Agile risk assessment at industrial scale

Operational technology (OT) systems now connect operations and maintenance equipment to information technology (IT) infrastructures. Doing so enables increased automation and real-time, data-driven decision making. Increased connectivity also amplifies risk, exposing critical infrastructure systems—and entire operations—to new opportunities for cyber attack.

Traditionally, assessing system risk has been a manual process conducted near the end of system development. The approach is costly in terms of time and labour, disruptive to the built system, and the results are inconsistent and unrepeatable. KDM Analytics Blade Risk Analysis Solution addresses this gap in cybersecurity with automated risk assessment that supports iterative Agile development.

Automation means that, for the first time, risk assessments can be conducted at industrial scale, where each subsequent project is exponentially more efficient due to reuse of rules and templates. Teams of people with specialized skills working on multiple projects can further increase productivity and dramatically reduce the cost of risk assessments.

For the first time, risk assessments can be conducted at industrial scale, where each
subsequent project is exponentially more efficient due to reuse of rules and templates.

The solution excels when integrated into the lifecycle management experience of a cyber system, especially so in the context of Model-Based Systems Engineering (MBSE) and digital engineering. It empowers design teams and security officers to focus on risk mitigation and system assurance as they build rather than incurring the cost and disruption of obtaining and addressing risk assessment information after-the-fact.

Iterative minimum viable mitigation

The Blade Risk Analysis Solution is based on a systematic, repeatable, and traceable methodology that helps engineers identify the minimum viable mitigation strategy to implement high-priority safeguards and controls. When the solution is integrated into the digital engineering process, it follows the lifecycle of system engineering, integrating risk assessment and mitigation throughout system development. This iterative approach supports Agile methodologies and minimizes the impact of risk assessment by addressing vulnerabilities as they arise. With ranked mitigation options provided throughout the development process, design teams can rapidly consider and integrate safeguards as they go.

With ranked mitigation options provided throughout the development process,
design teams can rapidly consider and integrate safeguards as they go.

In comparison to conducting risk assessment and mitigation in a “big bang” approach post-development, the Agile use of the Blade Risk Analysis Solution also helps ensure a more secure system outcome by building-in risk mitigation rather than tacking it on after the system is in a solid state.

Top-down, bottom-up analysis

The solution is comprehensive and can be integrated from the architecture and design phase through all stages of software development. It comprises two products: Blade RiskManager (BRM) provides a system-level, top-down risk analysis. Blade OneReport (BOR) provides detailed bottom-up vulnerability analysis based on the system architecture. The total solution provides evidence-based analytics that reveal:

• How a system can be attacked,
• Threats and undesired events that can impact operations,
• Impacts of those attacks,
• Prioritized list of actions based on evidence to precisely target risk management efforts.

Because it is automated, repeatable, and rapid, the solution can run numerous risk analyses throughout the software development cycle, as follows:

• BRM is deployed early, at the system architecture and design phase as well as any time the architecture is modified. The risk model is updated automatically every time a digital twin of the system is changed.


• BOR—which integrates with commercial and open-source software development tools—is deployed periodically during the system build and can be cadenced with Agile sprints.

The Blade Risk Analysis Solution enables system development organizations to automate, prioritize, and quantify cybersecurity risk. It stores, assesses, manages, and traces all evidence regarding operational and system risk and identified vulnerabilities.

Using the intelligence provided by the comprehensive risk analysis, engineering teams are empowered to focus on the path forward from the risk information the solution generates. Integrating the solution into the software development lifecycle provides greater security at lower system impact compared to costly and regressive post-development, “big-bang” risk analysis.

Engineering teams are empowered to focus on the path forward from the
risk information the solution generates.

Automation allows for the integration of continuous risk analysis into the development life cycle. It brings industrial-scale practices to security engineering and risk compliance by dramatically reducing the cost of risk assessments and as well as the cost of training.

The Blade Risk Analysis Solution is an industrial-scale technology of particular interest to organizations that routinely perform multiple risk assessments for families of systems, and re-certifications.

For details and a product demonstration, visit www.kdmanalytics.com.