Industrial Internet Security Framework v 1.0 | Page 32

Security Framework 5: Managing Risk

Repudiation: Denial that a person or device was involved in a particular transaction or event. This refers to the ability (or lack thereof) to trace which person or device was responsible for an event.

Information disclosure: Exposure of information to individuals who are not supposed to have access to it. In the Industrial Internet, this could mean sensor data for a smart city in the hands of persons with intentions to launch an attack on the city.

Denial of service: This refers to making a particular service unavailable, often through resource consumption or unreliable execution.

Elevation of privilege: An unprivileged user gains sufficient access to compromise or destroy an entire system. In elevation of privilege threats, an attacker has penetrated all system defenses and become part of the trusted system itself, a dangerous situation indeed.

These last six items make up the acronym STRIDE.

5.3 COMMUNICATING RISK

Effective business decision-making is an important component of industrial security programs. The costs and benefits of different security risks and defensive postures should be clearly communicated to business decision makers, especially as they are often unfamiliar with the details of security risks and countermeasures. There are three basic methods for communicating risk:

Quantitative risk assessment expresses the risk of an incident as the product of the probability of that incident occurring and the cost of the consequences of the incident. This approach works well for high-frequency, low-impact events. Systems with large numbers of devices, where the cost of compromise is comparatively low and system compromise occurs frequently enough to produce statistically significant estimates of probability, are well served by quantitative risk assessment. Quantitative risk assessment is much less effective for communicating the risk associated with low-frequency, high-impact events, for example in an IIoT system where the cost of compromise is high and there is no way to make statistically significant predictions of the probability of such disasters occurring in the future.

Qualitative risk assessment uses surrogates for cost or probability estimates, and expresses risk as a mathematical function of these qualitative surrogates. For example, the French ANSSI standards¹ calculate the importance of an industrial system by assigning a small integer rating to each of consequences, likelihood, system complexity/functionality, connectivity, exposure and accessibility. These rankings are combined arithmetically to produce a number between one and three describing the importance of an industrial control system. Minimum security measures are then prescribed for each class of control system. Other qualitative systems assign and calculate qualitative metrics for individual risks and kinds of incidents.

¹ See [ANSSI-CMKM]

IIC:PUB:G4:V1.0:PB:20160926
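The contrast drawn above between high-frequency and low-frequency events can be made concrete by putting a confidence interval around the probability before multiplying by cost. The following is an added example, not part of the framework: the Wilson score interval is the editor's choice of statistic, the function names are hypothetical, and the incident counts and costs are constructed.

```python
import math

def wilson_interval(incidents, trials, z=1.96):
    """95% Wilson score interval for the per-trial incident probability."""
    if trials <= 0 or not 0 <= incidents <= trials:
        raise ValueError("need 0 <= incidents <= trials and trials > 0")
    p = incidents / trials
    denom = 1 + z * z / trials
    centre = (p + z * z / (2 * trials)) / denom
    half = z * math.sqrt(p * (1 - p) / trials + z * z / (4 * trials ** 2)) / denom
    return max(0.0, centre - half), min(1.0, centre + half)

def expected_loss(incidents, trials, cost, exposure=1):
    """Risk = probability x cost, as (low, point, high) loss per year.

    trials   -- unit-years of observation behind the estimate
    exposure -- units in service during the year being forecast
    """
    low, high = wilson_interval(incidents, trials)
    point = incidents / trials
    return tuple(p * exposure * cost for p in (low, point, high))

def relative_spread(loss):
    """Width of the interval relative to the point estimate (inf if point is 0)."""
    low, point, high = loss
    return math.inf if point == 0 else (high - low) / point

# Constructed sample data, not taken from the framework.
# High-frequency, low-impact: 400 compromises in 20,000 device-years, 500 each.
FLEET = expected_loss(400, 20_000, cost=500, exposure=20_000)
# Low-frequency, high-impact: 0 incidents in 25 plant-years, 50,000,000 each.
PLANT = expected_loss(0, 25, cost=50_000_000)

if __name__ == "__main__":
    for name, loss in (("fleet", FLEET), ("plant", PLANT)):
        low, point, high = loss
        print(f"{name}: {low:,.0f} .. {point:,.0f} .. {high:,.0f} "
              f"(relative spread {relative_spread(loss):.2f})")
```

The fleet estimate stays within roughly ten percent of its point value, so a single figure is defensible. The plant's point estimate is zero while its upper bound runs to millions per year, which is the case where a probability-times-cost number communicates nothing useful.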