
Lifecycle Solutions & Services

The Four-Step Guide to Understanding Cyber Risk
Identifying Cyber Risks and Addressing the Cyber Security Gap

2015 Honeywell International Inc. All Rights Reserved.

The Four-Step Guide to Understanding Cyber Risk

TABLE OF CONTENTS

Introduction: A Real Danger
In the Firing Line
The Cyber Arms Race
Assessing the Risk
Step 1: Knowing Your Vulnerabilities
Step 2: Identifying Threats
Step 3: Measuring Consequences - The Final Piece
Step 4: Bringing it Together - Measuring Risk
More About Cyber Security


Introduction: A Real Danger


It is estimated that cyber risk costs the global economy up to $400 billion a year, maybe even more. For industrial control systems (ICSs), however, the risks are even more acute.

A successful attack is among the major risks worrying the U.S. government. As Michael Rogers, commander of U.S. Cyber Command, testified to the U.S. House of Representatives Intelligence Committee: "We have seen instances where we are observing intrusions into industrial control systems. What concerns us is that access... can be used by nation states, groups or individuals to take down [their] capability," he said. ICSs are "a growth area of vulnerability," he added. "It's among the things that concern me the most."

A poll of 1,642 experts by the Pew Research Center shows 61% predict a major cyber attack will cause widespread harm to a nation's security and capacity to defend itself and its people in the next ten years. "By widespread harm we mean significant loss of life or property losses/damage/theft at the levels of tens of billions of dollars," Pew clarified.


In the Firing Line


The warning signs are already there. Rogers' comments came just weeks after a Department of Homeland Security alert said malware named BlackEnergy had infiltrated companies running much of the country's infrastructure. Less than a month later, a German government report revealed massive damage from an infected email targeting a steel mill in the country. Like Stuxnet, Havex and BlackEnergy, the German attack was targeted specifically at industrial control systems.


The Cyber Arms Race


The Threat is Driven by a Number of Factors

Attackers' growing sophistication. The German attackers had "advanced know-how not only of conventional IT security, but also detailed technical knowledge of the industrial control systems and production processes used in the plant," the government report noted.

The industrialization of cyber crime, with skilled attackers selling crime as a service to others without technical skills.

Growing vulnerabilities, as up to 25 billion web-connected systems and devices in the Internet of Things come online by 2020. Publicly available tools like Shodan let would-be attackers easily identify ICSs. In 2013, for instance, Finnish researchers used the search engine to find nearly 3,000 unsecured Internet-facing SCADA systems running the country's water supply, building automation and other systems. Project SHINE (SHODAN Information Extraction), a multi-year research project aimed at identifying industrial control devices that were directly connected to the Internet, found millions of such devices.

Against this, cyber risk management in industrial control systems is falling behind. Tools and methods used by IT cyber security professionals for managing network risks are not fully adopted in ICS engineering and operations teams. Worse, those with legacy systems may ignore best practices, avoiding patches and virus protection updates, for fear they'll jeopardize plant stability. The result is a growing gap between the capabilities of attackers and the defenses pitched against them.


Assessing the Risk


To Understand the Risk, We Need a Definition. What is Risk?

Fortunately, organizations such as the International Standards Organization (ISO) and the National Institute of Standards and Technology (NIST) have developed definitions that are widely accepted and used.

ISO: "The potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization."

NIST: "A function of the likelihood of a given threat-source's exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization."

In both cases, risk is seen as a function of the vulnerability of an asset, the threat (the likelihood that an attack will occur), and the consequence of such an attack being successful.



To Put it Another Way: Risk = Vulnerability × Threat × Consequence

Through a function of vulnerability, threat and consequence, we are able to quantify risk. By assigning a value (whether between 0 and 1, 0 to 100, or any other consistent scale) to each element, users derive a metric that provides a consistent measure of risk and can be used throughout the organization.

The ultimate aim, of course, is to manage the risk, and this will be considered in a forthcoming e-book. However, you cannot manage what you cannot measure. This e-book therefore focuses on evaluating the risk, which requires a thorough understanding of all the components in the equation above. It is, then, a four-stage process, looking at each element (threats, vulnerabilities and consequences) in turn before bringing them all together.


Step 1: Knowing Your Vulnerabilities


A vulnerability is any quality of an asset that could allow it to be exploited. All digital assets have them. Some are known; some aren't. Some are easier to exploit than others.

A common source of vulnerabilities is software bugs; 2014's Heartbleed vulnerability, affecting half a million websites as well as thousands of connected devices, is just one of the most high-profile examples.

There are numerous vulnerability assessment (VA) tools to track known vulnerabilities within applications and operating systems, but these have their limits. First, VA tools can probe aggressively to test for vulnerabilities across enterprises, which may be unsuitable, and unsafe, when applied to network activity in an ICS. Second, vulnerabilities are frequently the result not of a particular device or software suite but of poor practices or configurations: weak passwords, group accounts with administrative privileges, failures to implement anti-virus programs and host firewalls, and so on. All of these can be exploited by attackers to leverage systems for unintended purposes.

Finally, vulnerabilities must be looked at across operations and processes. Control systems are not just a collection of individual devices, but interconnected systems of devices. Poor access controls on an application running in a control room, for example, can make the whole process vulnerable, not just a single workstation.


Step 2: Identifying Threats


It is threats that turn a vulnerability into an incident.

Threats may be coincidental or accidental, simple or complex, and the result of a wide range of motives. What they have in common is that they have "the potential to harm assets... e.g. unauthorized actions, physical damage, technical failures," as ISO 27005:2011 puts it.

They also exploit vulnerabilities, and when specific vulnerabilities are known, it is possible to predict some of the early signs of threats against these. Each stage of a cyber attack typically consists of several steps, and by scanning for these, attacks may be detected before an incident occurs.



Moving targets: the importance of regular review.

Both vulnerabilities and threats evolve over time. This is most obvious with threats, with more than 200,000 new variants of malware (such as viruses, trojans or worms) identified every day. But it's true of vulnerabilities, too. First, new devices and applications bring with them new vulnerabilities.

Second, vulnerabilities are discovered in areas previously believed to be secure. Again, Heartbleed, in code that was meant to increase security, showed that the security industry's strongest assumptions can be overthrown overnight. It is impossible to take anything for granted when it comes to cyber security. Since new vulnerabilities and threats emerge and are detected all the time, both must be continuously reviewed.


Understanding the relationship between threats and vulnerabilities.

When threats align with vulnerabilities, the risk of a cyber incident increases significantly. Take the example of the virus detected and quarantined by anti-virus software on a control room server, again. The threat (the virus) finds no vulnerability because the anti-virus software worked. But the episode still shows that malware is able to reach the server, which should be in a protected network.

This raises questions of exposure: if known malware has been found, could unknown (zero-day) malware also be present? How was the malware introduced? Could the detected malware have also been introduced to other systems? The threat, although unsuccessful, still indicates the potential for infection and therefore contributes to the overall level of risk. The relationship between threats and vulnerabilities is complex, but with the right tools it can be both understood and managed.


Step 3: Measuring Consequences - The Final Piece


Consequences put these threats and vulnerabilities into perspective.

By identifying assets and the impact of a potential attack on them, you can determine the degree to which you should worry. A vulnerability that could take a printer offline, for example, is likely to be less of a concern than a successful attack on a safety system.

Measuring consequences is not straightforward. In many cases, they may correlate closely to costs, typically through lost production. However, consequences could be far wider, encompassing risks to personal safety, environmental damage, reputational impacts, legal liabilities or even, as we've seen, national security concerns.


Furthermore, interrelationships in the plant must again be recognized: the consequence of an incident can't be measured solely by the impact on the specific, compromised device. A cyber attack may cause a device or server to fail, but what if it obtains control of the device or server and uses it to cause far wider damage? The potential for impacts to spiral from the immediate effect of an initial breach is a vital part of any assessment of consequences.
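The Risk = Vulnerability × Threat × Consequence metric from "Assessing the Risk", carried through for the printer-versus-safety-system comparison and the spiralling-impact point above, as an added example that is not code from the Honeywell e-book or from Risk Manager. Asset names, scores and the "affects" links are constructed sample data; the normalization to 0..1 and the propagation of consequence along those links are this example's own choices for making scores on different scales comparable.

```python
# Added illustration, not the e-book's code: Risk = V x T x C per asset,
# with each factor normalized from its own scale to 0..1 and consequence
# propagated along "affects" links (constructed sample data below).
from dataclasses import dataclass, field

@dataclass
class Asset:
    name: str
    vulnerability: float           # raw scores on this asset's scale
    threat: float
    consequence: float
    scale: tuple = (0.0, 1.0)      # (low, high) of the raw scale used
    affects: list = field(default_factory=list)  # assets harmed if this one is

def normalize(value, scale):
    """Map a raw score on (low, high) onto 0..1; reject out-of-range input."""
    low, high = scale
    if not low <= value <= high:
        raise ValueError(f"{value} is outside scale {scale}")
    return (value - low) / (high - low)

def effective_consequence(name, assets, seen=None):
    """Max of an asset's own impact and of everything reachable via 'affects';
    'seen' stops cycles in the dependency links."""
    seen = set() if seen is None else seen
    if name in seen:
        return 0.0
    seen.add(name)
    asset = assets[name]
    own = normalize(asset.consequence, asset.scale)
    return max([own] + [effective_consequence(n, assets, seen) for n in asset.affects])

def risk_scores(assets):
    """(name, risk) pairs, highest first; risk rounded to 3 decimals."""
    scored = []
    for a in assets.values():
        v = normalize(a.vulnerability, a.scale)
        t = normalize(a.threat, a.scale)
        c = effective_consequence(a.name, assets)
        scored.append((a.name, round(v * t * c, 3)))
    return sorted(scored, key=lambda pair: pair[1], reverse=True)

# Constructed sample: the server's own impact is moderate, but it feeds the
# safety system, so it inherits that system's consequence and tops the list.
SAMPLE = {a.name: a for a in [
    Asset("printer", 0.9, 0.8, 0.1),
    Asset("control_server", 40, 60, 50, scale=(0, 100), affects=["safety_system"]),
    Asset("safety_system", 2, 3, 5, scale=(1, 5)),
]}
```

Running risk_scores(SAMPLE) ranks the control server first even though its own consequence score is only moderate, which is the "impacts spiral" effect the text describes; the highly exploitable printer comes last.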


Step 4: Bringing it Together - Measuring Risk


Understanding and addressing the preceding elements gives a plant what it needs to begin to make a realistic assessment of its risks.


It will know the vulnerabilities to look out for.
It will have put in place elements of threat detection, such as firewalls on the network and connected hosts, and virus protection.
And it will have identified its most important assets and the potential consequences of an attack on them.

A solution now available to assist with ongoing situational awareness is Honeywell's Industrial Cyber Security Risk Manager. Risk Manager, the first solution to proactively monitor, measure and manage industrial cyber security risk, provides users of all levels with the real-time visibility, understanding and decision support required for action. With Risk Manager there is no need to be a cyber security expert. The easy-to-use interface allows users to prioritize and focus efforts on managing the risks that matter most for reliable plant operations.

More about Cyber Security


For industrial organizations, identifying risks is the first stage of the journey to a more secure system in the face of increasing attacks. We'll consider the second stage in our forthcoming e-book on managing the risks.

For More Information


Meanwhile, for more information about cyber security, here are some more resources to help you:

The Essential Guide to Cyber Security: Download this e-book to learn about the essentials of industrial cyber security and how to approach it.
Honeywell Whitepapers: Honeywell experts have published various whitepapers on various elements of industrial cyber security. View the complete list here.
Case Studies: Read and learn from our case studies to know the steps other industrial customers are taking to tackle cyber attacks.

Visit becybersecure.com

May 2015
