Difference between risk assessment and auditing
Risk assessment and auditing share a common purpose: identifying potential issues and assessing their impact in order to improve an organization’s governance, risk management, and compliance (GRC) practices. However, the two differ in what they focus on and in the period of time they cover. The first difference is one of purpose. A risk assessment identifies and evaluates potential risks that could affect an organization’s operations, assets, and reputation. This includes identifying threats, vulnerabilities, and potential consequences and rating the likelihood and impact of each risk. Risk assessments are usually conducted as part of the organization’s risk management process to help it prioritize and allocate resources for mitigating or managing risks (Anthony & Manurung, 2023). Auditing, by contrast, is the process of reviewing an organization’s internal controls, policies, and procedures to verify compliance with legal, regulatory, and internal requirements. The main goal of an audit is to identify areas where the organization may be noncompliant or inefficient and to recommend improvements that reduce those risks (Pierre et al., 2018). The second key difference is focus: risk assessments concentrate on identifying potential risks, while audits evaluate the controls and processes that already exist. The third difference is orientation in time: risk assessments are forward-looking, while audits are typically backward-looking. In other words, a risk assessment addresses potential future risks, while an audit examines past or present compliance with established standards.
Two Components to Monitor and Attacks to Be Monitored in the ICS Environment
Network traffic and system logs are the two key components to monitor in an ICS environment. According to Yılmaz et al. (2018), monitoring network communications can detect anomalies such as unexpected protocols, unexpected ports, or unusually high data transfer volumes. Because ICS traffic is normally highly regular (the same hosts polling the same controllers on the same ports), such deviations stand out once a baseline of expected communications exists. Network traffic monitoring is therefore essential for detecting attacks such as data exfiltration, command and control (C2) communications, and reconnaissance activity. System log monitoring covers the logs generated by ICS devices and applications, such as failed login attempts, account modifications, and unauthorized access attempts. Monitoring these logs helps detect malware infections, privilege escalation attempts, and data theft (Choi et al., 2019).
A tool that assists in monitoring both components is a Security Information and Event Management (SIEM) system. A SIEM collects logs and network traffic data from multiple sources and applies correlation rules and analytics to identify potential incidents and alert the security team (González-Granadillo et al., 2021). In an ICS environment the collection should be passive (forwarded logs and mirrored network traffic) so that the monitoring itself places no load on the controllers. Examples of SIEM products used for this purpose include Splunk, LogRhythm, and IBM QRadar.
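The correlation rules a SIEM would apply to the two components above can be illustrated in a few dozen lines. The following is an added example written for this page, not code from any of the cited works or from a SIEM product. The syslog-style lines and the flow records are constructed for illustration, and the thresholds, the Modbus client allowlist, the control-network prefix, and the egress byte budget are assumptions that a real site would tune to its own baseline.

```python
"""SIEM-style correlation over constructed ICS log lines and flow records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed system log lines in a simplified syslog-like format:
# "<ISO timestamp> <host> <event> user=<name> src=<ip>"
SAMPLE_LOGS = """\
2024-03-01T08:00:01 hmi-01 AUTH_FAIL user=operator src=10.10.5.77
2024-03-01T08:00:04 hmi-01 AUTH_FAIL user=operator src=10.10.5.77
2024-03-01T08:00:07 hmi-01 AUTH_FAIL user=admin src=10.10.5.77
2024-03-01T08:00:09 hmi-01 AUTH_FAIL user=admin src=10.10.5.77
2024-03-01T08:00:12 hmi-01 AUTH_FAIL user=root src=10.10.5.77
2024-03-01T08:00:15 hmi-01 AUTH_OK user=admin src=10.10.5.77
2024-03-01T08:01:00 hmi-01 ACCOUNT_MODIFIED user=admin src=10.10.5.77
2024-03-01T08:30:00 eng-ws-01 AUTH_OK user=engineer src=10.10.1.20
2024-03-01T09:00:00 eng-ws-01 AUTH_FAIL user=engineer src=10.10.1.20
"""

# Constructed flow records: (timestamp, src, dst, dst_port, proto, bytes)
SAMPLE_FLOWS = [
    ("2024-03-01T08:02:00", "10.10.1.20", "10.10.2.5", 502, "tcp", 1_200),
    ("2024-03-01T08:02:10", "10.10.5.77", "10.10.2.5", 502, "tcp", 900),
    ("2024-03-01T08:05:00", "10.10.2.5", "198.51.100.9", 443, "tcp", 48_000_000),
    ("2024-03-01T08:06:00", "10.10.1.20", "10.10.2.5", 22, "tcp", 3_000),
]

# Assumed site policy (tune per site): which host may speak Modbus/TCP to the
# PLCs, which ports are expected on the control network, and how many bytes
# a control-network host may send outside that network before we alert.
MODBUS_PORT = 502
ALLOWED_MODBUS_CLIENTS = {"10.10.1.20"}        # assumed engineering workstation
EXPECTED_CONTROL_PORTS = {502, 44818, 20000}    # Modbus/TCP, EtherNet/IP, DNP3
CONTROL_NET_PREFIX = "10.10."
EGRESS_BYTES_THRESHOLD = 10_000_000
FAIL_THRESHOLD = 5
FAIL_WINDOW = timedelta(seconds=60)


def parse_log_line(line):
    """Split one constructed log line into a dict of its fields."""
    ts, host, event, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return {"ts": datetime.fromisoformat(ts), "host": host, "event": event, **fields}


def correlate_logs(text):
    """Flag brute-force bursts, a success right after a burst, and account changes."""
    alerts = []
    failures = defaultdict(list)   # (host, src) -> recent AUTH_FAIL timestamps
    burst_sources = set()
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_log_line(line)
        key = (ev["host"], ev["src"])
        if ev["event"] == "AUTH_FAIL":
            recent = [t for t in failures[key] + [ev["ts"]] if ev["ts"] - t <= FAIL_WINDOW]
            failures[key] = recent
            if len(recent) >= FAIL_THRESHOLD and key not in burst_sources:
                burst_sources.add(key)
                alerts.append(("BRUTE_FORCE", ev["host"], ev["src"]))
        elif ev["event"] == "AUTH_OK" and key in burst_sources:
            alerts.append(("SUCCESS_AFTER_BURST", ev["host"], ev["src"]))
        elif ev["event"] == "ACCOUNT_MODIFIED":
            alerts.append(("ACCOUNT_MODIFIED", ev["host"], ev["src"]))
    return alerts


def correlate_flows(flows):
    """Flag Modbus from non-allowlisted clients, unexpected ports, and large egress."""
    alerts = []
    for _ts, src, dst, dport, _proto, nbytes in flows:
        to_control_net = dst.startswith(CONTROL_NET_PREFIX)
        if dport == MODBUS_PORT and src not in ALLOWED_MODBUS_CLIENTS:
            alerts.append(("UNAUTHORIZED_MODBUS_CLIENT", src, dst))
        if to_control_net and dport not in EXPECTED_CONTROL_PORTS:
            alerts.append(("UNEXPECTED_PORT", src, f"{dst}:{dport}"))
        if not to_control_net and nbytes >= EGRESS_BYTES_THRESHOLD:
            alerts.append(("LARGE_EGRESS", src, dst))
    return alerts


if __name__ == "__main__":
    for alert in correlate_logs(SAMPLE_LOGS) + correlate_flows(SAMPLE_FLOWS):
        print(alert)
```

Run against the constructed data, the log rules raise a brute-force alert on the fifth failure from 10.10.5.77, a second alert when that same source then logs in successfully, and a third on the account modification that follows; the flow rules flag the same host speaking Modbus/TCP to a PLC, the PLC sending 48 MB to an external address, and SSH to a PLC port that the baseline does not expect. In a real deployment the allowlists come from the asset baseline and the alert tuples become SIEM events.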
Three Steps for Conducting a Security Audit of an ICS System
Conducting an Industrial Control System (ICS) security audit is a critical step in ensuring the system’s security and resilience against cyber-attacks. The Audit and Accountability (AU) control family of the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 supplies the controls such an audit is measured against, and the ICS security literature describes three key steps an organization can follow to improve its ICS security posture (Holm et al., 2015). The first step is establishing a baseline. Before auditing an ICS system, it is essential to identify its assets, system boundaries, critical functions, and operational requirements. This step involves collecting relevant data such as system architecture diagrams, network diagrams, and system documentation.
The second step is conducting a risk assessment. Once a baseline has been established, the risk assessment identifies the potential threats, vulnerabilities, and impacts that could affect the system’s security and resilience. It should consider both technical and non-technical factors, such as the organization’s policies, procedures, and training (Lykou et al., 2019). The third step is developing an audit plan. Based on the risk assessment, the audit plan sets out the audit’s scope, objectives, and methods. It also defines the criteria for evaluating the ICS system’s security and resilience and the roles and responsibilities of the audit team. The plan should be reviewed and approved by the relevant stakeholders, including senior management, the IT department, and the operations staff who run the process, since audit activities on a live ICS must not disrupt it.
ICS Tools Available for Auditing the ICS System and How to Use Each Tool to Secure the System
Various tools are available for auditing and securing an ICS (Industrial Control System). One tool that can help audit the ICS is Nmap. Nmap is a network exploration and security auditing tool (Punia & Aggarwal, 2021). It discovers hosts and services on a network and builds a network map, identifying open ports and the services behind them; with its scripting engine it can also probe for some known vulnerabilities. Scanning the ICS with Nmap helps identify exposures that attackers could exploit, and comparing the results with the asset baseline reveals hosts and services that should not be there. Two cautions apply. Active scanning can disturb or even crash fragile controllers, so scans of a live ICS should use conservative options (full TCP connect scans, slow timing, a restricted port list), be run in a maintenance window, or be run against a representative test system. Once the exposures are identified, steps can be taken to secure the system and prevent unauthorized access.
The second important auditing tool is Wireshark, a network protocol analyzer. Wireshark captures network traffic and lets one inspect, in real time or from a saved capture, the individual packets sent and received by the ICS (Dodiya & Singh, 2022). Because capture from a mirror port is passive, it is safe to use on a live control network. Analyzing the traffic with Wireshark, one can identify suspicious activity such as write commands to a controller from a host that should only be reading, which may indicate a breach; this is useful for detecting and investigating attacks on the ICS. The third auditing tool is Nessus. Nessus is a vulnerability scanner that checks ICS systems for known vulnerabilities and security weaknesses and can also perform compliance audits to confirm that the system meets industry standards and regulations (Bonandir et al., 2021). Like Nmap, Nessus scans actively, and Bonandir et al. (2021) review the impact such assessments can have on ICS availability, so the same scheduling and scope precautions apply. Scanning the ICS with Nessus identifies vulnerabilities that must be addressed so that they can be patched or otherwise mitigated.
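The Wireshark-based check described above, looking for write commands from hosts that should only be reading, comes down to decoding the Modbus/TCP header and function code that the `mbtcp` and `modbus` dissectors display. The following is an added example written for this page, not code from Wireshark or from any of the cited works. It parses raw Modbus/TCP frames (the MBAP header: transaction id, protocol id, length, unit id; then the PDU function code) and flags write requests from any host other than an assumed engineering workstation. The frames and addresses are constructed for illustration; the allowlist is an assumption a site would take from its baseline.

```python
"""Decode Modbus/TCP frames and flag write requests from unexpected sources."""
import struct

# Public function codes from the Modbus application protocol specification.
WRITE_FUNCTION_CODES = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}
READ_FUNCTION_CODES = {
    1: "Read Coils",
    2: "Read Discrete Inputs",
    3: "Read Holding Registers",
    4: "Read Input Registers",
}
ALLOWED_WRITERS = {"10.10.1.20"}  # assumed engineering workstation


def parse_modbus_tcp(frame: bytes) -> dict:
    """Parse the 7-byte MBAP header plus the PDU function code of one frame.

    Raises ValueError on anything that is not a well-formed Modbus/TCP frame:
    too short, wrong protocol identifier, or a length field that disagrees
    with the frame size (the length counts unit id plus PDU).
    """
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus")
    if length != len(frame) - 6:
        raise ValueError(f"MBAP length {length} does not match frame size")
    func = frame[7]
    return {
        "tid": tid,
        "unit": unit,
        "function": func & 0x7F,
        "exception": bool(func & 0x80),  # responses set the high bit on error
        "data": frame[8:],
    }


def build_request(tid: int, unit: int, func: int, data: bytes) -> bytes:
    """Assemble a Modbus/TCP request (used here only to construct samples)."""
    pdu = bytes([func]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed "captured" packets: (src, dst, raw Modbus/TCP frame).
SAMPLE_PACKETS = [
    # Engineering workstation reads 10 holding registers starting at 0: expected.
    ("10.10.1.20", "10.10.2.5", build_request(1, 1, 3, struct.pack(">HH", 0, 10))),
    # Engineering workstation writes register 0x0010: allowed writer.
    ("10.10.1.20", "10.10.2.5", build_request(2, 1, 6, struct.pack(">HH", 0x0010, 1))),
    # Unknown host writes two registers: should be flagged.
    ("10.10.5.77", "10.10.2.5", build_request(3, 1, 16, struct.pack(">HHB", 0, 2, 4) + b"\x00" * 4)),
    # Unknown host forces coil 7 ON (0xFF00): should be flagged.
    ("10.10.5.77", "10.10.2.5", build_request(4, 1, 5, struct.pack(">HH", 7, 0xFF00))),
    # Protocol id 1 is not Modbus: malformed, worth its own alert.
    ("10.10.5.77", "10.10.2.5", bytes.fromhex("00050001000201" + "03")),
]


def analyze(packets):
    """Return (kind, src, detail) alerts for unauthorized writes and malformed frames."""
    alerts = []
    for src, dst, frame in packets:
        try:
            req = parse_modbus_tcp(frame)
        except ValueError as exc:
            alerts.append(("MALFORMED", src, str(exc)))
            continue
        if req["function"] in WRITE_FUNCTION_CODES and src not in ALLOWED_WRITERS:
            name = WRITE_FUNCTION_CODES[req["function"]]
            alerts.append(("UNAUTHORIZED_WRITE", src, f"{name} to {dst} unit {req['unit']}"))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_PACKETS):
        print(alert)
```

The equivalent Wireshark display filter for the same question is `mbtcp && modbus.func_code in {5 6 15 16}`, after which the source addresses of the matching packets are compared with the allowlist by hand; the script does that comparison automatically and also surfaces frames the dissector would mark as malformed.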
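The Nmap step above produces its most useful audit finding when the scan results are compared with the baseline from the first audit step. The following is an added example written for this page, not code from Nmap or from any of the cited works. It parses the XML that `nmap -oX` writes and reports every host or open TCP port that the baseline does not list, as well as baseline hosts the scan did not see. The XML below is constructed to mimic `-oX` output for three hosts and is not a real scan result; the host addresses and the baseline are assumptions, and the scan options recorded in the `args` attribute (`-sT -Pn -T2` with an explicit port list) are the kind of conservative settings one would choose on a live control network.

```python
"""Compare open ports from Nmap XML output against an assumed asset baseline."""
import xml.etree.ElementTree as ET

# Constructed to resemble `nmap -oX` output; not a real scan result.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sT -Pn -T2 -p 22,80,502,44818 -oX scan.xml 10.10.2.0/28">
  <host>
    <status state="up"/>
    <address addr="10.10.2.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="502"><state state="open"/><service name="mbap"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="22"><state state="closed"/></port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="10.10.2.6" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="44818"><state state="open"/><service name="EtherNet-IP-2"/></port>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="10.10.2.9" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="502"><state state="open"/><service name="mbap"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Assumed baseline from the audit's asset inventory: host -> expected open TCP ports.
BASELINE = {
    "10.10.2.5": {502, 80},    # PLC with Modbus/TCP and a web diagnostics page
    "10.10.2.6": {44818},      # EtherNet/IP device, nothing else expected
}


def parse_open_ports(xml_text: str) -> dict:
    """Return {ipv4 address: set of open TCP ports} for every host that is up."""
    root = ET.fromstring(xml_text)
    observed = {}
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = next((a.get("addr") for a in host.findall("address")
                     if a.get("addrtype") == "ipv4"), None)
        if addr is None:
            continue
        open_ports = set()
        for port in host.iter("port"):
            state = port.find("state")
            if (port.get("protocol") == "tcp" and state is not None
                    and state.get("state") == "open"):
                open_ports.add(int(port.get("portid")))
        observed[addr] = open_ports
    return observed


def compare_to_baseline(observed: dict, baseline: dict) -> list:
    """Return (finding, host, ports) tuples for every deviation from the baseline."""
    findings = []
    for host, ports in observed.items():
        if host not in baseline:
            findings.append(("UNKNOWN_HOST", host, sorted(ports)))
            continue
        extra = ports - baseline[host]
        missing = baseline[host] - ports
        if extra:
            findings.append(("UNEXPECTED_OPEN_PORT", host, sorted(extra)))
        if missing:
            findings.append(("EXPECTED_PORT_CLOSED", host, sorted(missing)))
    for host in sorted(baseline.keys() - observed.keys()):
        findings.append(("BASELINE_HOST_NOT_SEEN", host, []))
    return findings


if __name__ == "__main__":
    for finding in compare_to_baseline(parse_open_ports(SAMPLE_NMAP_XML), BASELINE):
        print(finding)
```

On the constructed scan the check reports SSH open on the EtherNet/IP device, which the baseline does not allow, and a Modbus/TCP host at 10.10.2.9 that is absent from the asset inventory entirely; the first is a hardening finding, the second is an inventory finding to resolve before the audit continues. Unknown-host findings matter in ICS audits because undocumented devices are common and are frequently the least maintained.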
Goals And Needs for Disaster Recovery and Incident Response Plans
Disaster recovery and incident response plans are essential to any organization’s overall risk management strategy. Their primary goal is to minimize the impact of unexpected events that can disrupt business operations, damage assets, or threaten the safety of employees and customers (Tyler & Kapucu, 2021). The first specific goal and need is to minimize the downtime caused by an unexpected event. The plan should therefore include strategies for backing up and recovering critical data, systems, and applications. The second goal and need is to ensure business continuity. An incident response plan should ensure that critical business functions keep operating even during an unexpected event, which calls for identifying the key personnel, resources, and dependencies essential for continuity.
The third goal and need of disaster recovery and incident response planning is to protect assets. The plans should protect both physical and digital assets, including equipment, data, and intellectual property (Du et al., 2020). This requires measures that prevent the loss, theft, or damage of assets during an unexpected event. Lastly, the plans should enable the organization to respond quickly and effectively to an unexpected event. This requires clear communication channels and procedures for reporting incidents, assessing the situation, and activating the appropriate response team. Overall, disaster recovery and incident response plans are critical for any organization that wants to protect its assets, ensure business continuity, and respond effectively to unexpected events.
References
Anthony, M., & Manurung, E. T. (2023, January). Evaluation of internal control evaluated based on digital audit of monitoring and risk assessment activities by auditors. In Proceeding of the International Conference on Accounting and Finance (Vol. 1, pp. 174-184).
Bonandir, N. A., Jamil, N., Nawawi, M. N. A., Jidin, R., Rusli, M. E., Yan, L. K., & Maudau, L. L. A. D. (2021, March). A review of cyber security assessment (CSA) for industrial control systems (ICS) and their impact on the availability of the ICS operation. In Journal of Physics: Conference Series (Vol. 1860, No. 1, p. 012015). IOP Publishing.
Choi, J., Kim, H., Choi, S., Yun, J. H., Min, B. G., & Kim, H. (2019, July). Vendor-independent monitoring on programmable logic controller status for ICS security log management. In Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security (pp. 682-684).
Dodiya, B., & Singh, U. (2022). Malicious traffic analysis using Wireshark by collection of indicators of compromise. International Journal of Computer Applications, 183, 975-8887.
Du, L., Feng, Y., Tang, L. Y., Kang, W., & Lu, W. (2020). Networks in disaster emergency management: a systematic review. Natural Hazards, 103, 1-27.
González-Granadillo, G., González-Zarzosa, S., & Diaz, R. (2021). Security information and event management (SIEM): analysis, trends, and usage in critical infrastructures. Sensors, 21(14), 4759.
Holm, H., Karresand, M., Vidström, A., & Westring, E. (2015). A survey of industrial control system testbeds. In Secure IT Systems: 20th Nordic Conference, NordSec 2015, Stockholm, Sweden, October 19–21, 2015, Proceedings (pp. 11-26). Springer International Publishing.
Lykou, G., Anagnostopoulou, A., Stergiopoulos, G., & Gritzalis, D. (2019). Cybersecurity self-assessment tools: evaluating the importance for securing industrial control systems in critical infrastructures. In Critical Information Infrastructures Security: 13th International Conference, CRITIS 2018, Kaunas, Lithuania, September 24-26, 2018, Revised Selected Papers 13 (pp. 129-142). Springer International Publishing.
Pierre, J., Peters, B. G., & de Fine Licht, J. (2018). Is auditing the new evaluation? Can it be? Should it be?. International Journal of Public Sector Management, 31(6), 726-739.
Punia, V., & Aggarwal, G. (2021). Network forensic tool: Nmap a port scanning tool. Advance and Innovative Research, 8(1), 172.
Tyler, J., & Kapucu, N. (2021). Collaborative emergency management: Effectiveness of emergency management networks. Handbook of collaborative public management, 146-163.
Yılmaz, E. N., Ciylan, B., Gönen, S., Sindiren, E., & Karacayılmaz, G. (2018, April). Cyber security in industrial control systems: Analysis of DoS attacks against PLCs and the insider effect. In 2018 6th International Istanbul Smart Grids and Cities Congress and Fair (ICSG) (pp. 81-85). IEEE.