Refining Posture Scoring with Impact Analysis: An In-depth Guide

21 Jul 2022

By Ben Reich, Chief Architect, OTORIO

In my previous post, I explained how vulnerabilities are scored using NIST's Common Vulnerability Scoring System (CVSS). The main benefit of using CVSS for this is that the practitioner can standardize all vulnerabilities in the system, regardless of whether they are mined from external databases or defined within the organization.

Security posture assessment, however, involves more than just analyzing vulnerabilities since these need to be placed in context. This is because a vulnerability affecting a critical OT asset should contribute more to overall risk than the same vulnerability residing on a non-critical IT asset.

Impact analysis enables us to place vulnerabilities in context. Once an asset inventory is collected, it is essential to analyze each asset's impact on the business. This enables prioritizing mitigations, thereby addressing the assets that are the most critical to the organization, and is a key step towards end-to-end OT digital security. In this post, we will review the major concepts of impact analysis.

According to NIST documents currently in draft status (NIST IR 8286D), the process of determining which assets enable the achievement of mission objectives, and of evaluating the factors that render assets critical and sensitive, is an extension of the standard business impact analysis (BIA) processes traditionally used in the domain of business continuity.

The proposed standard stresses the importance of maintaining a BIA registry in which every asset is listed together with the relevant impact data that determines the asset's impact. This registry will serve as a centralized knowledge management hub of the technology and data used to support the enterprise mission.


Breaking down impact analysis

In order to determine and quantify the business impact of an asset, the practitioner must consider what impact losing the asset would have on various business parameters. Examples of such parameters include measures of business continuity, safety, reliability, production, etc.

However, these parameters are not all equally important. In most organizations, safety is weighted above other factors. Analyzing the relative importance of impact parameters should be embedded into the assessment to improve overall risk calculation.  

In order to calculate overall asset impact, the impact of losing the asset on each business parameter is multiplied by the relative importance the business places on that parameter. The maximum of these weighted values represents a quantified value for the business impact of losing the asset.

The following table shows a simple calculation of an asset's business impact:

Parameter                                             | Business continuity | Safety | Reliability | Product Quality
Importance of the parameter on the business           | 0.9                 | 0.9    | 0.5         | 0.7
Impact of losing the asset or of it being compromised | 0.7                 | 0.3    | 0.9         | 1
Impact Score                                          | 0.63                | 0.27   | 0.45        | 0.7

The impact score for each parameter is the product of the importance of that parameter to the business and the impact of losing or compromising the asset. The overall impact for this asset is the maximum of these values, 0.7, which comes from the product quality parameter. This constitutes the overall impact score of losing the asset.

Calculating Business Vulnerability and Posture

Business vulnerability is calculated as the product* of an individual asset's vulnerability score and the impact of that asset, as calculated above. In practical terms, asset importance should be viewed as the potential consequences of the asset being compromised. The complement of business vulnerability is a good measure of security posture. This means that if an asset has a business vulnerability of 0.3, its posture score is 1.0 - 0.3 = 0.7.

Business vulnerability is a factor when calculating risk. It includes all the risk factors that are driven by characteristics of the environment of the assets that make up the organization's network. Another factor of risk (to be discussed in my next posts) includes all the parameters that make up external threats.

This separation between threat and posture is a key best practice for risk calculation. It enables practitioners to construct a measure of risk that is explainable and easy to understand. 


Asset Sensitivity

As discussed in the previous blog post, vulnerabilities are defined in terms of confidentiality, data integrity and asset availability. The calculation of business vulnerability must take these factors into account.  

Let's examine an asset sensitivity example to better understand this.

OT assets are usually less sensitive to attacks involving confidentiality than they are to those involving availability (e.g. denial of service a/k/a DoS). This means that vulnerabilities involving confidentiality should have less impact on business vulnerability than those involving availability. 

This is done by assigning confidentiality, integrity, and availability sensitivity values to the different asset types in the network. These values are used to regulate the final result according to the type of vulnerability. Thus, business vulnerability is the product of three values:

  1. Vulnerability
  2. Impact
  3. Sensitivity of the asset to the type of vulnerability.

Practitioners who manually calculate these values should devise a quantitative or qualitative method of taking these factors into account, depending on the type of report that they produce.
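The following is an added example, not code from the original post or from OTORIO, that carries the calculation from the table above through to business vulnerability and posture. It takes the importance row and the loss-impact row of the table as given, computes the overall impact as the maximum weighted value, then multiplies the asset's vulnerability score by that impact and by the asset's sensitivity to the vulnerability's type (confidentiality, integrity or availability), and finally reports posture as the complement. The asset name, the C/I/A sensitivity values, the two vulnerabilities and the choice to keep the worst case when an asset has several vulnerabilities are all assumptions of this example, not values from the post.

```python
from dataclasses import dataclass, field

# Relative importance the business assigns to each impact parameter: the
# "importance" row of the table in this post.
IMPORTANCE = {
    "business_continuity": 0.9,
    "safety": 0.9,
    "reliability": 0.5,
    "product_quality": 0.7,
}


@dataclass
class Vulnerability:
    """A vulnerability normalised to [0, 1] (for example, CVSS base score / 10)
    and the property it primarily affects: 'C', 'I' or 'A'."""
    name: str
    score: float
    affects: str


@dataclass
class Asset:
    name: str
    # Impact of losing or compromising the asset, per business parameter (0..1).
    loss_impact: dict
    # Sensitivity of this asset type to C/I/A vulnerabilities (0..1).
    sensitivity: dict
    vulnerabilities: list = field(default_factory=list)


def impact_score(asset, importance=IMPORTANCE):
    """Weighted impact per parameter (importance * loss impact) and the overall
    impact, which the post defines as the maximum of the weighted values."""
    weighted = {p: importance[p] * asset.loss_impact.get(p, 0.0) for p in importance}
    return max(weighted.values()), weighted


def business_vulnerability(asset, importance=IMPORTANCE):
    """Business vulnerability = vulnerability * impact * sensitivity of the
    asset to the vulnerability's type. How several vulnerabilities on one asset
    are combined is not specified in the post; this example (an assumption)
    keeps the worst case."""
    overall_impact, _ = impact_score(asset, importance)
    if not asset.vulnerabilities:
        return 0.0
    return max(
        v.score * overall_impact * asset.sensitivity[v.affects]
        for v in asset.vulnerabilities
    )


def posture_score(asset, importance=IMPORTANCE):
    """Posture is the complement of business vulnerability."""
    return 1.0 - business_vulnerability(asset, importance)


# Constructed sample: the asset from the post's table, modelled as an OT device
# that is far more sensitive to availability than to confidentiality.
SAMPLE_ASSET = Asset(
    name="filler-plc-01",
    loss_impact={
        "business_continuity": 0.7,
        "safety": 0.3,
        "reliability": 0.9,
        "product_quality": 1.0,
    },
    sensitivity={"C": 0.3, "I": 0.8, "A": 1.0},
    vulnerabilities=[
        Vulnerability("info-disclosure (constructed)", 0.5, "C"),
        Vulnerability("remote DoS (constructed)", 0.75, "A"),
    ],
)

if __name__ == "__main__":
    overall, per_param = impact_score(SAMPLE_ASSET)
    for param, value in per_param.items():
        print(f"{param:20s} impact score {value:.2f}")
    print(f"overall impact         {overall:.2f}")
    print(f"business vulnerability {business_vulnerability(SAMPLE_ASSET):.3f}")
    print(f"posture                {posture_score(SAMPLE_ASSET):.3f}")
```

With these inputs the per-parameter scores reproduce the table (0.63, 0.27, 0.45, 0.7), and the availability vulnerability dominates: 0.75 x 0.7 x 1.0 = 0.525, against 0.5 x 0.7 x 0.3 = 0.105 for the confidentiality one, so posture comes out at 0.475. The same asset with only the confidentiality vulnerability would have a posture of 0.895, which is the effect the sensitivity factor is meant to produce.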

Automated Impact Calculations

Another way of calculating the business impact of assets is through an automated heuristic algorithm that looks at the following data to determine the relative impact:

  • Type of asset
  • Traffic volume passing through the asset
  • The asset's level in the Purdue Model, which indicates its importance by its degree of enterprise integration
  • The protocols the asset uses
  • The centrality** of the asset in the network
  • The business process the asset serves, and the impact of that process itself

This type of automated calculation takes away much of the manual labor involved in the process described in this post. However, practitioners need to be able to override such an automated calculation in order to accommodate organization-specific knowledge. 
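The following is an added example, not OTORIO's algorithm or code from the original post, of what such a heuristic can look like and of the override the paragraph above calls for. It scores each asset from the six inputs listed above (asset type, traffic volume, Purdue level, protocols, network centrality and business process) as a weighted sum, where centrality is computed as the fraction of other assets an asset exchanges traffic with, following the definition in the footnote. The inventory, the flows, the process impacts, and every weight table are constructed assumptions for this example; a real deployment would tune them to its own environment.

```python
from collections import defaultdict

# Heuristic weights. These are assumptions chosen for this example, not the
# values used by any product; an organisation would tune them to its own site.
TYPE_WEIGHT = {"plc": 1.0, "hmi": 0.8, "historian": 0.6, "it_server": 0.4}
# Purdue levels 0-2 are the process and control zone; higher levels sit closer to IT.
PURDUE_WEIGHT = {0: 1.0, 1: 1.0, 2: 0.8, 3: 0.6, 4: 0.3, 5: 0.2}
PROTOCOL_WEIGHT = {"modbus": 1.0, "s7comm": 1.0, "opcua": 0.8, "smb": 0.5, "https": 0.3}
# Relative weight of each input in the final score (sums to 1.0).
FACTOR_WEIGHTS = {
    "type": 0.25, "purdue": 0.20, "traffic": 0.15,
    "protocol": 0.10, "centrality": 0.15, "process": 0.15,
}

# Constructed inventory: four assets on a small bottling line (not real data).
ASSETS = {
    "plc-01":  {"type": "plc", "purdue": 1, "protocols": ["modbus"],
                "traffic_mb": 50, "process": "bottling_line"},
    "hmi-01":  {"type": "hmi", "purdue": 2, "protocols": ["modbus", "https"],
                "traffic_mb": 200, "process": "bottling_line"},
    "hist-01": {"type": "historian", "purdue": 3, "protocols": ["opcua", "https"],
                "traffic_mb": 800, "process": "reporting"},
    "erp-01":  {"type": "it_server", "purdue": 4, "protocols": ["https", "smb"],
                "traffic_mb": 400, "process": "reporting"},
}
# Impact of each business process, as assessed by the business (constructed).
PROCESS_IMPACT = {"bottling_line": 0.9, "reporting": 0.3}
# Observed communication pairs (constructed), used for centrality.
FLOWS = [("hmi-01", "plc-01"), ("hist-01", "plc-01"),
         ("hist-01", "hmi-01"), ("erp-01", "hist-01")]


def degree_centrality(assets, flows):
    """Centrality as the fraction of the other assets this one talks to."""
    peers = defaultdict(set)
    for src, dst in flows:
        peers[src].add(dst)
        peers[dst].add(src)
    denom = max(len(assets) - 1, 1)
    return {name: len(peers[name]) / denom for name in assets}


def heuristic_impact(assets, flows, process_impact, overrides=None):
    """Weighted-sum heuristic over the six inputs, each normalised to [0, 1].
    Entries in `overrides` replace the heuristic result for that asset, so that
    organisation-specific knowledge wins on the assets that matter."""
    centrality = degree_centrality(assets, flows)
    max_traffic = max(a["traffic_mb"] for a in assets.values()) or 1
    scores = {}
    for name, a in assets.items():
        factors = {
            "type": TYPE_WEIGHT[a["type"]],
            "purdue": PURDUE_WEIGHT[a["purdue"]],
            "traffic": a["traffic_mb"] / max_traffic,
            # An asset speaking any control protocol is treated as a control asset.
            "protocol": max(PROTOCOL_WEIGHT[p] for p in a["protocols"]),
            "centrality": centrality[name],
            "process": process_impact[a["process"]],
        }
        scores[name] = sum(FACTOR_WEIGHTS[f] * v for f, v in factors.items())
    for name, value in (overrides or {}).items():
        scores[name] = value
    return scores


def rank_assets(scores):
    """Asset names ordered from highest to lowest impact, for mitigation priority."""
    return sorted(scores, key=scores.get, reverse=True)


if __name__ == "__main__":
    automatic = heuristic_impact(ASSETS, FLOWS, PROCESS_IMPACT)
    for name in rank_assets(automatic):
        print(f"{name:8s} {automatic[name]:.3f}")
    # A practitioner who knows the historian feeds a regulatory record overrides it.
    reviewed = heuristic_impact(ASSETS, FLOWS, PROCESS_IMPACT, overrides={"hist-01": 0.95})
    print("after override:", rank_assets(reviewed))
```

On this inventory the heuristic ranks the PLC first (about 0.79), then the HMI (0.73), the historian (0.70) and the ERP server (0.38), which matches the intuition that control-zone assets on a high-impact process come first. The historian's raw traffic volume and centrality are the highest, yet they do not carry it to the top; the override in the usage block shows how a practitioner promotes it when organisation-specific knowledge says it deserves to be there.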

Bottom Line

Impact is an important factor when quantifying business vulnerability, which is the complement of [security] posture. Practitioners should develop a method of quantifying posture that takes the different business parameters into account. 

A process for building a systematic approach to quantifying business impact includes the following steps:

  • Determine the business parameters that will be affected by the loss of assets.
  • Assign relative importance to the different business parameters.
  • Determine asset sensitivity to confidentiality, integrity, and availability.
  • Devise a consistent way to calculate business vulnerability from asset vulnerability and impact that takes sensitivity and importance into account.
  • Factor business vulnerability into the calculation of risk.
  • If using a system to automate impact calculation, make sure to understand it and be able to override it on critical assets.

Asset impact is crucial in ensuring that posture reinforcement is addressed with the correct prioritization. It steers the mitigation process toward the most vulnerable and most critical assets of the organization.


__________

*Product is used here for the sake of simplicity. The actual calculation takes asset sensitivity into account when the product is calculated. 

**The centrality of an asset is a measure of its importance based on its network position, the number of nodes it communicates with, and what protocols it uses.