*Issues on Risk Analysis for Critical Infrastructure Protection*

*Analyzing the Cyber Risk in Critical Infrastructures DOI: http://dx.doi.org/10.5772/intechopen.94917*

**3.3 Assessment of the cyber risk across organizations**

exist, e.g. [31, 32]. Although these security control frameworks are often sector specific, they can be mapped on common structures or frameworks, see e.g. ENISA and NIST [25, 33].

One of the important factors to cover in a RA of CI/CII is the risk of ICT/OT as a vulnerability that may cause disruptions of CI/CII. This may involve the risk of technical failure or human mistakes, but also the cyber risk of malicious attacks. Given the criticality for states, even hybrid conflicts affecting CIs and CIIs are envisioned, see e.g. [34, 35]. An early example is the Crimea conflict. On December 23, 2015, Ukrainian power companies experienced unscheduled power outages impacting many customers in Ukraine. In addition, there have also been reports of malware found in Ukrainian companies in a variety of their CI sectors [36].

Section 4 below specifically focusses on the cyber risk factors related to OT.

A RA for a specific CI sector is feasible, as was shown by the EUropean Risk Assessment and COntingency planning Methodologies for interconnected energy networks (EURACOM) project [37]. This approach extended the EUropean Risk Assessment Methodology (EURAM) [38] with contingency planning. In particular, chapter 4 of the EURACOM report discusses the cyber threats to the energy CI sector. The methodology is based on a common and holistic approach (end-to-end energy supply chain) for RA, RM and contingency planning across the power, gas, and oil CI subsectors.

The seven steps of the EURAM RA methodology are shown in **Figure 3**. The methodology scales from the department level to the operator level, to the CI or CII sector, and to the national level. Moreover, the methodology may embed the results of other RA methodologies. Risk which cannot be dealt with at a certain level may be input to the next higher level of abstraction. For example, the risk implications of a pandemic or a state actor cyber-attack on a nation cannot be managed alone by a CI operator and must be off-loaded to and managed at the national or even supranational level.

**Figure 3.**

*The EUropean Risk Assessment Methodology (EURAM) approach (source: [38]).*

**3.4 Challenges to assess ICT/OT risk across organizations**

Although methods and approaches exist to perform RA across organizations (e.g. a CI/CII sector or a service chain), some practical challenges exist:

• *The risk attached to ICT and OT elements across CI/CII-chains.* Certain CI/CII services are composed of a set of (chained) ICT and OT elements provided and operated by multiple operators. The criticality of certain elements to a CI or CII may be unknown to its operator; therefore, its protection has less priority than required from the national CI protection (CIP) or NIS point of view. It is a challenge to identify such critical elements and to assess the risk attached across the chain. In support of this type of assessment, new methods have been proposed, e.g. the RA method suggested by the Dutch cyber security council, which requires the collaboration of all organizations in a supply chain to collectively assess the risk and define the appropriate security controls [39].

• *Identifying the risk related to critical elements in various CI/CII:* Some ICT and OT products are widely used across many CI and CII sectors and other organizations. The cyber risk attached to a systemic failure or vulnerability of such a product may be large, e.g. a vulnerability in Microsoft Windows systems or in commonly used OT systems. Such a vulnerability may lead to a high level of risk at the national or even the international level. This risk is difficult to assess since it requires a detailed and well-maintained asset inventory of systems and applications used by each CI/CII operator.

• *The international nature of part of the CII:* Assessing the risk and taking mitigating measures for CIIP might be troublesome when the CII ownership, operations and/or (operational) jurisdiction are beyond one's national border. Conflicting interests, legal requirements and procedures may occur. For example, a cloud server operator having its operations in state B should report a cyber security breach to the national authority in that state. However, state A may have regulation requiring each CII operator to report security breaches to its authority within 24 hours. When a CI operator in state A uses such a cloud service, the cloud service could have been designated as CII, thereby imposing regulation on the cloud operator in state B. Such cross-border CII issues arise with the diverse national implementations of the EU NIS directive [40] and other CII-related laws. The new EU security strategy intends to address these issues [35].

These challenges lead to the necessity to perform RM not only at the company level but also across the service chain, and at the sector and national levels.

**4. Assessing the OT risk**

**4.1 OT threats and vulnerabilities**

To identify the main threats and vulnerabilities for the OT environment, a structured approach will be used in distinguishing multiple layers. Threats to OT may occur at multiple layers as defined by [41]:

• The governance layer.
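Returning to the cross-organization points of Sections 3.3 and 3.4, the following Python script is an added illustration, not code from the chapter or from the EURAM/EURACOM projects. It shows two of those points in working form: merging per-operator asset inventories to find products that several sectors depend on at once (the "critical elements" that no single operator can see from its own inventory), and the EURAM-style hand-off of a risk that one level cannot absorb to the next level up. The operator names, products, criticality ratings, the scoring rule and the per-level tolerances are all constructed sample data, not values from the chapter.

```python
"""Added illustration (not code from the chapter, EURAM or EURACOM): a cross-
organization exposure check over per-operator asset inventories, plus the
"escalate what a level cannot absorb" rule described for the EURAM ladder.
All operators, products, ratings, scoring and tolerances below are constructed."""
from dataclasses import dataclass

# Abstraction levels in the order the chapter lists them, lowest first.
LEVELS = ("department", "operator", "sector", "national", "supranational")


@dataclass(frozen=True)
class Asset:
    operator: str      # hypothetical CI/CII operator
    sector: str        # CI/CII sector the operator belongs to
    product: str       # product family the asset is built on
    version: str
    criticality: int   # the operator's own 1..5 rating of the asset


# Constructed inventories of four hypothetical operators in three sectors.
INVENTORY = [
    Asset("PowerCo", "energy", "ACME-RTU", "3.1", 5),
    Asset("PowerCo", "energy", "WinServer", "2016", 3),
    Asset("PowerCo", "energy", "GridSCADA", "7.2", 4),
    Asset("GasNet", "energy", "ACME-RTU", "2.9", 4),
    Asset("GasNet", "energy", "GridSCADA", "7.0", 3),
    Asset("WaterWorks", "water", "ACME-RTU", "3.1", 5),
    Asset("WaterWorks", "water", "WinServer", "2019", 2),
    Asset("WaterWorks", "water", "PumpCtl", "1.4", 4),
    Asset("CloudHost", "digital", "WinServer", "2019", 4),
]

# Constructed tolerances: the largest risk score each level can manage on its own.
# The top level has no entry and therefore absorbs whatever is left.
TOLERANCE = {"department": 2, "operator": 4, "sector": 6, "national": 9}


def exposure_by_product(inventory):
    """Merge the inventories: per product, who depends on it and how critically."""
    exposure = {}
    for asset in inventory:
        entry = exposure.setdefault(
            asset.product, {"operators": set(), "sectors": set(), "max_criticality": 0}
        )
        entry["operators"].add(asset.operator)
        entry["sectors"].add(asset.sector)
        entry["max_criticality"] = max(entry["max_criticality"], asset.criticality)
    return exposure


def management_level(entry):
    """Lowest level whose scope covers every organization exposed to the product."""
    if len(entry["sectors"]) > 1:
        return "national"
    if len(entry["operators"]) > 1:
        return "sector"
    return "operator"


def systemic_products(inventory, min_sectors=2):
    """Products whose failure or vulnerability would hit several CI/CII sectors at once."""
    exposure = exposure_by_product(inventory)
    return sorted(p for p, e in exposure.items() if len(e["sectors"]) >= min_sectors)


def escalate(risk_score, tolerance=TOLERANCE):
    """Hand a risk up the ladder until a level can absorb it (EURAM-style hand-off)."""
    for level in LEVELS:
        if risk_score <= tolerance.get(level, float("inf")):
            return level
    return LEVELS[-1]


def exposure_score(entry):
    """Constructed scoring rule: highest criticality times number of sectors hit."""
    return entry["max_criticality"] * len(entry["sectors"])


def exposure_report(inventory, tolerance=TOLERANCE):
    """Per product: level by scope, level by score, and the higher of the two."""
    report = {}
    for product, entry in exposure_by_product(inventory).items():
        by_scope = management_level(entry)
        by_score = escalate(exposure_score(entry), tolerance)
        report[product] = (by_scope, by_score, max(by_scope, by_score, key=LEVELS.index))
    return report


if __name__ == "__main__":
    for product, (scope, score, final) in sorted(exposure_report(INVENTORY).items()):
        print(f"{product:10} scope={scope:9} score={score:13} manage at: {final}")
    print("systemic products:", systemic_products(INVENTORY))
```

The scope rule reflects the chapter's observation that a risk must be managed at the lowest level that spans everyone exposed to it; the score rule is the separate hand-off of risk magnitude a level cannot carry. Running the script on the sample data flags ACME-RTU and WinServer as systemic (used in more than one sector), while GridSCADA, shared only inside the energy sector, settles at the sector level and PumpCtl stays with its single operator.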
