
Catastrophic:= Multiple loss of life
Critical:= Loss of a single life
Marginal:= Major injuries to one or more persons
Negligible:= Minor injuries at worst
Requirements are:
Class I:= Unacceptable in any circumstance
Class II:= Undesirable. Tolerable only if risk reduction is impractical or costs are grossly disproportionate to the improvement gained
Class III:= Tolerable if the cost of risk reduction would exceed the improvement
Class IV:= Acceptable as it stands, though it may need to be monitored
Decision:
IF Specialized physically interacting systems (e.g., ICSs) are in use, THEN Combine IEC 61508 with a 3-level system.
OTHERWISE IF there is a highly advanced risk management program AND justification for ten different protection profiles AND ten different levels of countermeasures are well defined, THEN use a 10-level system rating risks from 1 to 10 based on consequences AND rate systems based on protection objectives,
OTHERWISE IF the protection program is capable of varying protection continuously AND everything of import to the enterprise is reconcilable in terms of money, THEN analyze everything in terms of financial numbers AND rate systems based on protection objectives,
OTHERWISE IF a small number of systems are involved OR all systems have roughly equivalent risks OR protection is not to be differentiated between enterprise systems, THEN don't rate risks,
OTHERWISE Use a 3-level system with low, medium, and high risks defined based on consequences AND rate systems based on protection objectives.
ALSO Fill in the following table to indicate
areas rated as "High", "Medium", and "Low" risk for the purposes of
security architecture analysis and reviews. Use the term "Risk" as a
surrogate for these locations in this table where not otherwise clear.
| Low consequence | Medium consequence | High consequence |
High threat | N/A | Medium / High | High |
Medium threat | N/A | Medium | High / Medium |
Low threat | Low | Medium / Low | N/A |
Risk rating for review and analysis purposes
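The decision chain and the review-rating table above, as an added Python example that is not part of the original page: the class and function names (EnterpriseProfile, choose_options, review_rating) are assumptions introduced here, the rule order follows the IF/OTHERWISE IF chain exactly, the returned numbers are the option numbers from the list at the top of the page, and the N/A cells of the table are carried through unchanged because the page does not define them.

```python
from dataclasses import dataclass

# Constructed example, not part of the original page: the ordered rule chain
# of the Decision section and the review-rating table, encoded as data.
# All class and function names are assumptions introduced here.

@dataclass(frozen=True)
class EnterpriseProfile:
    """Answers to the questions the decision rules ask, in the page's own terms."""
    ics_in_use: bool = False                 # specialized physically interacting systems
    advanced_risk_program: bool = False
    ten_profiles_justified: bool = False
    ten_countermeasure_levels: bool = False  # ten levels of countermeasures well defined
    continuous_protection: bool = False      # protection can vary continuously
    all_reconcilable_in_money: bool = False
    few_systems: bool = False
    equivalent_risks: bool = False
    undifferentiated_protection: bool = False


def choose_options(p: EnterpriseProfile) -> tuple:
    """First matching IF/OTHERWISE IF rule wins; numbers are the page's option numbers."""
    if p.ics_in_use:
        return (4,)                      # combine IEC 61508 with a 3-level system
    if p.advanced_risk_program and p.ten_profiles_justified and p.ten_countermeasure_levels:
        return (5, 7)                    # 10-level system plus protection objectives
    if p.continuous_protection and p.all_reconcilable_in_money:
        return (1, 7)                    # financial analysis plus protection objectives
    if p.few_systems or p.equivalent_risks or p.undifferentiated_protection:
        return (6,)                      # don't rate risks
    return (2, 7)                        # 3-level system plus protection objectives


# Threat level x consequence level -> review rating, copied from the table.
# "N/A" cells are carried through unchanged; the page does not define them.
REVIEW_RATING = {
    "High":   {"Low": "N/A", "Medium": "Medium / High", "High": "High"},
    "Medium": {"Low": "N/A", "Medium": "Medium",        "High": "High / Medium"},
    "Low":    {"Low": "Low", "Medium": "Medium / Low",  "High": "N/A"},
}


def review_rating(threat: str, consequence: str) -> str:
    """Look up the rating used for security architecture analysis and reviews."""
    t, c = threat.capitalize(), consequence.capitalize()
    try:
        return REVIEW_RATING[t][c]
    except KeyError:
        raise ValueError(f"unknown threat/consequence level: {threat!r}/{consequence!r}") from None


if __name__ == "__main__":
    # A plant with ICSs and an advanced risk program: the ICS rule fires first.
    plant = EnterpriseProfile(ics_in_use=True, advanced_risk_program=True)
    print(choose_options(plant))            # (4,)
    print(review_rating("medium", "high"))  # High / Medium
```

Because the rules are evaluated in order, an enterprise that satisfies several of them still gets a single answer; the profile object makes every premise of the chain explicit, so a reviewer can see which facts drove the outcome.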
Basis:
Analyze risks in terms of financial numbers.
This approach typically uses probabilistic risk assessment (PRA)
or a similar system to derive financial metrics that codify expected
losses and event sequence probabilities so as to generate expected
loss. Defensive measures are then applied to reduce expected loss. The
problems with this approach are many, including high cost of the
undertaking, inability to accurately codify everything in terms of
numbers, difficulty with using probability distributions and
confidence intervals instead of fixed numbers to mitigate the
inaccuracies with fixed values, the sensitivity of defense selection
to minor changes in values used in computations, and inability to list
all event sequences of interest. In fact, even the losses associated
with events after they take place are often hard to agree on to within
several orders of magnitude.
Option 4 is problematic in that it fails to address the basic need
to systematically address risks. The Sarbanes-Oxley Act mandates that
all public companies undertake to understand and describe business
risks internally and to their shareholders, and this notion is
sweeping the world as a mandatory component of rational business
management. Rational business owners and executives want to understand
risks and deal with them prudently. But they cannot do that without
gaining a clear understanding of the risks in business terms. For this
reason, option 4 should not be used.
Use a 3-level system with low, medium, and high risks defined based on consequences.
Typical definitions are:
- Low risk is defined as anything that is similar in
consequence to a slip and fall accident, anything that normal business
insurance standardly covers, and day-to-day office issues.
- Medium risk is defined as anything that causes substantial
negative publicity, substantial loss of business, losses in the range
of 5% or more of annual revenues, legal difficulties for officers,
workers, or others, things that interrupt production or cause quality
control problems in important manufacturing systems, and other events
that don't reach the level of high risk but are not in the low-risk
range.
- High risk is defined as anything that can put the
enterprise out of business, cause large-scale loss of shareholder
value, cause significant damage to the environment, cause governmental
agencies to stop doing business with you, cause loss of life, get
officers thrown into jail, or result in other very serious negative
consequences.
This approach is advantageous because it is relatively simple and
because it allows defined protection measures to be used for the
different risk levels without undue complexity while reasonably
addressing the basic needs. More detailed system-specific protection
measures are also needed in many cases, but this is a good starting
point.
Use a 4-level system with risk classes I, II, III, and IV per IEC 61508
Typical structure is:
Likelihood | Catastrophic | Critical | Marginal | Negligible |
Frequent | I | I | I | II |
Probable | I | I | II | III |
Occasional | I | II | III | III |
Remote | II | III | III | IV |
Improbable | III | III | IV | IV |
Incredible | IV | IV | IV | IV |
IEC 61508 risk structure
Where:
Frequent:= Many times in a system lifetime (>10^-3)
Probable:= Several times in a system lifetime (10^-3 to 10^-4)
Occasional:= Once in a system lifetime (10^-4 to 10^-5)
Remote:= Unlikely in a system lifetime (10^-5 to 10^-6)
Improbable:= Very unlikely to occur (10^-6 to 10^-7)
Incredible:= Cannot believe that it could occur (less than 10^-7)
And:
Catastrophic:= Multiple loss of life
Critical:= Loss of a single life
Marginal:= Major injuries to one or more persons
Negligible:= Minor injuries at worst
Requirements are:
Class I:= Unacceptable in any circumstance
Class II:= Undesirable. Tolerable only if risk reduction is impractical or costs are grossly disproportionate to the improvement gained
Class III:= Tolerable if the cost of risk reduction would exceed the improvement
Class IV:= Acceptable as it stands, though it may need to be monitored
Combine IEC 61508 with a 3-level system. In this approach,
we augment the injury and loss of life aspects of the IEC 61508
approach with the other consequences identified in the 3-level
approach, ignore Class IV of the IEC 61508 approach, and treat
Class I as High, Class II as Medium, and Class III as Low risk.
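The IEC 61508-style matrix and the combination rule just described, as an added Python example that is not part of the original page: the likelihood bands, the matrix cells and the class requirements are copied from the text above; the function names (likelihood_band, risk_class, combined_level, overall_level) are assumptions introduced here, as are two details the page leaves open and the comments flag: which band a value exactly on a boundary falls into, and that the business consequences of the 3-level approach are combined with the safety-derived level by taking the more severe of the two.

```python
from typing import Optional

# Constructed example, not part of the original page: the IEC 61508-style
# matrix, likelihood bands and class requirements reproduced above, plus the
# combination rule from the text. Function names are assumptions.

LIKELIHOODS = ("Frequent", "Probable", "Occasional", "Remote", "Improbable", "Incredible")
SEVERITIES = ("Catastrophic", "Critical", "Marginal", "Negligible")

# Rows follow LIKELIHOODS, columns follow SEVERITIES; values are the risk classes.
MATRIX = (
    ("I",   "I",   "I",   "II"),
    ("I",   "I",   "II",  "III"),
    ("I",   "II",  "III", "III"),
    ("II",  "III", "III", "IV"),
    ("III", "III", "IV",  "IV"),
    ("IV",  "IV",  "IV",  "IV"),
)

REQUIREMENT = {
    "I":   "Unacceptable in any circumstance",
    "II":  "Undesirable; tolerable only if risk reduction is impractical or costs are grossly disproportionate",
    "III": "Tolerable if the cost of risk reduction would exceed the improvement",
    "IV":  "Acceptable as it stands, though it may need to be monitored",
}


def likelihood_band(rate: float) -> str:
    """Map a numeric likelihood to the page's bands (>10^-3, 10^-3 to 10^-4, ...,
    <10^-7). The page does not say which band owns a value exactly on a boundary;
    assumption made here: a boundary value falls in the less likely band."""
    for name, floor in (("Frequent", 1e-3), ("Probable", 1e-4), ("Occasional", 1e-5),
                        ("Remote", 1e-6), ("Improbable", 1e-7)):
        if rate > floor:
            return name
    return "Incredible"


def risk_class(likelihood: str, severity: str) -> str:
    """Matrix lookup; unknown names raise ValueError from tuple.index."""
    return MATRIX[LIKELIHOODS.index(likelihood)][SEVERITIES.index(severity)]


def combined_level(likelihood: str, severity: str) -> Optional[str]:
    """Combined approach: Class I -> High, II -> Medium, III -> Low; Class IV is
    ignored, which this function signals with None."""
    return {"I": "High", "II": "Medium", "III": "Low"}.get(risk_class(likelihood, severity))


LEVEL_ORDER = {"Low": 1, "Medium": 2, "High": 3}


def overall_level(safety_level: Optional[str], business_level: str) -> str:
    """Augment the safety-derived level with the business consequences rated on the
    3-level scale. Taking the more severe of the two is an assumption; the page says
    the consequences are combined but not how conflicts resolve."""
    candidates = [business_level] + ([safety_level] if safety_level else [])
    return max(candidates, key=LEVEL_ORDER.__getitem__)


if __name__ == "__main__":
    # Constructed scenario: an estimated 5e-5 likelihood of an event that could
    # cost one life, in a process whose business consequence alone rates Medium.
    band = likelihood_band(5e-5)                  # Occasional
    cls = risk_class(band, "Critical")            # II
    print(band, cls, REQUIREMENT[cls])
    print(combined_level(band, "Critical"))       # Medium
    print(overall_level(combined_level(band, "Critical"), "Medium"))  # Medium
```

Keeping the matrix as data rather than nested conditionals means a site-specific calibration of the matrix (a different cell assignment agreed by the safety authority) changes one table and nothing else, and the assumptions the page leaves open are confined to two documented functions.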
Use a 10-level system rating risks from 1 to 10 based on consequences.
The 10-tier system, or other similar systems with large numbers of
levels, present advantages and disadvantages. The advantage is finer
granularity of control and less bunching of wider ranges of things
together. The disadvantage is complexity of understanding and
management. For example, there are rarely well codified procedural
differences between tiers 6 and 7, different HR requirements,
different legal requirements, and so forth. This means that some
things change with tiers and some things don't, which makes the system
harder to manage and operate. Systems also tend to move from tier to
tier more often when there are finer differentiations and people tend
to argue over the subtle differences. Another major problem is that
there aren't usually ten different levels of surety for protective
approaches to any given issue, so the minor differences in the tiers
don't result in substantial changes in how things are protected.
Don't rate risks.
While almost all standard approaches to protection call for rating
risks, some situations do not require ratings, either because all
systems are equivalent in all important ways, or because they are all
treated as equivalent regardless of the specifics. While this leads to
a non-optimal program in terms of balancing surety with risk, it is
also very low cost and simple to do the same thing for all systems and
content.
Rate systems based on protection objectives.
When rating risks in other ways, sub-ratings or definitions of
protection requirements are typically also driven by the particular
objectives of particular systems.
Copyright(c) Fred Cohen, 1988-2015 - All Rights Reserved