Chapter four: Risk management

Figure 4.2 A taxonomy of asset usage. (Diagram labels: Activities, Infrastructure and facilities, Personnel, Information.)

Within the CIP doctrine, these asset groups can be organized according to the mantra of personnel, materiel (objects and consumables), infrastructure and facilities, and information and activities. For the sake of brevity, this will be referred to as the "unique level" in that it deals with a singularity—one person, one asset, one building, one piece of information, or one supporting activity. This is essential for effective risk assessment and management.

Many of these will also be the product of work or will require services that support them. This is the case with various forms of control systems. Again, the business of business is to generate wealth, not to operate a control system. The purpose of the control system is to help the company generate that wealth effectively, efficiently, and safely. So, when we are discussing the security around control systems, we are looking at an infrastructure that most likely supports an organization's critical path (but may not, depending on what business line it supports), but is, itself, often interpreted as being critical infrastructure because of the impacts associated with public safety (Figure 4.3).

The first layer identifies a general business line; for example, production operations (the assembly line). There are a series of discrete business functions comprising that business line; for example, each of the stations that prepare (paint, fold, drill, etc.) components to be assembled further down the line. Several automated systems (infrastructure and activities) contribute to the production process by performing a specific task or process. Each of the systems and processes, as one descends in the diagram, is an asset, and supporting the processes are additional assets as shown. Personnel oversee processes and intervene as necessary.
Information is passed, analyzed by systems, and overseen by people. All processes take place in facilities and hopefully follow written procedures to produce, activate, actuate, move, or provide something (activities). Material is consumed. IT and telecom networks support communications and information exchange. Individual components (infrastructure) consume materiel, send information, are managed, changed, or maintained by people, reside in facilities, and perform a function that is essential to the provision of a mandated good or service.

Considerations for asset valuation

The valuation parameters of these assets can be refined in a number of ways. Remaining true to the business model, the values of the assets must be linked directly to the business processes and service delivery/production mandates that they support. Again, scope and perspective must be considered in asset valuation, since a misstep can lead to significant errors in the subsequent assessment or management of risk; some assets may turn out to
