
Properly Prioritizing Level 0 and Level 1 Security
Walid Khatib
Description
<p><a href="https://www.linkedin.com/pulse/awareness-purdue-level-0-1-insecurity-dale-peterson/" target="_blank" rel="noopener">We have resolved the question of whether the ICS security community knows that almost all Purdue Reference Model Level 0 and Level 1 devices, and the protocols that communicate with them, lack authentication</a>. They know this. The next question is what to do about it from an OT / ICS risk management perspective. I'll break the answer into two parts. This article will cover efficient risk reduction prioritization, and next week's article will cover the recommended security controls.</p> <p>In a perfect world with unlimited resources, all Level 0 and Level 1 devices would have a set of security controls. New devices would come with the security controls and deployed devices would be upgraded. Since resources are limited and ICS cybersecurity risk reduction options are plentiful, deciding the priority of risk reduction actions is important.</p> <p>This is similar to evaluating the risk reduction provided by applying security patches in ICS. It is a good security practice to apply all security patches that mitigate vulnerabilities. However, as shown in <a href="https://www.linkedin.com/pulse/ics-patch-what-patch-when-dale-peterson/" target="_blank" rel="noopener">ICS-Patch: What To Patch When In ICS</a>, the risk reduction achieved varies widely across asset / patch pairs.
The small percentage of patches that result in significant risk reduction should be applied as soon as possible, and the large percentage of patches that result in almost no risk reduction should be deferred and applied primarily when needed to keep the product in a supported state.</p> <p>Similar to ICS-Patch, a decision tree is a good way to look at the prioritization of securing Level 0 and Level 1 devices (see the diagram below).</p> <p><img src="https://assets.libsyn.com/secure/show/99465/Level_0_1_Decision_Tree_Drawing.jpg" alt="" width="800" height="450" /></p> <p>Exposure is the most important factor in determining