2018 ICS Cyber Security Conference

There are a number of cybersecurity frameworks in use today, notably the NIST Cybersecurity Framework (CSF), OCTIVE, ISA99/IEC62443 and others. Our experience suggests that the way most organization perform framework-based assessments is inconsistent and generally they server as a point-in-time evaluation of risk. This talk looks at the mechanics of performing risk assessments in an Industrial Control environment with the objectives of: -- analytical consistency and reproducibility -- assessing risk across dissimilar plants and processes, and -- developing the ability to track risk improvements over time Additionally, we will discuss success factors in establishing a recurring Risk Assessment Methodology that supports both Operations Management and the C-Level with current information and allows what-if analysis to support decision making.
 
Presentation Objectives
 
The objectives are:

• Provide and understand of what “risk” really means and how to think of risk over time.
• Using a Quantified risk approach vs a Quantitative Risk Assessment
• Using a Risk Framework and scoring approaches
• Why this works!