5 Steps to a Zero-Cost Industrial Security Risk Assessment
Industrial Security is the hot topic today. No one denies that the threats are out there. If you've been tasked with figuring out a viable security plan to protect the company from whatever risks it may face, it's also likely that you've been handed little to no budget to enact the plan. Yet you still face the mandate to keep production running if and when you put your plan into action.
After doing some due diligence on creating a security plan, if you're like many manufacturers, you've likely come to the conclusion that you can't afford a third-party risk assessment or the plans they hinted at laying out for you. But you know you can't afford to do nothing.
It's important at this point to realize you're not out of options. One of the options open to everyone is a zero-cost industrial security risk assessment. Though this approach isn't for everyone, it may be just what you need.
As you read on about the zero-cost industrial security risk assessment process detailed below, keep in mind that no security measures are 100% foolproof, and the best security requires that you monitor, evaluate, and improve your plans regularly.
- Determine who should help with the assessment.
It's critical to realize that you'll need the different perspectives that come from working with others who don't see your business from the same viewpoint as you. Consider a person from each type of job that works with your company's equipment and systems, along with IT, an executive, and an outsider (if you have the budget for it). Remember that you'll need to keep the entire group thinking as objectively as possible. As leader of this project, you can decide when to involve the whole group and when to limit the activities to just a few, provided you get everyone's objective input and insight from the outset.
- Determine what's most important.
This is a good brainstorming exercise for the group. To conduct this exercise, put security out of your mind and simply create a list of the most critical assets that your company must protect in order to be successful. These don't need to be the most expensive machines or the highest paid employees. Instead, they may include:
- Machinery that is commonly the critical path in production;
- A few workers with skills you can't do without for even one day;
- The business system that keeps raw materials, finished product and orders flowing; and/or
- The secret recipe at the core of making your most valued product.
Key questions to ask in this brainstorming session are:
- What's most important to maintain production?
- What assets/systems would be considered vulnerable?
- If you were paid only on your ability to keep our company producing, what would keep you up at night?
- Prioritize and list the largest risks for each asset.
The risks you identify may include non-security related items. For example, key employees may become ill, injured, or leave the company for another job. Key pieces of equipment may be more at risk from the unintended actions of poorly trained employees. Pieces of the business system may be more vulnerable to failure during power surges or outages. Security may also be listed as a valid concern. We suggest you find ways to address each of the highest priority non-security related items on your list. Before giving the list of assets that don't seem to have an associated security risk to your team of fix-it specialists, go through the list again and make sure you've considered everything. Then be sure to get the most diverse and critical input possible. Ask the group what kinds of security issues might exist for each asset on the list. Be sure to ask, "What SHOULD we be afraid of?" If the answers you're getting are even remotely plausible, then put that asset on the "security" list.
- Prioritize the security list assets.
This prioritization process should follow these four steps:
- How easy is it to access and affect the asset (you may need outside help to determine this);
- How long would the asset and/or production be unavailable if this happened;
- How likely is it that someone would want to maliciously affect this asset;
- How likely is it that someone could breach your security measures without ill intent and accidentally impact the asset.
All you need is a simple chart to record and score the issues on this list.
- Determine what current security mechanisms, actions, policies and procedures are protecting each asset.
This step is pretty straightforward and simply requires that you and the team objectively assess and determine the effectiveness of your existing security plan.
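The chart from steps 4 and 5 can be kept as a short script; this is an added example, not part of the original article. The 1-5 scale (5 = worst), the equal weighting, the asset names and their scores are assumptions, as is the choice to score a criterion the team could not rate (for instance ease of access, where outside help may be needed) at the worst value.

```python
# Added example: a scoring chart for the security-list assets (steps 4 and 5).
# Assumptions: 1-5 scale (5 = worst), equal weights, constructed sample assets.
CRITERIA = ("ease_of_access", "downtime",
            "malicious_likelihood", "accidental_likelihood")
WORST = 5

def score_asset(asset):
    """Return (total, unrated) for one chart row.

    A criterion the team could not rate (None) counts as WORST, so an asset
    never drops down the list just because nobody has assessed it yet.
    """
    total, unrated = 0, []
    for criterion in CRITERIA:
        value = asset["scores"].get(criterion)
        if value is None:
            unrated.append(criterion)
            value = WORST
        if not 1 <= value <= WORST:
            raise ValueError(f"{asset['name']}: {criterion}={value} not in 1-{WORST}")
        total += value
    return total, unrated

def build_chart(assets):
    """Rank highest total first; on a tie, fewer existing controls ranks higher."""
    rows = []
    for asset in assets:
        total, unrated = score_asset(asset)
        rows.append({"name": asset["name"], "total": total,
                     "unrated": unrated, "controls": asset.get("controls", [])})
    return sorted(rows, key=lambda r: (-r["total"], len(r["controls"]), r["name"]))

SAMPLE_ASSETS = [  # constructed data, not from the article
    {"name": "Recipe file server", "controls": ["locked server room"],
     "scores": {"ease_of_access": 2, "downtime": 2,
                "malicious_likelihood": 4, "accidental_likelihood": 2}},
    {"name": "Order and inventory system", "controls": ["nightly backup"],
     "scores": {"ease_of_access": 3, "downtime": 5,
                "malicious_likelihood": 3, "accidental_likelihood": 2}},
    {"name": "Critical-path line controller", "controls": [],
     "scores": {"ease_of_access": None, "downtime": 4,
                "malicious_likelihood": 2, "accidental_likelihood": 4}},
]

if __name__ == "__main__":
    for row in build_chart(SAMPLE_ASSETS):
        flag = f"  (get outside help: {', '.join(row['unrated'])})" if row["unrated"] else ""
        print(f"{row['total']:>2}  {row['name']:<30} controls={len(row['controls'])}{flag}")
```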
Putting It Into Action
Once you've completed these 5 steps, you'll have everything you need to create a practical, affordable and effective security plan. You'll have a reasonable list of assets that need protection, and a prioritized list of potential security vulnerabilities for each.
In addition, you'll have a list of non-security issues that you can use to justify the value and priority of your security needs. Since you've involved others from different roles, you've got a chance to put something in place that everyone can live with. And if you've involved executive management from the start, you've paved the way for management support and, hopefully, budget for the actions you'll need to take.
Your next steps are to determine how many of the high priority assets you've identified need to be protected and how to protect them. If this list is long and you're not sure how to get it all done, plan on a phased approach and secure the first or most vulnerable set of assets on your list in phase one.
Finally, if you're not sure how to put the most effective protection in place, give Belden a call. We offer a broad array of physical and cybersecurity products designed for the industrial world, as well as expertise from our Tofino Security group, which makes it their business to share practical security advice.

