Cybersecurity Risk Assessment
A rational strategy for protecting technology assets
By Tracy Barbour
Northrim Bank's Douglas Frey (left), VP Security and Business Continuity Manager; and aeSolution's John Cusimano, Director of Industrial Cybersecurity.
Images courtesy of Northrim Bank and aeSolutions
Organizations of all types and sizes have been rocked by security breaches and other cyber attacks, including large corporations (Merck, Maersk, and FedEx), government agencies, and even a credit reporting bureau (Equifax). And given the growing threat from botnets, malware, ransomware, worms, and nefarious hackers, companies need an organized method for assessing and addressing cybersecurity risks.
Cybersecurity is the technologies, processes, and practices designed to protect networks, computers, programs, and data from attack, damage, or unauthorized access. A cybersecurity risk assessment identifies the gaps in an organization’s critical risk areas and determines actions to close them. The evaluation typically involves considering the primary types of information being handled—whether Social Security numbers, credit or debit card numbers, patient records, industrial control system data, designs, or human resources data—and then making a priority list of what needs to be protected.
Cybersecurity assessment also entails identifying where information assets reside, such as file servers, workstations, laptops, removable media, smartphones, and databases, and then classifying them. The top-rated assets are further considered for additional risks they may face from threats such as identity spoofing, data tampering, information disclosure, or denial of service. From there, an organization can weigh the probability of a threat actually being carried out against a particular asset and the potential impact of a successful cybersecurity attack. A cybersecurity risk assessment exercise can take anywhere from one full day for smaller organizations to several days or weeks for larger firms. The cost of an assessment can run tens of thousands of dollars, depending on the size and complexity of the system as well as the time involved making the assessment.
Ultimately, a cybersecurity risk assessment can yield a comprehensive, prioritized ranking by risk of threats and vulnerabilities that can help organizations create a strategy for sensible risk mitigation. They can then focus their efforts on the most critical areas and avoid spending resources on security technologies or activities that are less essential and irrelevant to addressing the highest risks.
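As an added illustration of the process described above (example code, not from the article, aeSolutions, or Northrim Bank), the following Python builds a small risk register: assets are inventoried and classified, only the top-rated ones are scored against the four threat types named above, and the result is ranked by likelihood times impact. All asset names and scores are constructed for illustration.

```python
from dataclasses import dataclass

# Threat categories the article names for the top-rated assets.
THREATS = ("spoofing", "tampering", "information disclosure", "denial of service")

@dataclass(frozen=True)
class Asset:
    name: str
    location: str        # where the information resides (file server, laptop, database ...)
    classification: int  # 1 = low sensitivity ... 5 = critical, set in the classification step

@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    likelihood: int  # 1 (rare) ... 5 (almost certain), estimated by staff who know the system
    impact: int      # 1 (negligible) ... 5 (severe), the consequence of a successful attack

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

def build_register(assets, estimates, min_classification=4):
    """Score only top-rated assets against each threat, ranked by likelihood x impact.
    `estimates` maps (asset name, threat) -> (likelihood, impact); values outside 1..5
    are rejected so a typo cannot silently move a risk to the top or bottom of the list."""
    register = []
    for asset in assets:
        if asset.classification < min_classification:
            continue  # lower-rated assets are inventoried but not scored threat by threat
        for threat in THREATS:
            if (asset.name, threat) not in estimates:
                continue
            likelihood, impact = estimates[(asset.name, threat)]
            if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
                raise ValueError(f"{asset.name}/{threat}: scores must be within 1..5")
            register.append(Risk(asset.name, threat, likelihood, impact))
    # Highest score first; ties broken by name so the ranking is stable and reviewable.
    return sorted(register, key=lambda r: (-r.score, r.asset, r.threat))

# Constructed sample inventory and estimates for illustration (not real data).
ASSETS = [Asset("card-db", "database server", 5), Asset("hr-share", "file server", 4),
          Asset("lobby-kiosk", "workstation", 2)]
ESTIMATES = {("card-db", "information disclosure"): (3, 5), ("card-db", "denial of service"): (2, 3),
             ("hr-share", "tampering"): (2, 4), ("hr-share", "information disclosure"): (3, 4),
             ("lobby-kiosk", "denial of service"): (5, 1)}  # dropped: classification below 4

if __name__ == "__main__":
    for rank, risk in enumerate(build_register(ASSETS, ESTIMATES), start=1):
        print(f"{rank}. {risk.asset:12}{risk.threat:24}score={risk.score}")
```

The kiosk's high-likelihood but low-impact denial-of-service entry never reaches the register because the asset was classified below the threshold, which is the filtering step the assessment uses to keep effort on the assets that matter.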
The Assessment Process
Cybersecurity risk assessments are often done by an organization’s IT department or its internal audit group. However, many organizations opt to use outside consultants. There are arguments for both approaches, says John Cusimano, CISSP, GICSP, CFSE. Cusimano is the director of industrial cybersecurity for Applied Engineering Solutions (aeSolutions), a provider of industrial process safety, cybersecurity, and automation lifecycle solutions and tools. “The main thing is the person facilitating the assessment should have some independence from the group that actually designs and operates the system,” he says. “You want a third party that can come in with no biases... You want as close to the real version of the truth as you can get.”
That’s the type of service aeSolutions strives to provide its clients. The company specializes in industrial control system (ICS) cybersecurity, often referred to as operational technology (OT) cybersecurity. The primary service it offers is a combination of vulnerability and gap assessment followed by a formal risk assessment. The vulnerability and gap assessment involves physically visiting a site and gathering data about the system and operational practices. The data, such as Windows system information, network configurations, and packet captures, is collected passively to ensure that there is no possible impact to production.
“We then analyze the data offsite and prepare up-to-date network diagrams, dataflow diagrams, zone and conduit diagrams, and a vulnerability register,” Cusimano says. “This information is then used in the risk assessment phase of the process. We refer to our ICS cybersecurity risk assessment process as a Cyber Process Hazard Analysis, or CyberPHA, because it links cybersecurity vulnerabilities and threats to process safety consequences to identify realistic cyber risks. The result provides management with a roadmap highlighting a ranked set of risks, prioritized recommendations, and a mitigation plan.”
When conducting assessments, aeSolutions will evaluate an entire enterprise or the security of a particular system at one facility. aeSolutions also makes a distinction between IT (laptops, printers, and accounting systems) and OT (computers and networks that control production). Most companies assess IT and OT separately because the systems and the personnel who support them are very different, Cusimano says.
A cybersecurity risk assessment cannot be performed without a solid understanding of the system being assessed, Cusimano says. This means having up-to-date network diagrams and system inventory, an understanding of data flows, an understanding of how the system is configured and maintained, and site specific operational practices. “This homework must be done up front before sitting down to perform a risk assessment,” he says. “The risk assessment must incorporate input from personnel who are familiar with the configuration and operation of the system so they can reasonably estimate the consequences and severity of compromise.”
Northrim Bank Prioritizes Risk Assessment
Cybersecurity risk assessments are particularly critical for organizations that manage highly sensitive and private information, such as hospitals and financial institutions. At Northrim Bank, for example, cybersecurity risk assessments are extremely important. And they are completed on a frequent basis, according to Vice President, Security and Business Continuity Manager Douglas Frey.
In fact, whenever Northrim is contemplating a new network, hiring a new vendor, or making other significant changes, it conducts a risk assessment. This is an essential part of protecting valuable assets like customer information as well as the bank’s reputation, brand, business secrets, and funds. “Any time our landscape changes, we look for potential risks,” Frey says. “It’s like a process we’ve baked into our culture.”
Northrim makes cybersecurity risk assessment a priority that starts at the top with its board of directors. And it trickles down to the lowest-level employee, because they are the ones who oftentimes have to implement the controls that are established for security.
As a financial institution, Northrim is heavily audited and examined. The bank is continuously conducting internal as well as external risk assessments, Frey says. Its staff contains an architecture and cybersecurity manager backed by a team of highly skilled engineers, technicians, and other professionals who constantly test and monitor the bank’s system. In addition, their work is regularly checked externally by state and federal examiners.
So exactly what kind of security breaches and other risks is Northrim trying to prevent? The answer: countless. There’s no shortage of the type of attacks that bad actors could use to breach the system. And those risks change daily. That’s why the bank’s system features multiple layers of defense. “If one layer doesn’t stop the risk, another layer can control it,” Frey says. “Those layers of defense are the key to protecting against a wide array of threats as well as future threats.”
A Decision-Making Tool
A cybersecurity risk assessment is primarily an exercise for management. It can help them determine the potential exposure of their assets, how well protected they are, and the consequences of a security breach. And it can be used as a decision-making tool to help managers identify what their worst vulnerabilities are and how to address them. This can help organizations get the most bang for their buck when spending money on security. Without a cybersecurity risk assessment, a company could either spend way too much money on security or spend money in the wrong areas and still wind up getting attacked. “What companies are trying to optimize is how much they spend versus how much risk reduction they achieve,” Cusimano says. “There’s typically a break-even point.”
aeSolutions uses tailored methodologies to help organizations identify and address their cybersecurity risk concerns. The company, which specializes in control system security (or operational technology) for production facilities such as oil and gas companies, pipelines, and refineries, helps clients who are often concerned about protecting against a process safety incident, loss of production, or interruption of service. For example, a pipeline would want to ensure no one tampers with the Supervisory Control and Data Acquisition (SCADA) or control systems that regulate the functioning of valves, pumps, and other elements. Such a breach could result in major safety and health problems.
Cusimano emphasizes that a cybersecurity risk assessment does not have to be done all at once; it can be broken into phases. A multi-phased approach can be ideal for larger companies with numerous facilities involved and small companies concerned about funding. “For larger companies, we often do a pilot assessment on a typical system or facility,” he says. “Then they [clients] review the results and decide how they want to scale that across their operation. For smaller companies, we break the assessment into phases, starting with a vulnerability phase. We’ll always encourage them to follow through and perform all the phases of the project when they can, as every phase yields good information.”
No One-Size-Fits-All Solution
Cyber risk assessment requires a completely customized approach because every company’s computer network is different, Frey says. Some companies allow mobile phones to connect to their network; some allow iPads to connect; and some allow people to dial in remotely. The key to addressing these different scenarios is to ensure layers of defense are in place and adequate enough to provide protection. “It’s not as simple as installing a program and calling it good,” he says. “There’s no one solution that fits all, except perhaps with some of the simplest companies.”
Northrim applies multifaceted tactics with its cyber risk assessment plan. It uses the industry-specific Federal Financial Institutions Examination Council (FFIEC) cybersecurity assessment framework as a foundation. The FFIEC offers a Cybersecurity Assessment Tool (CAT) to help financial institutions identify cybersecurity risks and determine their preparedness. The CAT—which tailors its guidance specifically for banks and credit unions—consists of two parts: Inherent Risk Profile and Cybersecurity Maturity.
The Inherent Risk Profile addresses the level of risk posed to the institution by technologies and connection types; delivery channels; online/mobile products and technology services; organizational characteristics; and external threats. Institutions can use their completed profile to categorize their risk in levels ranging from least inherent to most inherent.
The Cybersecurity Maturity component of the CAT helps institutions measure the level of risk (from baseline to innovative) and corresponding controls. Cybersecurity Maturity includes statements to determine whether the institution’s behaviors, practices, and processes support cybersecurity preparedness within five domains: cyber risk management and oversight, threat intelligence and collaboration, cybersecurity controls, external dependency management, and cyber incident management and resilience.
Northrim Bank also employs cybersecurity techniques from the SANS Institute (officially the Escal Institute of Advanced Technologies) and the Center for Internet Security. SANS is a private, for-profit company that specializes in information security training. “We feel this hybrid approach gives us the flexibility to counter many threats while remaining focused on threats in the financial sector,” Frey says.
However, business continuity and resilience plans would be totally incomplete without incorporating some type of insurance, Frey says. Therefore, Northrim carries insurance coverage written by Lloyd’s of London to round out its cybersecurity efforts. “We carry enough insurance to help restore our systems, maintain customer confidence, and assist our customers with identity theft service,” he says.
No Single Silver Bullet
Organizations should be careful when choosing a provider to conduct a cybersecurity risk assessment. Cusimano advises companies to avoid selecting a vendor who, in addition to providing the risk assessment service, offers cybersecurity products. “It’s like hiring a general contractor to perform a home inspection,” he says.
As another word of advice: Cusimano cautions against being lured by “silver-bullet” solutions from vendors with good sales pitches. “There really is no single silver bullet,” he says. “Take your time and understand where the real vulnerabilities and risks are and put together a plan to address those.”
However, companies must go beyond just developing a risk assessment plan. They need to “operationalize” their risk assessment plan down to the lowest levels, which includes employees using good passwords, not discussing sensitive information in public forums, and other prudent practices, Frey says.
Today, everything is connected through technology. And security-related weaknesses exist across a wide spectrum of platforms and devices, ranging from smartphones and home computers to gas pumps. But the biggest security weakness is people, Frey says. Every day people are being lured into clicking on a link or opening a malicious attachment, possibly giving control of that system to potential hackers. “We must all do a better job against social engineering,” he says.
Tracy Barbour has been an Alaska Business contributor since 1999. As a former Alaskan, she is uniquely positioned to offer in-depth insight and enjoys writing about a variety of topics.