Highlights from the Radiflow-CyberProof Joint Webinar: “Understanding and Managing OT Security Risk”

By Rani Kehat, CISO, Radiflow

November 14, 2021

Radiflow’s recent joint webinar with CyberProof, a global security service provider trusted by some of the world’s largest enterprises, covered various aspects of applying business-driven risk assessment and management as a tool for the ongoing improvement and optimization of OT security systems. The presenters were Rani Kehat, CISO, Radiflow, and Jaimon Thomas, Head of Solutions & Architecture, CyberProof. Ben Chant, Cyber Security Evangelist at CyberProof, moderated the webinar.

You can watch a recording of the webinar here. Following are a few takeaways from the webinar.

Vulnerabilities and risk

Vulnerabilities are usually associated with risk, and rightly so: a vulnerability raises the risk level of a system because it makes it easier for an attacker to turn a threat into an actual compromise.

However, this association can create the impression that where there are no vulnerabilities there is no risk, which is not the case. Attackers don’t always need a vulnerability. As an analogy, a lock made of plastic has a vulnerability in its material, since plastic is weaker than metal; but the risk does not disappear when the lock is made of metal, because no lock is break-proof, only harder or easier to break.

By the same token, knowing and mapping every vulnerability in the SuC (System under Consideration), which is extremely important to do regardless, does not equate to knowing all the risks in the network or how different attack scenarios will eventually play out: an attacker can chain misconfigurations, legitimate credentials and permitted protocol features without touching a single known vulnerability.

The importance of the IEC 62443 standard being business-driven and Zone-based

IEC 62443 is a family of standards for securing industrial automation and control systems and the OT networks that run them. One of its most prominent features is that it is business-driven, which is manifested in its use of Zones: groupings of assets (devices, systems and the production processes they serve) that share the same security requirements. Naturally, the critical Zones, those where an attack would have the greatest impact, are assigned a higher target security level (SL-T, on a scale of 1 to 4), which means they require the most security controls (mitigation measures).

The idea behind business-driven security is that you don’t want to invest in an OT security control beyond the damage it is intended to mitigate, unless regulation requires you to harden certain industrial activities (e.g. those with a high environmental impact). So once the maximum tolerable impact for a Zone has been established, quantified and monetized, a decision can be made as to how much to invest in protecting that Zone. In addition, Conduits, the communication paths between Zones as defined in IEC 62443, are treated as a key risk indicator (KRI), because a Conduit joining a low-SL-T Zone to a high-SL-T Zone is exactly the path an attacker would use to move laterally from the weaker Zone into the critical one.

Dividing the SuC into Zones with the same security requirements also helps MSSPs conduct continuous risk monitoring, since the Zones remain constant and every new device is installed into a defined Zone, inheriting that Zone’s requirements. In addition, framing each Zone’s security needs in terms of its impact on the business makes it much easier to explain to the user what they need, and where to invest and where not to.
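The Zone, Conduit and SL-T reasoning above, as an added illustration (this is example code written for this page, not Radiflow’s product code or anything from the IEC 62443 text). The zone names, asset lists, monetized impact figures and the impact-to-SL-T thresholds are all constructed assumptions; the budgeting rule in `investment_ceiling` is an assumed simplification of the “don’t invest beyond the damage” principle.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Zone:
    name: str
    assets: tuple                 # devices grouped by the production process they serve
    max_tolerable_impact: float   # monetised worst-case loss for this zone (constructed figures)


@dataclass(frozen=True)
class Conduit:
    src: str
    dst: str
    protocols: tuple


# Hypothetical impact-to-SL-T mapping. IEC 62443 leaves the actual rule to the site's
# risk assessment; the thresholds here are assumptions chosen for the example.
SLT_THRESHOLDS = ((5_000_000, 4), (1_000_000, 3), (100_000, 2), (0, 1))


def target_security_level(zone):
    """Map a zone's monetised maximum tolerable impact to an SL-T on the 1-4 scale."""
    for threshold, slt in SLT_THRESHOLDS:
        if zone.max_tolerable_impact >= threshold:
            return slt
    return 1


def conduit_kris(zones, conduits):
    """Flag every conduit that joins zones of different SL-T, largest gap first.

    A conduit from a weaker zone into a stronger one is the lateral-movement path an
    attacker would use, so the SL-T gap across it is the key risk indicator (KRI).
    """
    slt = {z.name: target_security_level(z) for z in zones}
    flagged = [(c, abs(slt[c.src] - slt[c.dst])) for c in conduits]
    flagged = [(c, gap) for c, gap in flagged if gap > 0]
    return sorted(flagged, key=lambda item: -item[1])


def investment_ceiling(zone, annual_likelihood):
    """Assumed budgeting rule: never spend more on a zone's controls than the loss they avert.

    Impact times annual likelihood is the expected annual loss for the zone; treating it as
    the spending ceiling is a simplification of the 'don't invest beyond the damage' idea.
    """
    return zone.max_tolerable_impact * annual_likelihood


# Constructed SuC: four zones and the conduits the IDS found between them.
ZONES = (
    Zone("SAFETY", ("SIS-1", "SIS-2"), 8_000_000),
    Zone("PROCESS", ("PLC-1", "PLC-2", "PLC-3"), 600_000),
    Zone("HMI", ("HMI-1", "ENG-WS"), 400_000),
    Zone("ENTERPRISE", ("ERP", "HISTORIAN-MIRROR"), 50_000),
)
CONDUITS = (
    Conduit("ENTERPRISE", "PROCESS", ("opc-ua",)),
    Conduit("HMI", "PROCESS", ("modbus/tcp", "s7comm")),
    Conduit("PROCESS", "SAFETY", ("modbus/tcp",)),
)


if __name__ == "__main__":
    for z in ZONES:
        print(f"{z.name:<10} SL-T {target_security_level(z)}  impact {z.max_tolerable_impact:>12,.0f}")
    for c, gap in conduit_kris(ZONES, CONDUITS):
        print(f"KRI: {c.src} -> {c.dst} crosses an SL-T gap of {gap} over {', '.join(c.protocols)}")
```

Two things the run makes visible that the prose only states: the HMI-to-PROCESS conduit is not flagged at all because both Zones land on the same SL-T, while PROCESS-to-SAFETY is the top KRI even though SAFETY has no direct exposure to the enterprise network, since that conduit spans the widest SL-T gap.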

Calculating attack success likelihood by combining statistical and simulation data

If we use only a stochastic mathematical process, we can obtain information on events and probabilities for which there is little historical data, but the output of such a process may be so broad and varied that nothing of practical use comes of it.

Using breach and attack simulation (BAS) as the initial data point for the attack success rate narrows the findings down to a level that is practical for threat mitigation and for prioritizing security investment.

A better analysis method, which Radiflow employs, combines simulation results with statistical data. To run breach and attack simulations (BAS), Radiflow uses an accurate digital image of the SuC produced by its IDS (Intrusion Detection System) solution, based on analysis of a representative amount of network traffic captured over a period of time. The digital image includes the network topology, device properties and inter-connections, external connections, ports, protocols, etc. Running the simulations against the digital image avoids the inherent risk of running them on the production network itself, where even benign probing can disrupt sensitive industrial devices.

Next, business-unit information is defined from the user’s input on impact and production processes, describing how device groups relate to the actual production processes. The Radiflow system converts this into Zones and Conduits, which are automatically assigned a target security level based on their function and criticality (the assignment can be fine-tuned by the user).

Attack simulations on the digital image can be run for a very large number of iterations, which yields the expected outcomes of many different scenarios. Only then is statistical analysis applied, producing a likelihood distribution (low, medium or high probability) that accounts for the actual characteristics of the SuC, including device-specific vulnerabilities, the SuC’s region and sector, and the mitigation controls already installed on the network.
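A minimal version of the simulate-then-bucket procedure described in this section, as an added example (written for this page; it is not Radiflow’s simulation engine and does not use any Radiflow API). The digital image is a constructed dictionary of Zones and Conduits; the per-conduit base success rates, control effectiveness values, per-zone vulnerability counts, the 25% uplift per exploitable vulnerability, the attacker’s round budget and the low/medium/high band thresholds are all assumptions. The block runs a Monte Carlo breach simulation over that image and then reduces the raw success rate to the banded likelihood.

```python
import random
from collections import Counter

# Constructed digital image of the SuC (not a Radiflow export). Per conduit: the base probability
# that an attacker holding the source zone crosses it in one attempt, and the effectiveness of the
# control already deployed on it. Per zone: the number of exploitable device vulnerabilities known.
# All numbers are assumptions chosen for the example.
DIGITAL_IMAGE = {
    "zones": {
        "ENTERPRISE": {"exploitable_vulns": 0},
        "DMZ": {"exploitable_vulns": 1},
        "SCADA": {"exploitable_vulns": 2},
        "SAFETY": {"exploitable_vulns": 0},
    },
    "conduits": [
        # (src, dst, base_success, control_effectiveness)
        ("ENTERPRISE", "DMZ", 0.6, 0.5),
        ("DMZ", "SCADA", 0.5, 0.3),
        ("SCADA", "SAFETY", 0.4, 0.8),
        ("ENTERPRISE", "SCADA", 0.2, 0.0),   # undocumented direct link the IDS found in the traffic
    ],
}

# Assumed bands for turning a raw success rate into the low/medium/high output.
LIKELIHOOD_BANDS = ((0.05, "low"), (0.25, "medium"), (1.0, "high"))


def crossing_probability(image, dst, base, control):
    """Residual chance of crossing a conduit: base rate, cut by the control, +25% per exploitable vuln in dst."""
    vulns = image["zones"][dst]["exploitable_vulns"]
    return min(1.0, base * (1.0 - control) * (1.0 + 0.25 * vulns))


def simulate_once(image, entry, target, rng, max_rounds=5):
    """One attacker run: each round, try every conduit leading out of the zones already held.

    Returns (reached, rounds_used). The round budget models an attacker with finite dwell time.
    """
    held = {entry}
    for rnd in range(1, max_rounds + 1):
        gained = set()
        for src, dst, base, control in image["conduits"]:
            if src in held and dst not in held:
                if rng.random() < crossing_probability(image, dst, base, control):
                    gained.add(dst)
        held |= gained
        if target in held:
            return True, rnd
    return False, max_rounds


def estimate_likelihood(image, entry, target, iterations=20_000, seed=1):
    """Monte Carlo over the digital image: fraction of runs in which the target zone falls,
    plus a histogram of how many rounds the successful runs needed."""
    rng = random.Random(seed)
    hits, rounds_to_target = 0, Counter()
    for _ in range(iterations):
        reached, rounds = simulate_once(image, entry, target, rng)
        if reached:
            hits += 1
            rounds_to_target[rounds] += 1
    return hits / iterations, rounds_to_target


def band(probability):
    """Statistical step: collapse the raw rate into the low/medium/high likelihood the report uses."""
    for ceiling, label in LIKELIHOOD_BANDS:
        if probability <= ceiling:
            return label
    return "high"


if __name__ == "__main__":
    p, depth = estimate_likelihood(DIGITAL_IMAGE, "ENTERPRISE", "SAFETY")
    print(f"P(SAFETY compromised from ENTERPRISE) = {p:.3f} -> {band(p)}; rounds to target: {dict(depth)}")
```

The useful exercise is to edit the image rather than the code: raising the control effectiveness on the SCADA-to-SAFETY conduit, or deleting the undocumented ENTERPRISE-to-SCADA link, and re-running shows how much each candidate mitigation moves the banded likelihood, which is the comparison that drives the investment decision discussed above. Real statistical data (sector and regional incident rates) would enter as priors on the base rates; here they are fixed constants.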

If you’ve found this article interesting, please visit and follow Radiflow on LinkedIn, where you’ll find a wealth of exclusive content.