Lesson 3B – Risks, Threats, and Vulnerabilities

This lesson introduces the concepts of risk, threats, vulnerabilities, and capabilities from the process perspective of industrial control systems.

Learning Objectives
  • Define risk, threat, vulnerability, and capability
  • Use Risk Priority Number (RPN) to assess and prioritize risks
  • Use the Risk Equation to assess and compare risks
  • Identify and describe threat actors that seek to target industrial control systems
  • Explain why a process perspective to cybersecurity may provide added value
Files
Lesson 3B – Risks, Threats, and Vulnerabilities Lesson Plan
CPI_Module3_Lesson3B_Presentation.pptx
Laboratory Exercise 3B – Risk Analysis & Prioritization

* NICE Cybersecurity Workforce Framework KSAs Addressed
  • K0002: Knowledge of risk management processes (e.g., methods for assessing and mitigating risk).
  • K0008: Knowledge of applicable business processes and operations of customer organizations.
  • K0048: Knowledge of Risk Management Framework (RMF) requirements.
  • K0084: Knowledge of structured analysis principles and methods.
  • K0101: Knowledge of the organization’s enterprise information technology (IT) goals and objectives.
  • K0146: Knowledge of the organization's core business/mission processes.
  • K0149: Knowledge of organization's risk tolerance and/or risk management approach.
  • K0169: Knowledge of information technology (IT) supply chain security and risk management policies, requirements, and procedures.
  • K0612: Knowledge of what constitutes a “threat” to a network.
  • K0329: Knowledge of statistics.
  • S0027: Skill in determining how a security system should work (including its resilience and dependability capabilities) and how changes in conditions, operations, or the environment will affect these outcomes.
  • S0034: Skill in discerning the protection needs (i.e., security controls) of information systems and networks.
  • S0038: Skill in identifying measures or indicators of system performance and the actions needed to improve or correct performance, relative to the goals of the system.
  • S0085: Skill in conducting audits or reviews of technical systems.
  • S0256: Skill in providing understanding of target or threat systems through the identification and link analysis of physical, functional, or behavioral relationships.
  • S0359: Skill to use critical thinking to analyze organizational patterns and relationships.
  • A0040: Ability to translate data and test results into evaluative conclusions.
  • A0106: Ability to think critically.
  • A0118: Ability to understand technology, management, and leadership issues related to organization processes and problem solving.
  • A0119: Ability to understand the basic concepts and issues related to cyber and its organizational impact.
* NSA/DHS Center of Excellence (CAE) KUs Addressed
  • Basic Data Analysis
  • Basic Scripting or Introductory Programming
  • Probability and Statistics
  • Industrial Control Systems

* Most courseware content maps to NIST NICE Cybersecurity Workforce Framework (NCWF) Knowledge, Skills, and Abilities (KSAs) and/or NSA/DHS CAE Knowledge Units (KUs). For more information on KSAs and KUs, please visit:

KSAs: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-181.pdf

KUs: https://www.iad.gov/NIETP/documents/Requirements/CAE-CD_2019_Knowledge_Units.pdf