It is becoming more common for industrial customers to have concern for and awareness of both cyber and physical...
security threats to their industrial control systems and enterprise IT. This is especially true in light of the WannaCry and Petya ransomware attacks that have been in the news recently.
A customer's initial action may be to evaluate their options for system security, and they often ask for an industrial control systems (ICS) security inspection. These inspections are often viewed as audits by the customer; however, the customer is better off with an assessment, instead.
What is the difference between security assessments and security audits? The differences are pretty substantial, and each yields a different level of scrutiny and different sets of actionable results. Also, each gives management a different sense of how bad their security is -- or isn't.
Security audits versus security assessments
To understand the differences between security assessments and security audits, there are a few points to consider. The first is that the purpose of a security audit is to compare the results against a specific standard or set of standards, and to find specific gaps where the standard is not being met or achieved.
In an audit, the inspector compares the customer's activities against a particular list of requirements in an industry standard. Basically, the audit identifies whether or not the customer complies with these requirements, but not necessarily whether the customer exceeds them.
The problem with this approach is that the customer needs to identify the standard they expect to follow, and the auditor needs to have the knowledge and capability to identify if the standard requirement is truly being satisfied or not. Unfortunately, the auditor tends not to look beyond the standard's requirements for areas needing attention. An audit looks for minimum achievement.
It has been my own personal experience that industrial customers outside the North American electric power and transmission and oil/gas industries don't normally know with which standards they should comply. Therefore, the audit may not even be of value, since the customer has never worked toward a standard anyway.
The second point to consider is that security assessments are about understanding the customer's security posture. The goal of the assessment is to enable the inspectors to use their experience and practical knowledge in conjunction with other recognized standards and guidelines for ICS cyber and physical security, and to look for ways the customer can achieve a higher level of performance, and not simply meet minimum compliance. The assessment is not a strictly pass or fail approach, but is instead intended to give the customer a sense of the current security reality.
Security assessments also normally provide different gradients of risk to the facility and its operations. For instance, an assessment may categorize the risk findings as critical impact, high impact, medium impact or low impact. The assessment should also nominally provide feedback to the customer on identified strengths, as well as informational findings that are outside the scope of the security assessment. Basically, an assessment gives the customer a list of actions to take to mitigate issues and to achieve a more ideal situation rather than simply satisfying a minimum requirement in a standard.
Finally, consider that security standards can be used and cited during an assessment. However, for an assessment, the experience of the assessor can also identify the quality of achieving a standard. This is beneficial to the customer, as they can gauge the effort and resources necessary to correct a problem.
References to use for security assessments
Security audits are conducted against a specific standard or set of standards, but that doesn't imply that assessments are not permitted to use any type of standards or guidelines. On the contrary, the more knowledge and experience an assessor has in the area of cyber and physical controls for ICS, the better off the customer is.
Therefore, assessors still often rely on selected documents to help with assessment performance. Some excellent resources for these assessments include "Cyber Security Assessments of Industrial Control Systems" from the U.K. Centre for the Protection of National Infrastructure and the U.S. Department of Homeland Security; the National Institute of Standards and Technology's "Guide to Industrial Control Systems (ICS) Security;" "Security for Industrial Automation and Control Systems;" "Information Technology -- Security Techniques -- Code of Practice for Information Security Management;" and the information provided on the Industrial Control Systems Cyber Emergency Response Team website. But, don't forget, the assessment does not necessarily use these as compliance checklists.
Learn how mobile application assessments can boost enterprise security
Find out how a vendor risk assessment can help enterprise security
Check out how the WannaCry ransomware affects ICS networks