Patents by Inventor Eric D. Knapp

Eric D. Knapp has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20170353484
    Abstract: A method includes detecting a storage device. The method also includes performing a check-in process so that the storage device is recognizable by one or more protected nodes within a protected system and not recognizable by nodes outside of the protected system while the storage device is checked-in. The method further includes storing data associated with one or more cyber-security threats on the storage device. The method may also include detecting the storage device a second time and retrieving audit data on the storage device, where the audit data identifies which of the one or more protected nodes accessed the data on the storage device. The method may further include performing a check-out process so that the storage device is recognizable by the nodes outside of the protected system and not recognizable by the one or more protected nodes within the protected system while the storage device is checked-out.
    Type: Application
    Filed: March 27, 2017
    Publication date: December 7, 2017
    Inventors: Eric D. Knapp, Eric T. Boice
  • Publication number: 20170353461
    Abstract: A method includes detecting a storage device and determining whether the storage device has been checked-in for use with at least a protected node. The method also includes granting access to the storage device in response to determining that the storage device has been checked-in for use with at least the protected node. The method further includes retrieving, from the storage device, data associated with at least one of (i) one or more applications executed by the protected node and (ii) one or more services provided by the protected node. The data is used to alter a configuration or operation of at least one of: the one or more applications and the one or more services.
    Type: Application
    Filed: March 27, 2017
    Publication date: December 7, 2017
    Inventors: Eric D. Knapp, Eric T. Boice
  • Publication number: 20170351854
    Abstract: A system includes one or more protected nodes within a protected system, where each protected node is configured to be coupled to a storage device. The system also includes a server configured to perform a check-in process so that one or more files on the storage device are (i) accessible by the one or more protected nodes within the protected system and (ii) not accessible by nodes outside of the protected system while the storage device is checked-in. The server is also configured to perform a check-out process so that the one or more files on the storage device are (i) accessible by the nodes outside of the protected system and (ii) not accessible by the one or more protected nodes within the protected system while the storage device is checked-out. The server could be configured to modify a file system of the storage device during the check-in process.
    Type: Application
    Filed: March 27, 2017
    Publication date: December 7, 2017
    Inventors: Eric D. Knapp, Eric T. Boice
  • Publication number: 20170351870
    Abstract: A method includes detecting a peripheral device at a protected node. The method also includes determining whether the peripheral device has been checked-in for use with at least the protected node and determining whether the peripheral device or a device type has been whitelisted or blacklisted. The method further includes granting access to the peripheral device in response to (i) determining that the peripheral device has been checked-in and has not been blacklisted or (ii) determining that the peripheral device or the device type has been whitelisted, even if the peripheral device has not been checked-in. In addition, the method includes blocking access to the peripheral device in response to (i) determining that the peripheral device has not been checked-in and has not been whitelisted or (ii) determining that the peripheral device or the device type has been blacklisted, even if the peripheral device has been checked-in.
    Type: Application
    Filed: March 27, 2017
    Publication date: December 7, 2017
    Inventors: Eric D. Knapp, Eric T. Boice
  • Patent number: 9800604
    Abstract: A method includes identifying multiple devices or groups of devices in an industrial process control and automation system. The method also includes, for each device or group of devices, (i) obtaining impact values identifying potential effects of a failure or compromise of the device or group of devices due to one or more cyber-security risks and (ii) identifying a consequence value using the impact values. Multiple impact values associated with different categories of potential effects are obtained, and the consequence value identifies an overall effect of the failure or compromise of the device or group of devices.
    Type: Grant
    Filed: May 6, 2015
    Date of Patent: October 24, 2017
    Assignee: Honeywell International Inc.
    Inventors: Eric D. Knapp, Sinclair Koelemij
  • Publication number: 20170208086
    Abstract: This disclosure provides an apparatus and method for near-real-time export of cyber-security risk information, including but not limited to in industrial control systems and other systems. A method includes monitoring, by a risk manager system, a plurality of connected devices that are vulnerable to cyber-security risks. The method includes detecting a cyber-security risk to one or more of the devices being monitored. The method includes identifying an external system to be notified of the detected cyber-security risk. The method includes sending cyber-security risk data to the external system according to the detected cyber-security risk and at least one filtering option.
    Type: Application
    Filed: January 19, 2016
    Publication date: July 20, 2017
    Inventors: Seth G. Carpenter, Eric D. Knapp
  • Publication number: 20170140154
    Abstract: This disclosure provides an apparatus and method for deployment assurance checks for monitoring industrial control systems and other systems. A method includes identifying, by a risk manager system, a plurality of connected devices that are vulnerable to cyber-security risks. The method includes determining devices to be monitored from the plurality of connected devices. The method includes evaluating system resource usage, by the risk manager system, on each device to be monitored. The method includes providing recommendations to a user as to whether or not the user should proceed with the monitoring, based on the evaluation.
    Type: Application
    Filed: November 17, 2015
    Publication date: May 18, 2017
    Inventors: Seth G. Carpenter, Eric D. Knapp
  • Publication number: 20160330228
    Abstract: A method includes identifying multiple devices or groups of devices in an industrial process control and automation system. The method also includes, for each device or group of devices, (i) obtaining impact values identifying potential effects of a failure or compromise of the device or group of devices due to one or more cyber-security risks and (ii) identifying a consequence value using the impact values. Multiple impact values associated with different categories of potential effects are obtained, and the consequence value identifies an overall effect of the failure or compromise of the device or group of devices.
    Type: Application
    Filed: May 6, 2015
    Publication date: November 10, 2016
    Inventors: Eric D. Knapp, Sinclair Koelemij
  • Publication number: 20160234242
    Abstract: This disclosure provides an apparatus and method for providing possible causes, recommended actions, and potential impacts related to identified cyber-security risk items. A method includes identifying, by a risk manager system, a plurality of connected devices that are vulnerable to cyber-security risks. The method includes identifying, by the risk manager system, cyber-security risks in the connected devices. The method includes, for each identified cyber-security risk, identifying by the risk manager system at least one possible cause, at least one recommended action, and at least one potential impact. The method includes displaying, by the risk manager system, a user interface that includes a summary of the identified cyber-security risks.
    Type: Application
    Filed: September 30, 2015
    Publication date: August 11, 2016
    Inventors: Eric D. Knapp, Seth G. Carpenter, Andrew W. Kowalczyk
  • Publication number: 20160234239
    Abstract: This disclosure provides systems and methods for tying cyber-security risk analysis to common risk methodologies and risk levels. A method includes identifying a plurality of connected devices that are vulnerable to cyber-security risks and identifying cyber-security risks in the connected devices. The method includes assigning a risk level to each of the risks and comparing the risk levels to a first threshold and to a second threshold. The method includes assigning each identified cyber-security risk to a risk classification and displaying a user interface that includes a notification according to the identified cyber-security risks and the corresponding assigned risk classifications.
    Type: Application
    Filed: September 30, 2015
    Publication date: August 11, 2016
    Inventors: Eric D. Knapp, Sinclair Koelemij
  • Publication number: 20160070915
    Abstract: A system and method for analyzing cyber-security risk inter-dependencies in a control system having networked devices. The system includes a central server that has a processor and a memory device in communication with the processor. The memory device stores inter-device dependencies and quantified individual risks for each of the networked devices. The memory device also stores a dynamic quantification of risk (DQR) program. The central server is programmed to implement the DQR program. Responsive to observed cyber behavior, the central server changes one or more of the quantified individual risks to generate at least one modified quantified individual risk. The inter-device dependencies for a first of the networked devices and the quantified individual risk for at least one other of the networked devices reflecting the modified quantified individual risk are used to dynamically modify the quantified individual risk for the first device to generate an inter-device modified quantified individual risk.
    Type: Application
    Filed: September 10, 2014
    Publication date: March 10, 2016
    Inventor: Eric D. Knapp
  • Publication number: 20160050225
    Abstract: A method of analyzing cyber-security risks in an industrial control system (ICS) including a plurality of networked devices includes providing a processor and a memory storing a cyber-security algorithm. The processor runs the cyber-security algorithm and implements data collecting to compile security data including at least vulnerability data including cyber-risks (risks) regarding the plurality of networked devices by scanning the plurality of devices, processing the security data using a rules engine which associates a numerical score to each of the risks, aggregating data including ranking the risks across the plurality of networked devices and arranging the risks into at least one logical grouping, and displaying the logical grouping(s) on a user station.
    Type: Application
    Filed: March 26, 2015
    Publication date: February 18, 2016
    Inventors: Seth G. Carpenter, Eric T. Boice, Andrew Kowalczyk, Ken Dietrich, Ganesh P. Gadhe, Eric D. Knapp