Hybrid warfare is now (sadly) a reality, and the threat of digital attacks has placed national & local infrastructure assets on heightened alert. However, there is a wealth of information available to help evaluate your cyber security vulnerabilities & measures.
The UK Health & Safety Executive (HSE) operational guidance (OG-0086) includes two clear statements associated with the Cyber Security of Industrial Automation Control Systems (IACS):
- In order to defend a system, it is first important to know what needs to be defended.
- Risk assessment, definition of the required countermeasures and on-going management of the countermeasures can only be achieved if the full scope of the IACS is understood and documented.
A common way to evaluate the IACS is to use a modified HAZOP/PHA approach with different deviations. However, like many techniques, this only provides analysis and may not be an effective way to continuously monitor the presence and performance of your technical and organisational measures.
Many of these measures rely on non-technical or less technical personnel, so it’s vital that all IACS stakeholders (users) fully appreciate the impact of their acts, omissions or errors.
Using Data Integrity cards, cyber security knowledge (guidance) is visualised in a familiar, accessible & memorable way.
Sample cards are shown below:
The knowledge silos of Information Technology (IT), Operational Technology (OT) and Physical Technology (PT) are (sadly) a common & persistent challenge. The cards can therefore be supplemented & complemented by bowties to more fully understand the Threats & Consequences, the associated Barriers & (critically) their vulnerabilities, i.e. to evolve Analysis into Assurance.
The use of cyber security bowties is not new; however, they may focus only on the logical assets and not fully assess the relationships with, and indirect impact on, physical assets.
CHASE (Computer Hazard And Security Evaluation) is the application of bowtie techniques that exploits key features of BowTieXP, including:
- Bowtie Chaining & Relationship Diagrams
- Audits & Surveys
- Systems & Parts
The concept is summarised in the following extract from a webinar hosted by CGE Risk Management:
This offers significant advantages over worksheets and helps measure & sustain the effectiveness of elements critical to the integrity of your data & functionality.
For more information on Data Integrity cards and/or CHASE bowties – please contact us.