Classifying & Ranking Risks in Industrial Networks: Process & Examples

Instructor: Giorgos-Nektarios Panayotidis

George-Nektarios has worked as a tutor and student consultant for five years and has a 4-year university degree in Applied Informatics.

In this lesson, we will look into the risk assessment and management in Industrial Networks. We will delve into specific related courses of action: risk ranking and classification with the help of a few examples.

Day to Day Risks

Let us imagine that you find yourself babysitting a toddler nephew in your home. You find yourself thinking of the potential hazardous areas or spots in your house and how the toddler may be possibly harmed in certain circumstances. Naturally, you would first think of the most dreadful out of them all and make sure you have secured them so that the little one cannot do anything too reckless with them. Such hazards might be items to choke on, sharp instruments, sockets, steep staircases and the like. After that, you would look for secondary possible dangers lurking, such as open windows with drafts of cold air and more. In a few words, you would spontaneously categorize the hazards so that you take appropriate measures.

The same applies to risk assessment in industrial networks, where the procedures of ranking and classification are put to use; these are what we will look into in this lesson.

Risk Assessment

NIST Special Publication 800-30 is an influential publication on risk management by the US National Institute of Standards and Technology (NIST). According to it, there are four steps to be followed in sequence:

  • Risk Framing (acknowledgement/definition)
  • Risk Assessment
  • Risk Response
  • Risk Monitoring

What we are interested in, in this particular lesson, is exclusively the second step of the process, that is, risk assessment, which includes two elements: Risk Classification and Risk Ranking.

Risk Classification

Risk classification in industrial systems is considered synonymous with the DREAD model. DREAD was popularized by Microsoft and is in fact an acronym according to which security risks for such systems are classified. DREAD stands for the following:

Damage potential

Damage potential concerns the loss of confidentiality of sensitive information, up to and including ''owning the box'', in which the adversary gains full admin privileges.

Reproducibility

This is a measure of how easily the attack can be reproduced and of the authorization rights one needs in order to relaunch it.

Exploitability

Exploitability is a metric evaluating the programming skills necessary, the time and the sophistication of the tools needed in order to launch the attack.

Affected users

This is a measure of the percentage of users that the attack is bound to have an impact on, as well as of the number of features and configurations affected.

Discoverability

Lastly, discoverability is a measure of how noticeable or obscure the bug caused by the attack is.

Risk Ranking

The aforementioned DREAD model isn't only used for risk classification purposes. It is also used for rating or ranking the hazards in each class according to the severity of each. Please note that the ranking itself is qualitative. More specifically, the guidelines the ranking makes use of are as follows:

High

A ''High'' rating accompanies the most potentially disastrous risks. An attack which grants the highest authorization, which is readily launched, which needs very low programming skills, and so on, is rated as such.

Medium

A ''Medium'' rating is used when the respective hazard is moderate. In other words, according to the risk classification, there is a moderately severe leak of sensitive info, and the attack could be reproduced or exploited without too much time, authorization privileges or programming skills, and so on.

Low

A ''Low'' rating in turn implies a relatively small risk: sophisticated tools are required to carry out the attack, its impact is very obscure or requires admin privileges in order to discover it, and the like.
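The following is an added example, not part of the lesson, showing how the five DREAD factors described above can be recorded for entries in an industrial-network risk register and mapped to the lesson's High / Medium / Low bands. The lesson keeps the ranking qualitative; the numeric level per factor (1 to 3) and the band boundaries used here are assumptions made for illustration, and the sample risks are constructed.

```python
from dataclasses import dataclass

# Assumed numeric level per DREAD factor (the lesson itself ranks qualitatively).
# "high" always means the condition that raises risk, e.g. high exploitability
# means very low skills, time and tooling are needed to launch the attack.
LEVELS = {"low": 1, "medium": 2, "high": 3}

@dataclass
class Risk:
    name: str
    damage: str           # D: info leak up to full admin ("owning the box")
    reproducibility: str  # R: ease and rights needed to relaunch the attack
    exploitability: str   # E: skills, time and tool sophistication required
    affected_users: str   # A: share of users / features / configurations hit
    discoverability: str  # D: how noticeable (vs. obscure) the bug is

    def factor_levels(self) -> dict:
        return {f: LEVELS[getattr(self, f)] for f in
                ("damage", "reproducibility", "exploitability",
                 "affected_users", "discoverability")}

    def score(self) -> int:
        return sum(self.factor_levels().values())  # ranges from 5 to 15

def rank(risk: Risk) -> str:
    """Map the summed levels to the lesson's bands (assumed cut-offs)."""
    s = risk.score()
    return "High" if s >= 12 else "Medium" if s >= 8 else "Low"

def ranked_register(risks: list) -> list:
    """Order a risk register so the most severe entries are handled first."""
    return sorted(risks, key=lambda r: r.score(), reverse=True)

# Constructed sample register for an industrial network (illustrative only).
SAMPLE_RISKS = [
    Risk("Unauthenticated write access to a PLC over an exposed control protocol",
         "high", "high", "high", "high", "medium"),
    Risk("Default credentials on an engineering workstation's remote desktop",
         "high", "medium", "medium", "medium", "medium"),
    Risk("Verbose error page on an internal HMI status dashboard",
         "low", "medium", "low", "low", "low"),
]

if __name__ == "__main__":
    for r in ranked_register(SAMPLE_RISKS):
        drivers = [f for f, v in r.factor_levels().items() if v == 3]
        print(f"{rank(r):6} (score {r.score():2}) {r.name}; drivers: {drivers}")
```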
