By Olivier Verack
•
02 Jun, 2023
I have a big thing with architecture. Architecture as in the thing Enterprise architects or Business architects do. However, I’m not talking about the pure IT part but the business part of architecture. Clearly understanding what a company does as a business, and not just which systems it runs to support those activities, is an important element of that business part.

A motto I have been using a lot is ‘If you don’t understand it, model it’. It is a sentence I first heard from Luc Alix when I was working on an assignment at the Belgian railways. At first I thought: yeah right, typical EAs doing the modeling for the modeling’s sake. But then I got it, and it suits me too as I’m very visually oriented. To be clear, by modeling I don’t mean spending months modeling things in an EA tool. For me it starts with a whiteboard in our office, some paper, or nowadays more often my reMarkable.

The questions I ask myself about a company are the following: What is their (main) mission? Their reason(s) for existence? And how do they try to realize it? Knowing this, I go deeper into activities. These activities are often seen as a cycle the company goes through: what do we want to sell or package, what is the make activity, sales, delivery, follow-up, support, how can we make our products better, and so on, again and again.

The process described here is also how I prepare myself for a security assessment workshop with a customer: using my experience in a sector (discussing it with Dieter) and bringing it together on a whiteboard, because often there is no Enterprise architect present; there isn’t even someone with an architectural background. There are only operations managers, IT folks or, at best, a business representative. It is nevertheless really important to get people to understand why an explicit view of the activities mentioned above matters, as these will be the basis for a high-level risk assessment.
A high-level risk assessment is used to get a clear view of what could go wrong with those activities and what the impact on the company would be. Another important term during high-level risk assessments is “risk appetite”: how, as a company, am I willing to deal with risks and their impact and consequences? Every company is different in how it deals with risk. An “enterprise risk matrix” is therefore also a deliverable of a risk assessment workshop: which categories are important, and how do we classify potential impact, be it financial, production loss, reputation, safety, environmental, legal or other impact? How acceptable is it to lose 1 production site for 1 hour? Or what about 1 site for a week? What is the cost impact of such a loss? How acceptable is it to have someone injured, or 10 persons injured, or even loss of life? How acceptable is it to have a negative environmental impact? It is often only during those workshops that the customer starts thinking about those consequences.

I know it may seem obvious or too much effort, yet these are the things that define how everything with regard to industrial cybersecurity will be handled further down the road. That is also why, even when an enterprise risk matrix is already available, that risk matrix will always be validated with management. Explaining these things and why they are important is part of our job during a risk assessment.

Everything explained in this blog post is also part of how the IEC 62443 standard handles these things. In IEC 62443 this is called “the assessment phase”, which has two sections:
- Business rationale
- Risk assessment
(ISA 62443-2-1 provides guidance on these matters.) Unfortunately, “Business rationale”, or “why are we doing this”, is often forgotten. But honestly, without understanding a company, it is (nearly) impossible to really help them.
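To make the interplay between an enterprise risk matrix and risk appetite concrete, here is an added illustration in Python. It is not code from this post or from Securiacs; every impact scale, appetite threshold, band and scenario in it is an assumed placeholder standing in for the values management has to validate. It scores each scenario the classic way (likelihood times worst impact) and then checks every impact category against the appetite, so that a rare but severe safety or environmental event is not waved through just because it lands in a green cell of the matrix.

```python
"""Enterprise risk matrix with a risk-appetite check.

Added illustration, not code from the post or from Securiacs. Every scale,
appetite threshold, band and scenario below is an assumed placeholder; in a
real workshop these are the values management has to validate.
"""
from dataclasses import dataclass, field

# Impact categories from the workshop discussion, rated 1 (negligible) .. 5 (catastrophic).
CATEGORIES = ("financial", "production_loss", "reputation", "safety", "environmental", "legal")

# Assumed risk appetite: the highest impact level per category the company tolerates
# at all, whatever the likelihood. Safety and environmental are deliberately strict.
RISK_APPETITE = {
    "financial": 3,
    "production_loss": 3,
    "reputation": 3,
    "safety": 1,
    "environmental": 2,
    "legal": 2,
}

# Assumed bands for the matrix score likelihood x worst impact (1..25).
RISK_BANDS = ((5, "low"), (10, "medium"), (16, "high"), (25, "critical"))
ACCEPTABLE_BANDS = {"low", "medium"}


@dataclass
class Scenario:
    name: str
    likelihood: int                              # 1 (rare) .. 5 (almost certain)
    impact: dict = field(default_factory=dict)   # category -> 1..5; absent means 1


def validate(scenario: Scenario) -> None:
    """Reject ratings outside the agreed scales or in unknown categories."""
    if not 1 <= scenario.likelihood <= 5:
        raise ValueError(f"{scenario.name}: likelihood {scenario.likelihood} not in 1..5")
    for category, level in scenario.impact.items():
        if category not in CATEGORIES:
            raise ValueError(f"{scenario.name}: unknown category {category!r}")
        if not 1 <= level <= 5:
            raise ValueError(f"{scenario.name}: impact {level} for {category} not in 1..5")


def risk_band(score: int) -> str:
    """Map a 1..25 matrix score onto its band label."""
    for upper, label in RISK_BANDS:
        if score <= upper:
            return label
    raise ValueError(f"score {score} outside 1..25")


def assess(scenario: Scenario, appetite: dict = RISK_APPETITE) -> dict:
    """Rate a scenario on the matrix, then apply the per-category appetite.

    A scenario is acceptable only if its band is tolerable AND no single
    category exceeds the appetite for that category.
    """
    validate(scenario)
    levels = {c: scenario.impact.get(c, 1) for c in CATEGORIES}
    score = scenario.likelihood * max(levels.values())
    band = risk_band(score)
    breaches = sorted(c for c, level in levels.items() if level > appetite[c])
    return {
        "name": scenario.name,
        "score": score,
        "band": band,
        "breaches": breaches,
        "acceptable": band in ACCEPTABLE_BANDS and not breaches,
    }


# Constructed scenarios echoing the questions asked in the workshop.
SCENARIOS = [
    Scenario("One production site down for one hour", likelihood=4,
             impact={"financial": 1, "production_loss": 1}),
    Scenario("One production site down for one week", likelihood=2,
             impact={"financial": 3, "production_loss": 4, "reputation": 2}),
    Scenario("One worker injured", likelihood=2,
             impact={"safety": 3, "legal": 2}),
    Scenario("Chemical release beyond the site fence", likelihood=1,
             impact={"environmental": 4, "legal": 3, "reputation": 3}),
]


def assess_all(scenarios=SCENARIOS) -> list:
    """Assess every scenario and return the list of result dicts."""
    return [assess(s) for s in scenarios]


if __name__ == "__main__":
    for r in assess_all():
        verdict = "ACCEPTABLE" if r["acceptable"] else "NOT ACCEPTABLE"
        extra = f" (exceeds appetite: {', '.join(r['breaches'])})" if r["breaches"] else ""
        print(f"{r['name']:<42} score={r['score']:>2} {r['band']:<8} {verdict}{extra}")
```

Run it and the one-hour outage comes out low and acceptable, the one-week outage medium but rejected because production loss exceeds the appetite, and both the injury and the chemical release are rejected on appetite even though their matrix scores alone would read medium and low. That gap between the score and the verdict is exactly the discussion worth having with management when the matrix is validated.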
Summarized: defining a business rationale and really understanding the company you are trying to help is a prerequisite for a customized roadmap that will also be understood and given long-term support by management. And long-term support and guidance is what we at Securiacs are aiming for.

Yours truly,
Olivier