Following the ISA/IEC 62443 lifecycle process, we aim to AIM - Assess, Implement & Maintain:
The Assess phase starts with a High-Level Cybersecurity Risk Assessment, which determines the type and extent of the risks faced by the Organisation, be they Health & Safety, Environmental, Financial or Reputational, measured against the Organisation's Risk Tolerance criteria. This is followed by a Vulnerability Assessment and a Detailed Cybersecurity Risk Assessment, in which a Security Level Target, SL (Target), is assigned to each zone / conduit.
Once an SL (Target) has been assigned to a zone / conduit in the Assess phase, we facilitate the Implementation of countermeasures such that SL (Achieved) equals or exceeds SL (Target). The SL (Achieved) is determined after the system has been validated against the security requirements for the zone / conduit.
Countermeasures and the inherent security properties of devices and systems degrade over time. In the Maintain phase, the security properties relevant to the zones / conduits must be audited and / or tested at regular intervals, and whenever a new vulnerability is discovered, to ensure that SL (Achieved) remains equal to or higher than SL (Target) at all times.
Cybersecurity Risk Assessments
Following the ISA/IEC 62443 methodology, we take a three-stage approach to Cybersecurity Risk Assessments:
High-level Cybersecurity Risk Assessment – to identify the worst-case unmitigated risk that the System presents to the Organisation and an initial Security Level Target (SL-T) for the System under Consideration. This enables the prioritisation of the Detailed Risk Assessments in Stage 3.
Vulnerability Assessment – to identify System Vulnerabilities using a combination of Gap, Passive and Active Vulnerability Assessments, along with Penetration Testing on a needs basis.
Detailed Risk Assessment – where we combine Consequence and Likelihood to estimate the Unmitigated Risk, compare it with the Tolerable Risk and list the protective measures needed to address any gaps.
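As an added illustration of the two checks described above (unmitigated risk against tolerable risk in the Detailed Risk Assessment, and SL (Achieved) against SL (Target) per zone / conduit), the following Python example is not KAJE Cyber's own tooling and the risk matrix, zones and threshold in it are constructed for the example. It relies on one fact from IEC 62443-3-3: a security level is a vector with one value (0 to 4) for each of the seven Foundational Requirements FR1..FR7, so SL-A meets SL-T only when every component does.

```python
from dataclasses import dataclass

# IEC 62443-3-3 Foundational Requirements. A security level is a vector of
# seven values (0-4), one per FR, not a single number.
FRS = ("FR1", "FR2", "FR3", "FR4", "FR5", "FR6", "FR7")


def risk_score(consequence: int, likelihood: int) -> int:
    """Constructed 5x5 risk matrix: risk = consequence x likelihood (1..25).

    Both inputs are ranked 1 (lowest) to 5 (highest); the ranking scale is an
    assumption of this example, not prescribed by the standard.
    """
    if not (1 <= consequence <= 5 and 1 <= likelihood <= 5):
        raise ValueError("consequence and likelihood must be ranked 1..5")
    return consequence * likelihood


def validate_sl(vector: dict) -> dict:
    """Check that an SL vector only uses FR1..FR7 with levels 0..4.

    Missing FRs are treated as level 0, so an incomplete SL-A never passes
    silently against a non-zero SL-T.
    """
    unknown = set(vector) - set(FRS)
    if unknown:
        raise ValueError(f"unknown foundational requirements: {sorted(unknown)}")
    for fr, level in vector.items():
        if not (0 <= int(level) <= 4):
            raise ValueError(f"{fr}: security level {level} outside 0..4")
    return {fr: int(vector.get(fr, 0)) for fr in FRS}


@dataclass
class Zone:
    name: str
    sl_target: dict       # SL-T assigned in the Detailed Risk Assessment
    sl_achieved: dict     # SL-A determined by validation against 62443-3-3
    consequence: int      # worst-case consequence ranking (1..5)
    likelihood: int       # likelihood ranking (1..5)


def sl_gaps(zone: Zone) -> dict:
    """Return {FR: (target, achieved)} for every FR where SL-A < SL-T."""
    target = validate_sl(zone.sl_target)
    achieved = validate_sl(zone.sl_achieved)
    return {fr: (target[fr], achieved[fr]) for fr in FRS if achieved[fr] < target[fr]}


def assess_zone(zone: Zone, tolerable_risk: int) -> dict:
    """Combine the two checks for one zone / conduit.

    'meets_target' is True only if SL-A >= SL-T on all seven FRs; the
    unmitigated risk is reported separately so that a zone can be flagged
    as exceeding tolerable risk even before countermeasures are chosen.
    """
    unmitigated = risk_score(zone.consequence, zone.likelihood)
    gaps = sl_gaps(zone)
    return {
        "zone": zone.name,
        "unmitigated_risk": unmitigated,
        "within_tolerable_risk": unmitigated <= tolerable_risk,
        "sl_gaps": gaps,
        "meets_target": not gaps,
    }


def zones_needing_action(zones: list, tolerable_risk: int) -> list:
    """Names of zones that exceed tolerable risk or fall short of SL-T."""
    results = [assess_zone(z, tolerable_risk) for z in zones]
    return [r["zone"] for r in results
            if not r["within_tolerable_risk"] or not r["meets_target"]]


# Constructed sample zones (not taken from any real assessment).
SAMPLE_ZONES = [
    Zone("Safety PLC zone",
         sl_target={fr: 3 for fr in FRS},
         sl_achieved={"FR1": 3, "FR2": 3, "FR3": 2, "FR4": 3, "FR5": 3, "FR6": 3, "FR7": 3},
         consequence=5, likelihood=3),
    Zone("Historian DMZ conduit",
         sl_target={"FR1": 2, "FR2": 2, "FR3": 2, "FR4": 1, "FR5": 2, "FR6": 1, "FR7": 1},
         sl_achieved={"FR1": 2, "FR2": 2, "FR3": 2, "FR4": 2, "FR5": 2, "FR6": 1, "FR7": 1},
         consequence=2, likelihood=2),
]

TOLERABLE_RISK = 6  # assumed threshold on the constructed 1..25 scale

if __name__ == "__main__":
    for zone in SAMPLE_ZONES:
        print(assess_zone(zone, TOLERABLE_RISK))
    print("needs action:", zones_needing_action(SAMPLE_ZONES, TOLERABLE_RISK))
```

Treating a missing FR as level 0 is deliberate: a validation report that simply omits, say, FR3 should surface as a gap rather than as a pass, which is the failure mode most likely to go unnoticed in the Maintain phase.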
KAJE Cyber provides training courses and workshops based on ISA/IEC 62443 – Security for Industrial Automation and Control Systems.
Our introductory training courses are:
ICS 101: Cybersecurity Risk Assessments of SCADA / Control Systems
ICS 102: Introduction to Cybersecurity of SCADA / Control Systems
We also develop and deliver customised training packages.
Enjoyable & informative course ...
Found it interesting - something to get us thinking in this space & start asking some initial questions.
Feel there was too much detail for the purpose of our roles; although, the details were good.
Maybe a little too much detail for the group generally (But, I liked it!)
Pies had gone cold at Lunch!