5 votes
A company relies on an ICS to perform equipment monitoring functions that are federally mandated for operation of the facility. Fines for non-compliance could be costly. The ICS has known vulnerabilities and can no longer be patched or updated. Cyber-liability insurance cannot be obtained because insurance companies will not insure this equipment.

Which of the following would be the BEST option to manage this risk to the company's production environment?

A. Avoid the risk by removing the ICS from production
B. Transfer the risk associated with the ICS vulnerabilities
C. Mitigate the risk by restricting access to the ICS
D. Accept the risk and upgrade the ICS when possible

by User Execv (7.5k points)

1 Answer

3 votes

Final answer:

The best option to manage the risk is mitigating it by restricting access and enhancing security measures until an ICS upgrade is possible, as avoiding, accepting, or transferring the risk are not viable options.

Step-by-step explanation:

The best option to manage the risk associated with the company's production environment, given the ICS (Industrial Control System) has known vulnerabilities, would be to mitigate the risk by restricting access to the ICS. This proactive approach would include implementing additional security measures, such as segmenting the network, applying stringent access controls, and monitoring for unusual activity. Avoidance or acceptance of the risk might lead to regulatory non-compliance and fines, while transferring the risk is not viable as cyber-liability insurance is not available for this equipment. Therefore, mitigation is the preferable strategy until the ICS can be upgraded. It is crucial for businesses to maintain a minimum level of security and, if possible, to enhance their security posture with systems like top-tier fire sprinkler systems that could lower insurance rates.

by User Vivek Sethi (8.0k points)