Process Security Risk Assessment
Introduction: Security Risk Assessment is a mandatory requirement of IEC 61511-1 Clause 8.2.4 and a requirement of the UK HSE Operational Guidance OG-0086, with respect to Major Accident Hazard, and aligns with the requirements of IEC 62443 and NIST SP 800-82. The assessment follows on from the System Under Consideration (SuC) audit and is a tool for determining the required security posture for the SuC. The outcome can be based on the Security levels, and associated counter measures in IEC 62443 or / and aligned to the control measures and cyber assessment framework in OG-0086.
Application: The purpose of this Process Security Risk Assessment is to understand the Health, Safety, Environmental, Asset and Reputation impact in the event that availability, integrity or confidentiality of the System under Consideration (SuC) is compromised and provide a baseline or unmitigated risk level with respect to cyber security threats. The output from the assessment should provide information that will:
1. Identify the SuC, the security boundaries and potential access points.
2. Utilise the outputs from previous risk assessments, i.e., QRA, HAZID, HAZOP and identify worse-case impacts within the SuC that can be compared to a calibrated risk matrix to establish a preliminary security level (SL) target for the SuC.
3. Identify how rigorous the risk treatment countermeasures must be to protect against varying levels of threat actors, e.g., an actor with knowledge of the SuC environments and moderate resources.
4. Gain a high-level understanding of the worst-case risk the SuC presents should it be compromised/exploited to assist in prioritisation of the detailed risk assessment and the effective grouping of assets when establishing zone and conduits and their security levels.
The SRA identifies the security gaps and compares the current achieved security posture, with respect to the SuC, with HSE operational guidance OG86 and provides recommendations for the purpose of mitigating SuC cyber security risks related to cyber security threats and vulnerabilities to achieve compliance with OG86 and IEC 62443-3-3.
The security gaps identified in conjunction with the target security levels identified will help decide what counter measures are required to reduce the risk to As Low As Reasonably Practicable (ALARP).
The treatment of the risk can be managed by taking one of the accepted four risk management actions:
· Accept,
· Avoid,
· Transfer, or
· Mitigate the risk.
Any counter measures must take a defence-in-depth approach to defending against risks, making the defences much more rigorous and the risk treatment more reliable.
To achieve and maintain this, a risk management process should be implemented to ensure the ongoing management of counter measures and the assessment of security threats.
It should be noted that the key objective of the SRA is not to treat the risk to either a tolerable level or ALARP level, but rather gain an understanding of what level of risk cyber threats pose to the SuC and prioritise the risks so that the highest risks can be treated first. This will be achieved by examining the identified risks in detail during a Detailed IEC 62443 security risk assessment.
Services: ProSalus has assisted a number of our clients in carrying out Security Risk Assessments and system audits.