Security threat risk assessment tools in past decades were typically used to determine security mitigation strategies. Assessment consisted primarily of a paper and pen exercise that intended to compare existing security measures with accepted security practices of the day. A rash of ongoing or heightened security incidents often initiated the “security survey.” Completing these reviews relied on the expertise of a security professional who answered a number of pre-defined questions about practices, such as perimeter security, lighting, alarm systems, guard patrols and access control. These reviews focused on physical security and offered a limited risk management output; they were really a base-lining exercise to align security practices of the day with the plant or facility. IT security did not become involved in risk assessments or surveys until after the new millennium.
Today, within the cyber world, risk assessment has often been used interchangeably with vulnerability assessment. Vulnerability assessment is an important part of a risk assessment, but the two are not equivalent. Increasingly, organizations are practicing governance, risk and compliance (GRC) assessments. Within IT-GRC, we see the formation of an important triad on which risk management relies heavily. Effective governance for IT management, comprehensive risk management and compliance management are necessary to ensure IT risk is properly managed across the enterprise. In fact, each leg of the triad relies on the other. GRC is still a developing practice within the IT world, but it will have an even greater impact as a critical infrastructure (CI) risk management tool if appropriately matured and adapted to CI protection needs.
Manager of Security, Privacy and Safety
British Columbia Hydro & Power Authority
Oversees all aspects of security, privacy and safety within the smart grid program at BC Hydro, Canada’s third largest utility.
Successfully implemented the critical infrastructure protection program for BC Hydro during the 2010 Winter Olympic Games in Vancouver.
Contributes to standards development through ASIS and other organizations. Currently second vice chair of the ASIS Utilities Security Council and chairman of the ASIS Critical Infrastructure Working Group.
Received commendation in 2011 from the Royal Canadian Mounted Police Critical Infrastructure Intelligence Team for his contribution to critical infrastructure protection initiatives.
Typically, GRC management is referenced in the context of information technology needs. Within critical infrastructure applications, this usually translates into a discussion about critical cyber assets, systems and processes that support CI. This may or may not extend into operational technologies (OT) such as SCADA (system control and data acquisition technology. For CI protection, though, there are two pressing concerns when discussing critical infrastructure risk management that GRC management has not yet adapted itself to in a comprehensive way. The first is the need for ongoing, real-time assessment (as opposed to periodic assessment), and the second relates to physical and situational awareness inputs. Without these inputs, GRC assessment has limited effectiveness for CI risk management.
Within critical infrastructure protection management, a constant state of vigilance is not possible or practical; many studies have shown that humans can’t remain on guard for extended periods of time. There should always be baseline vigilance, but protection systems must also be designed to provide automated, advanced alerts that permit an escalation for a defensive posture suitable for advanced, persistent threats. Some escalations may be rudimentary, while others are more complex, such as for a nuclear facility armed resistance or shut-down process. There are even more complex escalation processes that rely on the sharing of intelligence and lead to a coordinated defensive response with police or military. Such escalations normally involve initiation of special security rules, including special access rules, increased patrols, added security posts and vehicle inspections. Regardless, inputs to the ongoing risk assessment are needed in order for effective risk management decisions to be made at any level. Knowledge about targeted hacker threats, terrorist plots or complex malware can help escalate security across any CI sector. Knowledge about adversary capabilities helps to define protection requirements.
GRC assessment, therefore, has two imperatives in order to be effective for CI protection: It must be applicable to the physical environment associated with CI protection (plants, dams, pipelines, buildings, etc.), and it must also be adaptable to environmental triggers and changes that inform risk rankings and result in appropriate assessment, leading to effective risk treatment. GRC cannot be limited to IT and cannot be a series of one-off assessments. GRC requires daily inputs from as many relevant sources as possible to inform the true risk picture. Full situational awareness is necessary during periods of escalated CI protection, such as during the Olympic Games or civil unrest. That means monitoring and managing stresses on the environment across a broad array of infrastructure (border protection, transportation systems, venues, internationally protected persons, etc.) and over a larger geographic footprint. Given the complexities associated with critical infrastructure protection, such as international resource management within climates of social unrest, GRC may need even greater inputs to become a truly effective tool for CI protection.
Information Security's 2012 Security 7 winners:
Wade Baker: Information Security Decisions: From Dogma to Data
Ron Knode: Security Warrior for Cloud Transparency
David Seidl: Security Risk Assessment Process a Team Effort at Notre Dame