Team development, charter, reference and documentation
ICS Cyber Security Risk Management
Knowing the risk of an asset is like knowing ourselves before going into battle. The SWOT-style security posture of the ICS environment can only be determined properly once the risk posture is understood, and this is why we need ICS Cyber Security Risk Assessment & Management.
The ICS Cyber Security Risk Assessment milestones consist of 4 core segments, as described in the following list:
The Controls Catalog, also known as the Risk Register, serves as the RA reference for any follow-up action. The responsible party for each action item should be defined and must understand the job at hand. Review and revise the Controls Catalog (Risk Register) as required whenever the system is changed or upgraded (in line with the RA review). Since the Controls Catalog (Risk Register) is the reference point produced by the risk assessment workshop, it also drives the strategic planning that covers future implementation work to close the gap findings and to ensure the risk level is brought to, and maintained at, the ALARP level.
Implementation of the Controls Catalog (Risk Register) action items as agreed by the Risk Assessment team. The sustainability phase covers the periodic review of the risk assessment (with a frequency that depends on the level of risk), stewardship of the implementation and continuous improvement of the system in place. The RA periodic review is scheduled according to the risk category (high, medium, low, etc.). An unplanned review can be performed if any crucial change is made to the system or an incident occurs. The owner and custodian should understand and be aware of the system's risk status and its Controls Catalog (Risk Register).
The Critical Steps
Please keep in mind that managing risk in an ICS environment is not a "one man show". It is purely team work. Recruiting the proper personnel to join the Risk Assessment team is a crucial part, and running a proper Risk Assessment Workshop is equally critical. The result of the RA workshop, in the form of the Risk Register (Controls Catalog), will be the basic reference for the next activity of ICS Cyber Security assurance.
Keep The Pace
Don't Get Loose
The agreed risk as stated in the Risk Assessment result is the basis for implementing the Controls Catalog (Risk Register) and the other proposed security controls that bring the risk down to the ALARP level. Don't get loose in the sustainability phase: stewardship and periodic review of the Controls Catalog (Risk Register) will be the window through which performance is managed.