Security Framework 5: Managing Risk
5.5 METRICS AND KEY PERFORMANCE INDICATORS
Business decision makers should monitor reports on the security of their IIoT systems from the moment the systems are conceived, through their design and creation, and throughout their operation. This should be at the same depth as they monitor other characteristics such as performance, throughput, cost and efficiency. The correct measures and metrics inform decision makers, operators and other stakeholders. The interests and needs of key stakeholders, legal responsibilities from laws, regulations and contracts, as well as norms of behavior in the industrial sectors of the system, should all be taken into consideration in establishing appropriate metrics and baselines (metrics define quantitative results against a baseline and measurements describe an absolute observation). All of these considerations should be reviewed periodically for possible adjustment.
Some of the metrics and measures will be common across verticals; others will be unique. As an example of the former, most industries track security metrics such as the number of detected attack attempts, and the breakdown of those attempts, as well as characterizing successful attacks, incidents, close calls, policy violations and anomalies that have merited investigation. For the latter, in the utility and energy industry, it is important to collect metrics on remote terminal units (RTUs) and sensor outages. The function of those metrics is to identify an outage in an RTU quickly, visualize it on a display and set up a process to investigate whether the outage was malicious or an accident.
Clear and accurate representations (dashboards and other visualizations) of security metrics, including data sources, communications and system capabilities, as well as key performance indicators allow operational and business personnel to make improved business decisions. Security then becomes a valuable part of the operational process, and its value can be quantified in terms of the costs saved by averting wrong decisions.
Security metrics can set up a continuous feedback loop to identify areas of risk, increase accountability, improve security effectiveness, demonstrate compliance with laws and regulations and provide quantifiable inputs for effective decision making. Such metrics help identify security problems early and assist in faster and more efficient management and governance. Key performance indicators selected for each application also improve the quality of service as issues such as the number of times a capability is disrupted can be identified early, and corrective or compensating measures taken. Dashboards and other visualizations displaying security metrics collected through continuous feedback loops are desirable, but not essential to conduct periodic risk assessments.
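As an added example (not code from the framework document), the Python below computes the two kinds of figures distinguished above over constructed sample data: absolute measurements (attack attempts broken down by category and outcome, plus counts of the other event kinds) and a baseline-relative metric (RTU heartbeat gaps judged against an expected cadence), feeding the "times a capability is disrupted" KPI. The one-minute heartbeat baseline, the 3x outage threshold and all record field names are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry): field names are assumed.
EVENTS = [
    {"ts": "2024-01-15T08:00:00", "kind": "attack_attempt", "outcome": "blocked", "category": "brute_force"},
    {"ts": "2024-01-15T08:05:00", "kind": "attack_attempt", "outcome": "blocked", "category": "scan"},
    {"ts": "2024-01-15T08:20:00", "kind": "attack_attempt", "outcome": "succeeded", "category": "brute_force"},
    {"ts": "2024-01-15T09:00:00", "kind": "policy_violation", "outcome": "n/a", "category": "usb_media"},
    {"ts": "2024-01-15T09:30:00", "kind": "anomaly", "outcome": "investigated", "category": "traffic"},
]

# Constructed RTU heartbeat timestamps; rtu-02 goes silent for eight minutes.
HEARTBEATS = {
    "rtu-01": ["2024-01-15T08:00:00", "2024-01-15T08:01:00", "2024-01-15T08:02:00", "2024-01-15T08:03:00"],
    "rtu-02": ["2024-01-15T08:00:00", "2024-01-15T08:01:00", "2024-01-15T08:09:00", "2024-01-15T08:10:00"],
}

BASELINE_INTERVAL = timedelta(minutes=1)  # assumed expected heartbeat cadence (the baseline)
OUTAGE_FACTOR = 3                         # assumed threshold: a gap beyond 3x baseline is an outage


def event_measurements(events):
    """Absolute observations: events per kind, and attack attempts per (category, outcome)."""
    by_kind = Counter(e["kind"] for e in events)
    attempts = Counter((e["category"], e["outcome"]) for e in events if e["kind"] == "attack_attempt")
    return {"by_kind": dict(by_kind), "attempts": dict(attempts)}


def rtu_outages(heartbeats, baseline=BASELINE_INTERVAL, factor=OUTAGE_FACTOR):
    """Baseline-relative metric: heartbeat gaps longer than factor * baseline.
    Returns (rtu, last_seen, gap_seconds) tuples to queue for investigation."""
    outages = []
    for rtu, stamps in heartbeats.items():
        times = [datetime.fromisoformat(s) for s in stamps]
        for prev, cur in zip(times, times[1:]):
            gap = cur - prev
            if gap > factor * baseline:
                outages.append((rtu, prev.isoformat(), int(gap.total_seconds())))
    return outages


def disruption_kpi(heartbeats, **kw):
    """KPI: how many times each RTU's reporting capability was disrupted."""
    hits = Counter(rtu for rtu, _, _ in rtu_outages(heartbeats, **kw))
    return {rtu: hits.get(rtu, 0) for rtu in heartbeats}
```

Each outage tuple records when the RTU was last seen so the investigation process can decide whether the gap was malicious or accidental.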
5.6 MANAGEMENT CONSIDERATIONS
Managing risk balances the threats against the IIoT system with the security responses that counteract those threats and the risk they represent. Risk management involves ongoing action for making the appropriate decisions based on the security evidence from metrics and key performance indicators (KPIs) as well as monitoring data to prioritize security tasks. Building out a feedback loop to identify security issues and attest that those issues have been correctly addressed is highly recommended.
IIC: PUB: G4: V1.0: PB: 20160926- 34-