Toward a New Risk-Informed Approach to Cyber Security

I like the idea of standardising best practise, especially when securing nuclear power plants. This looks so logical that it’s a wonder that it’s taken this long to create…:

[…] The first step in EPRI’s methodology involves characterizing precisely the attack surface of each component in power plant control systems. An attack surface encompasses all the points at which a component can be attacked, including physical, network, and wireless access.

The next step: Identify the possible goals of an attack (such as stealing data or altering configuration files) and the possible exploit sequences (attack strategies), which vary depending on the goals and vulnerabilities.

With a comprehensive understanding of where, why, and how an attacker might strike, the plant operator can plan the most effective defenses.

The third step of the risk-informed approach is to assess each security measure’s ability to protect against, detect, respond to, and recover from the most likely attacks.

“There are lots of potential ways to mitigate each exploit sequence, and you want to apply the most effective combinations,” said Lawrence. “An engineering workstation may have anti-virus software already installed that can effectively detect malware and alert an operator of its presence. But it might not help much with response and recovery.”

A cumulative score is calculated for each security measure based on its effectiveness and ease of implementation. “The score tells you how well protected you are against each exploit sequence,” said Lawrence. “Whether that score is acceptable to a plant operator depends on the asset’s importance and the consequences of a successful attack. Staff at each plant must determine its acceptable risk threshold.”

[…]

Original article here