Identifying and classifying the riskiest devices in operational technology (OT)-heavy environments is crucial for maintaining operational integrity and security. How should an organization classify these devices? What should classification look like? Who should participate in the classification process? In this article, I will attempt to answer these three questions.
Classifying the riskiest devices in an organization can be very challenging. However, there is an excellent resource that organizations can adopt to help with this process. In 2023, MITRE released its Crown Jewels Analysis (CJA) for Industrial Control Systems. This method involves identifying devices whose failure or compromise can lead to mission failure, as defined in the Department of Defense (DoD) Defense Acquisition Guidebook. These devices, known as "crown jewels," can be logic-bearing or non-logic-bearing devices that contain microelectronic components, firmware, and software, according to MITRE.
An organization can use the DoD's mission-level impact categories to classify devices. Classification should be based on the criticality of each device to the mission or business operations. Devices can be categorized into the following levels of impact:
Level I: Total Mission Failure - "Failure of these devices results in complete mission failure."
Business Equivalent: Total Operational Shutdown
Example: A critical manufacturing execution system (MES) or process control system (PCS) goes down, halting all production, leading to significant financial losses and disruption of supply chains.
Level II: Significant Degradation - "Failure significantly degrades mission capabilities."
Business Equivalent: Major Operational Disruption
Example: A cyber-attack that leads to the failure of a primary Supervisory Control and Data Acquisition (SCADA) server disrupts real-time monitoring and control of manufacturing processes. This results in delayed detection of and response to production anomalies, causing significant delays and inefficiencies in the production schedule and potentially leading to costly production downtime and safety hazards.
Level III: Partial Capability Loss - "Failure results in partial loss of capabilities, but workarounds are possible."
Business Equivalent: Reduced Operational Efficiency
Example: A malfunction in a specific machine or production line requires manual intervention or task rerouting, slowing overall productivity but allowing operations to continue.
Level IV: Negligible or No Loss - "Failure has negligible or no impact on the mission."
Business Equivalent: Minimal Operational Impact
Example: A non-essential auxiliary system fails, such as a building's environmental controls. Its loss does not significantly affect core business functions or production.
Across operational environments, the devices that pose the highest risks are typically those essential for production, manufacturing, data acquisition, control systems, voltage regulation, water purification, remote monitoring, traffic management, railway signaling, patient monitoring, and diagnostics.
Organizations within each sector must establish a comprehensive assessment process to determine the criticality and vulnerabilities of these devices. This involves understanding each device's specific functions and dependencies, conducting thorough risk assessments, and prioritizing resources to address the highest risks. By following this approach, organizations can effectively safeguard their most critical assets and ensure the reliability and resilience of their operations.
Energy Sector:
Criteria Development: Organizations in the energy sector can develop criteria based on the criticality of devices to power generation, transmission, and distribution. They might use MITRE's CJA for ICS to identify devices whose failure could lead to mission failure (MITRE CJA, p. 5).
Risk Assessment: Conduct risk assessments to identify vulnerabilities in transformers, ICS, and centralized data systems.
Prioritization: Prioritize resources to secure the most critical devices, such as those used for voltage regulation and power distribution.
Water and Wastewater Systems:
Criteria Development: Water quality engineers and process control specialists can establish criteria based on the impact of device failure on water purification and distribution processes.
Risk Assessment: Identify vulnerabilities in programmable logic controllers (PLCs), remote terminal units (RTUs), and SCADA systems that monitor and control water treatment facilities.
Prioritization: Allocate resources to address the highest risks, ensuring the safety and reliability of water and wastewater systems.
Transportation Sector:
Criteria Development: Traffic and railway signal engineers can develop criteria based on the impact of device failure on traffic management and railway signaling systems.
Risk Assessment: Assess risks associated with traffic management systems, traffic lights, and railway signaling devices.
Prioritization: Focus on securing the devices that are critical for ensuring smooth scheduling and safety of transportation operations.
Healthcare Sector:
Criteria Development: Biomedical engineers and clinical IT specialists can create criteria based on the criticality of devices to patient care and diagnostics.
Risk Assessment: Identify vulnerabilities in patient monitoring systems, medical imaging devices, and centralized data systems.
Prioritization: Prioritize resources to secure the essential devices for continuous patient monitoring and diagnostics, ensuring patient safety and data integrity.
Organizations should assemble a team of experts to participate in the classification process. This team, composed of engineers, operators, OT/ICS security professionals, management and executives, and regulatory and compliance officers, brings together the knowledge and experience needed for a comprehensive and effective classification process.
General Experts:
Engineers and Operators: Document known dependencies and criticality of assets.
OT/ICS Security Professionals: Provide insight into potential vulnerabilities.
Management and Executives: Ensure alignment with organizational goals and resource allocation.
Regulatory and Compliance Officers: Ensure adherence to industry standards and regulations.
Sector-Specific Experts:
Energy Sector:
Power System Engineers: Specialized in designing and operating electrical power systems.
Grid Operators: Oversee the real-time operations of the power grid.
Energy Policy Analysts: Understand regulatory frameworks and policy implications.
Water and Wastewater Systems:
Water Quality Engineers: Focus on maintaining water purity and safety.
Process Control Specialists: Manage and optimize treatment processes.
Environmental Compliance Officers: Ensure compliance with environmental regulations.
Transportation Sector:
Traffic Engineers: Design and manage traffic control systems.
Railway Signal Engineers: Specialize in the safety and efficiency of railway signaling systems.
Transportation Safety Analysts: Assess risks and develop safety protocols.
Healthcare Sector:
Biomedical Engineers: Design and maintain medical devices and systems.
Clinical IT Specialists: Oversee IT systems integration in healthcare settings.
Healthcare Compliance Officers: Ensure compliance with healthcare regulations and standards.
Each organization will have a different budget and different personnel allocated toward the security of its OT and IT environments. Within these limits, time and money should be prioritized toward the most critical devices identified in the classification process. This involves:
Risk Assessment: Conducting thorough risk assessments to identify vulnerabilities and potential impacts.
Resource Allocation: Allocating resources to address the highest risks first.
Continuous Monitoring: Implementing continuous monitoring to promptly detect and respond to threats.
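The classification and prioritization steps above can be worked through on a small inventory. The following is an added example (not code from the article or from MITRE's CJA): each device gets a direct impact level from the four categories, and, as an assumption not stated in the article, a failure is propagated to every device that transitively depends on the failed one, so a device's effective level is the worst of its own and its dependents'. The plant inventory is constructed for illustration.

```python
from dataclasses import dataclass, field

# The article's mission-level impact categories; Level I is the most severe.
LEVELS = ["IV", "III", "II", "I"]                  # list index = severity rank
SEVERITY = {lvl: i for i, lvl in enumerate(LEVELS)}

@dataclass
class Asset:
    name: str
    direct_impact: str                              # level for this device failing alone
    depends_on: list = field(default_factory=list)  # devices it needs in order to operate

def dependents(inventory):
    """Reverse the dependency edges: which devices stop working if this one fails?"""
    rev = {name: [] for name in inventory}
    for asset in inventory.values():
        for dep in asset.depends_on:
            rev[dep].append(asset.name)
    return rev

def effective_impact(inventory, name):
    """Assumed propagation rule: effective level = worst of the device's own level
    and the levels of everything that transitively depends on it.
    Returns (level, number of other devices dragged down)."""
    rev = dependents(inventory)
    worst = SEVERITY[inventory[name].direct_impact]
    seen, stack = {name}, [name]
    while stack:                                    # iterative DFS; tolerates cycles
        for child in rev[stack.pop()]:
            if child not in seen:
                seen.add(child)
                worst = max(worst, SEVERITY[inventory[child].direct_impact])
                stack.append(child)
    return LEVELS[worst], len(seen) - 1

def crown_jewels(inventory):
    """Rank devices for resource allocation: most severe effective level first,
    wider blast radius breaking ties, then name for a stable order."""
    rows = [(n, *effective_impact(inventory, n)) for n in inventory]
    return sorted(rows, key=lambda r: (-SEVERITY[r[1]], -r[2], r[0]))

# Constructed sample plant inventory (hypothetical names, not from the article).
SAMPLE = {a.name: a for a in [
    Asset("mes", "I", ["core_switch"]),             # MES outage halts all production
    Asset("scada", "II", ["core_switch", "ntp"]),   # loses real-time monitoring
    Asset("plc_line1", "III", ["scada"]),           # one line; manual workaround exists
    Asset("hvac", "IV", []),                        # building comfort only
    Asset("core_switch", "III", []),                # judged minor when assessed alone
    Asset("ntp", "IV", []),                         # "just a time server" in isolation
]}

if __name__ == "__main__":
    for name, level, affected in crown_jewels(SAMPLE):
        print(f"{name:12s} Level {level:<4s} drags down {affected} other device(s)")
```

Note how the core switch and the time server, each rated Level III or IV on their own, surface as Level I and Level II once dependencies are documented, which is the kind of finding the engineers' and operators' dependency mapping is meant to produce.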
To measure the effectiveness of the classification and mitigation efforts against cyber-attacks or exploitation, organizations can combine general measures with sector-specific approaches to ensure accurate and meaningful assessments:
Track Incident Response Times: Measure how quickly cyber incidents are detected and resolved.
Monitor System Performance: Assess the resilience and reliability of critical devices under cyber-attack conditions.
Conduct Regular Security Audits: Verify that cybersecurity measures are in place and identify remaining vulnerabilities.
Energy Sector:
Cyber Attack Response Drills: Conduct regular drills simulating cyber-attacks on the power grid to evaluate preparedness and response capabilities.
Intrusion Detection Systems (IDS) Effectiveness: Monitor and evaluate the performance of IDS in detecting and mitigating cyber threats.
Access Control Audits: Regularly assess the effectiveness of access control measures in preventing unauthorized access to critical systems.
Water and Wastewater Systems:
SCADA System Monitoring: Implement continuous monitoring of SCADA systems for signs of cyber intrusions or anomalies.
Network Segmentation Effectiveness: Evaluate the effectiveness of network segmentation in limiting the spread of cyber-attacks.
Incident Reporting and Analysis: Maintain a robust incident reporting and analysis system to identify trends and improve response strategies.
Transportation Sector:
Vulnerability Assessments: Conduct regular vulnerability assessments of traffic management and railway signaling systems.
Patch Management Effectiveness: Monitor the effectiveness of patch management processes in mitigating known vulnerabilities.
Cybersecurity Awareness Training: Evaluate the impact of cybersecurity awareness training programs for personnel.
Healthcare Sector:
Medical Device Security Testing: Perform regular security testing on medical devices to identify and mitigate vulnerabilities.
Data Integrity Monitoring: Monitor the integrity of patient data to detect and respond to tampering or unauthorized access.
Compliance with Healthcare Cybersecurity Standards: Regularly assess compliance with industry-specific cybersecurity standards and guidelines.
Classifying and prioritizing the riskiest devices in OT-heavy environments is essential for maintaining operational security and integrity. Organizations can identify and safeguard their most critical assets by leveraging MITRE's CJA for ICS and the DoD Defense Acquisition Guidebook's structured classification based on mission-level impact categories. Involving a cross-functional team with general and sector-specific experts ensures a comprehensive assessment of device criticality and vulnerabilities. This collaborative approach aligns with organizational goals and meets industry standards and regulatory requirements.
To measure the effectiveness of classification and mitigation efforts against cyber-attacks, organizations must adopt sector-specific approaches, including tracking incident response times, monitoring system performance, and conducting regular security audits. Sector-specific strategies, such as cyber-attack response drills in the energy sector and continuous SCADA system monitoring in water and wastewater systems, provide targeted insights into the resilience and reliability of critical devices. By prioritizing limited resources and implementing continuous monitoring, organizations can enhance their overall cybersecurity posture, ensuring their systems' safety and operational reliability across various critical infrastructure sectors.
Dan Ricci is the founder of the ICS Advisory Project, an open-source project that provides DHS CISA ICS Advisories data visualized as a dashboard to support vulnerability analysis for the OT/ICS community. He retired from the U.S. Navy after serving 21 years in the information warfare community.