SANS ICS Security Summit 2023
A Cross-Sector Methodology for Ranking OT Cyber Scenarios and Critical Entities
Speaker: Danielle Jablanski, OT Cybersecurity Strategist, Nozomi Networks
Critical infrastructure cyber protection correlates 16 different sectors with no way to actually compare a standardized metric from a municipal water facility in Wyoming to a large commercial energy provider in Florida to a rural hospital in Texas to a train operator in New York. Hypothetical scenarios are quickly convoluted with technical contingencies, competing priorities, overlapping authorities, analysis gaps, and a domino effect of potential cascading real world consequences. This complex tapestry of risk is shared by a myriad of stakeholders with a mission to avoid cyber scenarios which cause physical impacts, environmental impacts, and harm or loss of life. This paper, written for the Atlantic Council, discusses the limitations in current standards for prioritization and associated methodology, focusing on operational technology (OT), and outlines a methodology for prioritizing scenarios and entities across sectors and local, state, and federal jurisdictions. This methodology has two primary use cases:
1. A way to rank relevant cyber scenarios to prioritize for a single entity, organization, facility, or site in scope, allowing any entity, organization, facility, or site to choose scenarios to exercise based on analysis beyond cyber incident severity
2. A Standardized Priority Score which can be used to compare different entities, locations, facilities, or sites within a given jurisdiction.
View upcoming Summits: www.sans.org/u/DuS