In line with NIS2 directives and legal obligations under recent regulatory frameworks, companies are increasingly required to conduct thorough and specialized risk assessments in industrial settings to protect critical infrastructure.

For industrial computing systems, a tailored approach to cyber risk assessment is crucial, as these environments often present unique vulnerabilities not seen in standard office systems. While a range of cyber risk assessments is available, traditional methodologies may fall short for industrial settings, which face heightened risk due to their operational complexity and sensitivity to disruptions.

The landscape of industrial automation has evolved significantly from older, proprietary, and isolated systems to today’s interconnected networks. Unlike office computing equipment, which typically follows a 5-year replacement cycle, industrial production systems often remain in operation for 10 to 20 years before being upgraded. This extended lifecycle can result in outdated security measures and increased exposure to vulnerabilities, making industrial systems particularly susceptible to cybersecurity threats.

The primary concern of an industrial environment is the necessity to maintain process and system reliability and protection. The level of securitization (effort and budget) of these systems will depend on several variables, some of which are:

  • What is the criticality of a process within the facility?
  • What will be the potential impact should a process be disrupted or not be available?
  • Do the process run in a stand-alone environment or is it interconnected in a digital network?
  • What is the level of risk posed to a process from cyber-threats (such as ransomware attacks)?
  • How well is a process protected against human error or misuse?

Most of these automation systems often fall outside the operational scope of traditional IT departments and standard security protection. As such, they tend to get lower levels of operational security attention and protection. This is one of the reasons the NIS2 European directive has set a minimum set of requirements for essential and important industrial companies. Conducting cyber risk assessment is an integral activity to identify cyber vulnerabilities, threats and determine approaches to improve cyber protection measures and defenses. This includes identifying system-specific threats and assessing vulnerabilities to ensure compliance and to mitigate potential impacts on public safety, business continuity, and data integrity.

CYRIAS is a for purpose built cyber risk assessment methodology for industrial environments. The methodology and underlying web-based tool provides the following capabilities:

  • Conducting cyber risk assessment workshops with key stakeholders (operations, maintenance, technicians) to gather risk operations details and determine worse case scenarios.
  • Performing cyber risk criticality assessments to quantify potential impact to operations, physical damage, financial loss, health & safety risks, environmental disasters and regulatory noncompliance impact.
  • Performing cyber risk security assessment based on various standards or best practices.
  • Selecting the security controls to assess will depend on the concerns and geographical locations of the end customer.
  • Provision of performance indicators to capture progress and allow for comparison quantification.
  • Reporting including details captured during cyber risk assessments.

The benefits of the above stated encompassing activities and tool capabilities provide an important awareness & training capability to improve the level of cyber security comprehension among the industrial personnel, management and corporate direction.

Contact us if you are interested in a cybersecurity risk assessment for your industrial environment. You can do so by filling in the Secudea Contact Form or by sending us an email to info@secudea.be