Chapter four: Risk management
Figure 4.2 A taxonomy of asset usage. (Diagram labels: Activities; Infrastructure and facilities; Personnel; Information.)
Within the CIP doctrine, these asset groups can be organized according to the mantra
of personnel, materiel (objects and consumables), infrastructure and facilities, and information
and activities. For the sake of brevity, this will be referred to as the “unique level” in that it
deals with a singularity—one person, one asset, one building, one piece of information, or
one supporting activity. This is essential for effective risk assessment and management.
Many of these will also be the product of work or will require services that support
them. This is the case with various forms of control systems. Again, the business of
business is to generate wealth, not to operate a control system. The purpose of the control
system is to help the company generate that wealth effectively, efficiently, and safely. So, when
we are discussing the security around control systems, we are looking at an infrastructure
that most likely supports an organization's critical path (but may not, depending on
what business line it supports), but is, itself, often interpreted as being critical infrastructure
because of the impacts associated with public safety (Figure 4.3).
The first layer identifies a general business line; for example, production operations
(the assembly line). There are a series of discrete business functions comprising that
business line; for example, each of the stations that prepare (paint, fold, drill, etc.) components
to be assembled further down the line. Several automated systems (infrastructure and
activities) contribute to the production process by performing a specific task or process.
Each of the systems and processes, as one descends in the diagram, is an asset, and
supporting the processes are additional assets as shown. Personnel oversee processes and
intervene as necessary. Information is passed, analyzed by systems, and overseen by
people. All processes take place in facilities and hopefully follow written procedures to
produce, activate, actuate, move, or provide something (activities). Material is consumed.
IT and telecom networks support communications and information exchange. Individual
components (infrastructure) consume materiel, send information, are managed, changed,
or maintained by people, reside in facilities, and perform a function that is essential to the
provision of a mandated good or service.
Considerations for asset valuation
The valuation parameters of these assets can be refined in a number of ways. Remaining
true to the business model, the values of the assets must be linked directly to the business
processes and service delivery/production mandates that they support. Again, scope and
perspective must be considered in asset valuation, since a misstep can lead to significant
errors in the subsequent assessment or management of risk; some assets may turn out to