Fri Apr 8 06:49:41 PDT 2016

Risk Management: Risk definition: How should I define risk levels for ICS systems?


Options:

Option 1: Analyze risks in terms of financial numbers.
Option 2: Use a 3-level system with low, medium, and high risks defined based on consequences.
Option 3: Use a 4-level system with risk classes I, II, III, and IV per IEC 61508.
Option 4: Combine IEC 61508 with a 3-level system.
Option 5: Use a 10-level system rating risks from 1 to 10 based on consequences.
Option 6: Don't rate risks.
Option 7: Rate systems based on protection objectives.

Ten-level approach:

Risk level  Definition
10          Enterprise collapse, massive deaths, or massive destruction
9           .
8           .
7           .
6           .
5           .
4           .
3           .
2           .
1           Minimal or no identifiable consequence.
Ten-level risk approach

Three-level approach:

Risk level  Definition
High        Anything that can put the enterprise out of business, cause large-scale loss of shareholder value, cause significant damage to the environment, cause governmental agencies to stop doing business with you, cause loss of life, get officers thrown into jail, or result in other very serious negative consequences.
Medium      Anything that causes substantial negative publicity, substantial loss of business, losses in the range of 5% or more of annual revenues, legal difficulties for officers, workers, or others, things that interrupt production or cause quality control problems in important manufacturing systems, and other events that don't reach the level of high risk but are not in the low-risk range.
Low         Anything that is similar in consequence to a slip and fall accident, anything that normal business insurance standardly covers, and day-to-day office issues.
Three-level risk model

IEC 61508 approach:

Likelihood   Catastrophic  Critical  Marginal  Negligible
Frequent     I             I         I         II
Probable     I             I         II        III
Occasional   I             II        III       III
Remote       II            III       III       IV
Improbable   III           III       IV        IV
Incredible   IV            IV        IV        IV
IEC 61508 risk model

Where:

Frequent:= Many times in a system lifetime (>10^-3)
Probable:= Several times in a system lifetime (10^-3 to 10^-4)
Occasional:= Once in a system lifetime (10^-4 to 10^-5)
Remote:= Unlikely in a system lifetime (10^-5 to 10^-6)
Improbable:= Very unlikely to occur (10^-6 to 10^-7)
Incredible:= Cannot believe that it could occur (less than 10^-7)

And:

Catastrophic:= Multiple loss of life
Critical:= Loss of a single life
Marginal:= Major injuries to one or more persons
Negligible:= Minor injuries at worst

Requirements are:

Class I:= Unacceptable in any circumstance
Class II:= Undesirable. Tolerable only if risk reduction is impractical or costs are grossly disproportionate to the improvement gained
Class III:= Tolerable if the cost of risk reduction would exceed the improvement
Class IV:= Acceptable as it stands, though it may need to be monitored


Decision:

IF Specialized physically interacting systems (e.g., ICSs) are in use, THEN Combine IEC 61508 with a 3-level system.
OTHERWISE IF there is a highly advanced risk management program AND justification for ten different protection profiles AND ten different levels of countermeasures are well defined, THEN use a 10-level system rating risks from 1 to 10 based on consequences AND rate systems based on protection objectives,
OTHERWISE IF the protection program is capable of varying protection continuously AND everything of import to the enterprise is reconcilable in terms of money, THEN analyze everything in terms of financial numbers AND rate systems based on protection objectives,
OTHERWISE IF a small number of systems are involved OR all systems have roughly equivalent risks OR protection is not to be differentiated between enterprise systems, THEN don't rate risks,
OTHERWISE Use a 3-level system with low, medium, and high risks defined based on consequences AND rate systems based on protection objectives.

ALSO Fill in the following table to indicate areas rated as "High", "Medium", and "Low" risk for the purposes of security architecture analysis and reviews. Use the term "Risk" as a surrogate for these locations in this table where not otherwise clear.

                Low consequence   Medium consequence   High consequence
High threat     N/A               Medium / High        High
Medium threat   N/A               Medium               High / Medium
Low threat      Low               Medium / Low         N/A
Risk rating for review and analysis purposes

Basis:

Analyze risks in terms of financial numbers.

This approach typically uses probabilistic risk assessment (PRA) or a similar system to derive financial metrics that codify expected losses and event sequence probabilities so as to generate expected loss. Defensive measures are then applied to reduce expected loss. The problems with this approach are many, including high cost of the undertaking, inability to accurately codify everything in terms of numbers, difficulty with using probability distributions and confidence intervals instead of fixed numbers to mitigate the inaccuracies with fixed values, the sensitivity of defense selection to minor changes in values used in computations, and inability to list all event sequences of interest. In fact, even the losses associated with events after they take place are often hard to agree on to within several orders of magnitude.

Option 4 is problematic in that it fails to address the basic need to systematically address risks. The Sarbanes-Oxley Act mandates that all public companies undertake to understand and describe business risks internally and to their shareholders, and this notion is sweeping the world as a mandatory component of rational business management. Rational business owners and executives want to understand risks and deal with them prudently. But they cannot do that without gaining a clear understanding of the risks in business terms. For this reason, option 4 should not be used.

Use a 3-level system with low, medium, and high risks defined based on consequences.

Typical definitions are:

  • Low risk is defined as anything that is similar in consequence to a slip and fall accident, anything that normal business insurance standardly covers, and day-to-day office issues.
  • Medium risk is defined as anything that causes substantial negative publicity, substantial loss of business, losses in the range of 5% or more of annual revenues, legal difficulties for officers, workers, or others, things that interrupt production or cause quality control problems in important manufacturing systems, and other events that don't reach the level of high risk but are not in the low-risk range.
  • High risk is defined as anything that can put the enterprise out of business, cause large-scale loss of shareholder value, cause significant damage to the environment, cause governmental agencies to stop doing business with you, cause loss of life, get officers thrown into jail, or result in other very serious negative consequences.

This approach is advantageous because it is relatively simple and because it allows defined protection measures to be used for the different risk levels without undue complexity while reasonably addressing the basic needs. More detailed system-specific protection measures are also needed in many cases, but this is a good starting point.

Use a 4-level system with risk classes I, II, III, and IV per IEC 61508.

    Typical structure is:

    Likelihood   Catastrophic  Critical  Marginal  Negligible
    Frequent     I             I         I         II
    Probable     I             I         II        III
    Occasional   I             II        III       III
    Remote       II            III       III       IV
    Improbable   III           III       IV        IV
    Incredible   IV            IV        IV        IV
    IEC 61508 risk structure

    Where:

    Frequent:= Many times in a system lifetime (>10^-3)
    Probable:= Several times in a system lifetime (10^-3 to 10^-4)
    Occasional:= Once in a system lifetime (10^-4 to 10^-5)
    Remote:= Unlikely in a system lifetime (10^-5 to 10^-6)
    Improbable:= Very unlikely to occur (10^-6 to 10^-7)
    Incredible:= Cannot believe that it could occur (less than 10^-7)

    And:

    Catastrophic:= Multiple loss of life
    Critical:= Loss of a single life
    Marginal:= Major injuries to one or more persons
    Negligible:= Minor injuries at worst

    Requirements are:

    Class I:= Unacceptable in any circumstance
    Class II:= Undesirable. Tolerable only if risk reduction is impractical or costs are grossly disproportionate to the improvement gained
    Class III:= Tolerable if the cost of risk reduction would exceed the improvement
    Class IV:= Acceptable as it stands, though it may need to be monitored

Combine IEC 61508 with a 3-level system. In this approach, we augment the injury and loss-of-life aspects of the IEC 61508 approach with the other consequences identified in the 3-level approach, ignore Class IV of the IEC 61508 approach, and treat Class I as High, Class II as Medium, and Class III as Low risk.
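The combined model described above, as an added example that is not part of the original page: it encodes the page's IEC 61508 likelihood bands and risk matrix, maps Class I/II/III to High/Medium/Low and drops Class IV. The mapping of the 3-level business consequences (High/Medium/Low) onto the four IEC severity columns is an assumption made here, not something the page specifies.

```python
from typing import Optional

# IEC 61508 risk class matrix from the page: rows are likelihood terms,
# columns are severities in the order Catastrophic, Critical, Marginal, Negligible.
SEVERITIES = ["Catastrophic", "Critical", "Marginal", "Negligible"]
IEC_61508_MATRIX = {
    "Frequent":   ("I",   "I",   "I",   "II"),
    "Probable":   ("I",   "I",   "II",  "III"),
    "Occasional": ("I",   "II",  "III", "III"),
    "Remote":     ("II",  "III", "III", "IV"),
    "Improbable": ("III", "III", "IV",  "IV"),
    "Incredible": ("IV",  "IV",  "IV",  "IV"),
}

# Lower bound of each likelihood band, in events per system lifetime (from the page).
# A rate strictly above the bound falls in that band; 10^-3 exactly is "Probable".
LIKELIHOOD_BANDS = [
    ("Frequent", 1e-3), ("Probable", 1e-4), ("Occasional", 1e-5),
    ("Remote", 1e-6), ("Improbable", 1e-7), ("Incredible", 0.0),
]

# ASSUMED mapping of the page's 3-level business consequences onto IEC severities,
# so that non-safety consequences can be scored on the same matrix.
BUSINESS_TO_SEVERITY = {"High": "Catastrophic", "Medium": "Marginal", "Low": "Negligible"}

# Combined model from the page: Class IV is ignored (no rating).
CLASS_TO_RATING = {"I": "High", "II": "Medium", "III": "Low"}


def likelihood_from_rate(rate: float) -> str:
    """Map an expected event rate per system lifetime to an IEC 61508 likelihood term."""
    if rate < 0:
        raise ValueError("rate must be non-negative")
    for name, lower in LIKELIHOOD_BANDS:
        if rate > lower:
            return name
    return "Incredible"  # rate == 0 falls through the last band


def resolve_severity(term: str) -> str:
    """Accept either an IEC severity or a 3-level business consequence."""
    if term in SEVERITIES:
        return term
    return BUSINESS_TO_SEVERITY[term]  # KeyError for unknown terms is deliberate


def iec_class(likelihood: str, severity: str) -> str:
    """Look up the IEC 61508 risk class for a likelihood/severity pair."""
    return IEC_61508_MATRIX[likelihood][SEVERITIES.index(severity)]


def combined_rating(rate: float, consequence: str) -> Optional[str]:
    """High/Medium/Low per the combined model, or None when IEC gives Class IV."""
    cls = iec_class(likelihood_from_rate(rate), resolve_severity(consequence))
    return CLASS_TO_RATING.get(cls)
```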

Use a 10-level system rating risks from 1 to 10 based on consequences.

The 10-tier system, or other similar systems with large numbers of levels, presents advantages and disadvantages. The advantage is finer granularity of control and less bunching of wider ranges of things together. The disadvantage is complexity of understanding and management. For example, there are rarely well-codified procedural differences between tiers 6 and 7, different HR requirements, different legal requirements, and so forth. This means that some things change with tiers and some things don't, which makes the system harder to manage and operate. Systems also tend to move from tier to tier more often when there are finer differentiations, and people tend to argue over the subtle differences. Another major problem is that there aren't usually ten different levels of surety for protective approaches to any given issue, so the minor differences in the tiers don't result in substantial changes in how things are protected.

Don't rate risks.

While almost all standard approaches to protection call for rating risks, some situations do not require ratings, either because all systems are equivalent in all important ways, or because they are all treated as equivalent regardless of the specifics. While this leads to a non-optimal program in terms of balancing surety with risk, it is also very low cost and simple to do the same thing for all systems and content.

Rate systems based on protection objectives.

When rating risks in other ways, sub-ratings or definitions of protection requirements are typically also driven by the particular objectives of particular systems.

Copyright(c) Fred Cohen, 1988-2015 - All Rights Reserved