Why and how to conduct an OT security assessment?

This guide details the critical steps needed to conduct an effective OT security assessment, following the methodology of the ISA/IEC 62443 standard.

What is an OT Security Assessment?

An OT Security Assessment consists of auditing an existing site and getting a sense of the assets, people and processes in place. It involves identifying risks and vulnerabilities, analyzing threats, assessing the potential impact of security incidents, reviewing compliance with industry standards, evaluating the effectiveness of existing security controls, and providing recommendations for improvement.

Why conduct an OT Security Assessment?

Evaluating the security of an industrial environment / critical infrastructure has long been a standard practice, but the landscape of cyber threats is undergoing a profound and rapid transformation, particularly due to the increasing convergence of Information Technology (IT) and Operational Technology (OT).

On the back of COVID and Industry 4.0, many factories have embarked on digitalization efforts. These initiatives often focus on enhancing the connectivity of machines and assets. This increased connectivity has resulted in a notable shift: 23% of cyber attacks now target OT environments and critical infrastructure, and therefore industrial control systems.

The absence of thorough risk assessments can lead to a multitude of consequences. These include regulatory non-compliance, operational disruptions, heightened vulnerability to cyber attacks, financial losses, loss of intellectual property, resource misallocation, and reputational damage.

The drivers for an OT risk assessment vary depending on the industry and the company's goals:

  • Regulatory Requirement Specific to the Industry: Compliance with industry-specific regulations often necessitates an OT risk assessment. Companies must meet these OT compliance requirements to avoid penalties and to keep operating within legal frameworks.
  • Managing its own Operational Risk: Identifying and understanding the cyber threats associated with operational technology is necessary. An OT risk assessment helps in recognizing potential disruptions to operations and the consequences they may have on the company's performance and safety.
  • Providing Internal and External Assurance: Conducting a risk assessment gives stakeholders assurance that the company is aware of its risk landscape and is taking appropriate measures to manage it. This assurance can be critical for investors, customers, and partners.
  • Justifying (Non) Investment Decisions: An OT risk assessment can provide the necessary insights to support or refute investment decisions in security measures or other operational technologies. It helps to prioritize resource allocation by highlighting areas of critical need or those with lower risk profiles.

What are the critical steps while conducting an OT Security Assessment?

In this section, we follow the methodology outlined in the ISA/IEC 62443-3-2 standard. A detailed description of this approach is provided in the following text.

Here is an overview of the methodology:

[Figure: OT security assessment methodology according to IEC 62443]


ZCR 1 - Identify the System Under Consideration (SUC):

In this initial phase, the goal is to create a picture of the systems within the OT environment, and how they are linked. It is about running an asset discovery & inventory in order to have a complete picture of the system in question, mapping its architecture, cataloging all network components (physical and software), and listing critical assets. Moreover, it is essential to take into account the company policies and applicable regulations, as well as the guidelines related to the thresholds of potential impact the organization is willing to accept.

ZCR 2 - Perform an Initial Cybersecurity Risk Assessment:

At this stage, a company runs a first evaluation of its cyber risks. This involves reviewing pre-existing OT risk assessments and cross-referencing them with an enterprise risk matrix to identify vulnerabilities and potential threats. This initial assessment is fundamental to establishing a reference frame for the subsequent steps.

ZCR 3 - Partition the SUC into Zones and Conduits:

As a reminder, ISA defines Zones and Conduits as follows:

Zone: consists of the grouping of cyber assets that share the same cybersecurity requirements

Conduit: consists of the grouping of cyber assets dedicated exclusively to communications, and which share the same cybersecurity requirements

So, the aim of this step is to segment the system into various zones and conduits (network segmentation), which can facilitate risk management by isolating them and dealing with them in a segmented manner. This requires a deep understanding of standards, policies, supplier guidelines, as well as criticality analyses of the system's different elements.

ZCR 4 - Does the Initial Risk Exceed the Tolerable Risk?

This step acts as a checkpoint to determine whether the risk identified in the initial assessment is acceptable to the company. If the risk is above the tolerance threshold, additional measures must be considered to reduce it to an acceptable level.

Here is an example of a risk matrix proposed by the IEC 62443 standard:

[Figure: example risk matrix from IEC 62443]



ZCR 5 - Perform a Detailed Cybersecurity Risk Assessment:

If the initial vulnerability assessment indicates a high risk, a detailed assessment is necessary. This involves a more thorough analysis to specifically identify where and how risks could materialize and to develop strategies to mitigate or transfer these risks.

ZCR 6 - Document Cybersecurity Requirements, Assumptions, and Constraints:

Here, the focus is on the formal documentation of cybersecurity requirements for the system, including the assumptions upon which these requirements are based and the constraints that might affect their implementation. This documentation will serve as a reference for security measures to be implemented and for future security audits.

ZCR 7 - Asset Owner Approval:

Before any cybersecurity measures are implemented, it is vital that the asset owner (the person or group responsible for the evaluated system) reviews and approves the risk assessment and the resulting recommendations. This ensures that the decisions made are aligned with the business objectives and operational capabilities of the company.
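The following script is an added worked example, not code from the original article or from Trout Software. It models the workflow of ZCR 1 to ZCR 5 on a constructed asset inventory: assets are grouped into zones by shared target security level (the "shared cybersecurity requirements" of ZCR 3), conduits are derived from the data flows that cross zone boundaries, each zone gets an initial risk from a likelihood/consequence matrix (ZCR 2), and zones whose risk exceeds the tolerable threshold are flagged for a detailed assessment (ZCR 4 and ZCR 5). The inventory, the flows, the 5x5 matrix values and the tolerable-risk threshold are all assumptions made up for illustration; IEC 62443-3-2 publishes its own example matrix, which is not reproduced here.

```python
"""Added example: a small model of the IEC 62443-3-2 zone-and-conduit risk
workflow. Everything below (inventory, flows, matrix, threshold) is constructed
for illustration and is not taken from the standard or from any real site."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str         # constructed label, e.g. PLC, HMI, Historian
    sl_target: int    # target security level (SL-T), 0..4 as in IEC 62443
    likelihood: int   # 1 (rare) .. 5 (almost certain), constructed scale
    consequence: int  # 1 (negligible) .. 5 (catastrophic), constructed scale


# Constructed asset inventory, i.e. the output of ZCR 1.
INVENTORY = [
    Asset("plc-line1", "PLC", 3, 2, 5),
    Asset("plc-line2", "PLC", 3, 2, 5),
    Asset("hmi-line1", "HMI", 3, 3, 4),
    Asset("historian", "Historian", 2, 3, 3),
    Asset("eng-ws", "Engineering workstation", 2, 4, 4),
    Asset("mes-srv", "MES server", 1, 3, 2),
]

# Constructed data flows (source asset, destination asset, protocol).
FLOWS = [
    ("hmi-line1", "plc-line1", "Modbus/TCP"),
    ("hmi-line1", "plc-line2", "Modbus/TCP"),
    ("historian", "plc-line1", "OPC UA"),
    ("eng-ws", "plc-line1", "vendor engineering protocol"),
    ("mes-srv", "historian", "SQL"),
]

# Constructed 5x5 risk matrix, indexed RISK[likelihood-1][consequence-1].
RISK = [
    [1, 1, 2, 2, 3],
    [1, 2, 2, 3, 4],
    [2, 2, 3, 4, 4],
    [2, 3, 4, 4, 5],
    [3, 4, 4, 5, 5],
]
TOLERABLE_RISK = 3  # constructed organisational threshold used in ZCR 4


def score(asset):
    """Look up an asset's risk level in the matrix."""
    return RISK[asset.likelihood - 1][asset.consequence - 1]


def partition_zones(inventory):
    """ZCR 3: group assets that share the same requirement (here, SL-T)."""
    zones = defaultdict(list)
    for asset in inventory:
        zones[f"zone-sl{asset.sl_target}"].append(asset.name)
    return dict(zones)


def derive_conduits(zones, flows):
    """ZCR 3: a conduit groups the communications between two zones.
    Flows that stay inside one zone do not create a conduit."""
    zone_of = {name: zone for zone, names in zones.items() for name in names}
    conduits = defaultdict(set)
    for src, dst, proto in flows:
        zs, zd = zone_of[src], zone_of[dst]
        if zs != zd:
            conduits[(zs, zd)].add(proto)
    return {pair: sorted(protos) for pair, protos in conduits.items()}


def initial_risk(zones, inventory):
    """ZCR 2: the zone's initial risk is the highest asset risk inside it."""
    by_name = {asset.name: asset for asset in inventory}
    return {zone: max(score(by_name[n]) for n in names)
            for zone, names in zones.items()}


def needs_detailed_assessment(zone_risk, tolerable=TOLERABLE_RISK):
    """ZCR 4: zones above tolerable risk proceed to the detailed ZCR 5 step."""
    return sorted(zone for zone, risk in zone_risk.items() if risk > tolerable)


if __name__ == "__main__":
    zones = partition_zones(INVENTORY)
    risk = initial_risk(zones, INVENTORY)
    for zone, names in zones.items():
        print(f"{zone}: assets={names} initial risk={risk[zone]}")
    for (zs, zd), protos in derive_conduits(zones, FLOWS).items():
        print(f"conduit {zs} -> {zd}: {protos}")
    print("detailed assessment required for:", needs_detailed_assessment(risk))
```

Two design choices are worth noting. Zone risk is taken as the maximum of its assets' risks rather than an average, because a single high-consequence PLC is enough to make the whole zone unacceptable; and conduits are derived only from flows that cross a zone boundary, which is exactly the list of places where segmentation controls (ZCR 3) and the detailed assessment (ZCR 5) should concentrate.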

What are the critical points to successfully conduct an OT Security Assessment?

#1 Treating the Exercise as an Iterative Process, Not a One-Time Activity

Viewing an OT Security Assessment as an ongoing, iterative process is crucial. Cyber threats evolve constantly, and so must the defense strategies. By treating the assessment as a continuous activity, organizations can stay ahead of emerging threats and security gaps, adapt to technological advancements, and consistently refine and improve their security posture. This approach also allows for the regular updating of risk assessments and the integration of new findings and industry best practices over time.

#2 Involving the right stakeholders at the right moments

In order to have the most exhaustive OT security assessment, it is important to identify and involve the individuals who have a direct or indirect impact on OT security. This includes OT engineers, operators, network engineers, IT personnel, security teams, business and finance analysts, top management, security vendors, heads of industrial processes, and so on. In fact, assessing operational cyber risk requires many skills. Thus, their involvement at critical stages such as scoping, data collection, and implementation of recommendations ensures buy-in and effective execution of security strategies.

#3 Have an exhaustive mapping of the zones

A successful OT cybersecurity assessment hinges on thoroughly mapping all OT systems within the assessment scope. This includes detailing OT networks, devices, and their interconnections, focusing on the physical layout, data flows, and network segments. Understanding Zones (distinct areas with specific functionalities or risk levels) is crucial. This comprehensive mapping identifies potential vulnerabilities and critical interaction points within the OT infrastructure, guiding where to place critical security controls and how to mitigate risks effectively.

#4 Stay realistic with the suggestions and control implementation

It is essential to ensure that the recommendations and controls suggested during the assessment are realistic and feasible for the organization. This includes considering the operational, financial, and resource constraints. Recommendations should be practical, achievable, and aligned with the organization's objectives and capabilities. Unrealistic or overly ambitious suggestions can lead to implementation failures, leaving critical vulnerabilities unaddressed.

About Trout Software

Trout Software has developed tools to enable business and IT teams to strengthen the cybersecurity of their environments - both IT and OT - and to accelerate their certification processes (documenting security policies and collecting evidence). The company is based in France with offices in Dublin and New York, and works with customers such as Thales, Orange and Signal Iduna.
