There are a number of cybersecurity frameworks in use today, notably the NIST Cybersecurity Framework (CSF), OCTIVE, ISA99/IEC62443 and others. Our experience suggests that the way most organization perform framework-based assessments is inconsistent and generally they server as a point-in-time evaluation of risk. This talk looks at the mechanics of performing risk assessments in an Industrial Control environment with the objectives of: -- analytical consistency and reproducibility -- assessing risk across dissimilar plants and processes, and -- developing the ability to track risk improvements over time Additionally, we will discuss success factors in establishing a recurring Risk Assessment Methodology that supports both Operations Management and the C-Level with current information and allows what-if analysis to support decision making.
Presentation Objectives The objectives are:
- Provide and understand of what “risk” really means and how to think of risk over time.
- Using a Quantified risk approach vs a Quantitative Risk Assessment
- Using a Risk Framework and scoring approaches
- Why this works!
