Industrial Internet Security Framework v 1.0 | Page 27

5 MANAGING RISK

Maintaining business value requires safeguarding the business investment in Industrial Internet of Things (IIoT) systems and protecting their operations from risk. Risk, the effect of uncertainty on objectives, takes into consideration the likelihood of an event occurring along with the impact of that event were it to occur. Elements of security risk that address the likelihood of an event occurring include threats and threat actors that may attempt to exploit vulnerabilities in the system unless countermeasures are deployed to mitigate the risk. Threats may be inadvertent (from hazards) or intentional (from attackers). Several elements of risk define the impact of an event, including the value of the asset (for example, the replacement cost of equipment or the revenue loss from equipment downtime), reputation damage, potential liability concerns, and the physical and safety consequences of misoperating physical processes.

As it is not feasible to eliminate all risk from a system, we must manage risk so that security investments are balanced against the effect of undesirable outcomes. This balancing must be grounded in a realistic assessment of the threats, the risks they pose and how they might prevent the system from fulfilling its intended functions. Costs must be evaluated and a rational selection of implementation choices made to deliver an acceptable return on investment. It is possible to proceed with no security and accept all the risk. It is also possible to spend exorbitant sums on security, to the point that the security gains no longer justify the expense. To manage risks, the organization should evaluate them, decide which parts of a security program to invest in, deploy those parts, and periodically reevaluate both the risks and the effectiveness of the program.

Security risk can be addressed in a variety of ways:

Risk avoidance seeks to eliminate the risk entirely to avoid all exposure. Often, complete risk avoidance can only be achieved by removing the functionality that causes the risk.

Risk mitigation implements compensating measures to reduce the impact of unavoidable threats. Mitigation is the most applicable strategy when risk avoidance cannot be achieved. It is implemented with a systematic approach to software security, audit and patch management.

Risk transferal transfers the risk to a third party. Most commonly this takes the form of insurance, where the risk is accepted by the third party in return for payment. Transferring risk is a common technique for high-impact, low-frequency incidents that have unacceptably high mitigation costs. Risk transfer may also be achieved by passing the costs on to customers, or as an aspect of outsourcing.

Risk acceptance does not reduce the risk; it simply means one accepts it. This strategy is usually applied when the cost of the mitigation exceeds the cost of an adverse incident, should such an incident occur.

Residual risk is the risk that remains after all countermeasures have been implemented. When all known vulnerabilities are removed, unknown ones still remain. Risk may also remain due to incorrect assumptions about system security or trusted personnel. Residual risk must be tracked to prioritize additional security operations, justify the security choices made and determine when

IIC:PUB:G4:V1.0:PB:20160926 - 27 -