Industrial Internet Security Framework v 1.0 | Page 30

Security Framework 5: Managing Risk

standards.

IIoT risk assessments are unique in that they include physical consequences of errors and attacks as well as classic information systems risk. The most commonly discussed threats come from malicious attackers who wish to disrupt a system, steal information or cause harm or fear, but even an adequately secured system must account for failures in the operating environment, such as extreme environmental or weather conditions. The term threat, then, should be interpreted broadly to include any influence or incident that would interfere with the normal, intended use of the underlying system. While it is not practical to anticipate every possible threat, a strong security model that contemplates broad changes in the operating environment can mitigate the impact of many unplanned situations.

Identifying threats and consequences requires an understanding of the overall system and its implementation. The elements of the IIoT system exposed to possible attacks are called its attack surface. Growth in the number of technologies and increased complexity both increase the attack surface and vulnerabilities of the system, increasing risk. Each of these elements may be vulnerable via an attack vector, a mechanism by which an attack can take place. Attack vectors include physical attacks, network attacks, attacks against software, attacks on operators and attacks on the supply chains of the elements that comprise the system. Each industry has a specific set of attack vectors, as does each class of technology. The impact of each type of attack depends on the system’s industry, design and business priorities.

Practitioners carrying out risk assessments should consider physical consequences of threats related to safety and the consequences of tampering with physical control equipment, as well as threats to analog and digital control systems.
The existence of some physical components may increase the attack surface by being more susceptible to tampering. For example, equipment exposed to the public has a greater attack surface than equipment behind security perimeters at dedicated industrial sites. Moreover, digital systems designed to prevent equipment damage or injury to workers will warrant increased attention in the risk assessment process, especially when safety risks are not mitigated with additional physical protections.

Physical safety systems may mitigate some attacks. Examples include over-pressure valves, flare stacks, berms and containment systems. Some of the work of assessing the effectiveness of these physical safety systems in light of attack scenarios may already have been carried out as part of the system’s safety engineering assessment.

Modern attacks span a wide range of possible means and motives. Approaches to enumerate cyber threats and attack methods include lists of attack vectors such as OWASP, or the STRIDE threat identification approach and threat modeling.

IIC:PUB:G4:V1.0:PB:20160926 - 30 -