How to Identify Cyber Critical Systems with a Crown Jewel Analysis

In the recently issued U.S. Transportation Security Administration (TSA) Security Directive Pipeline-2021-02C, owners and operators of critical pipelines and liquified natural gas facilities have been asked to identify their cyber critical systems, defined as: any information or operational technology system or data that, if compromised or exploited, could result in operational disruption.
The crown jewel analysis methodology provides a structured approach to this critical asset analysis.
The directive, however, does not provide any guidance on how this must be done or where to start. At Dragos, we have helped many clients through this process of identifying cyber critical systems using our consequence-driven model referred to as a “crown jewel analysis.”

A crown jewel is one of the highest-value assets in your industrial control systems (ICS) and operational technology (OT) environment that, if compromised, could cause major impact to the organization. Potential impacts are operational disruptions, financial damage, and threats to human safety.

OT asset prioritization is essential because not all systems carry equal risk or operational importance. By identifying cyber critical systems in ICS environments first, organizations can allocate security resources more effectively and develop targeted protection strategies for their most valuable assets.

Our crown jewel analysis is an easily applied and repeatable scoping model that allows organizations to visualize how an attacker would assess a system to achieve a specific consequence. This enables security analysts to identify starting points for cyber threat hunts, incident response planning, penetration/vulnerability assessments, and define cybersecurity strategies for their ICS environments.

Dragos’s crown jewel analysis requires an understanding of six layers that contain elements contributing most to functional output (primary purpose), functional dependencies (reliance on other systems to fulfill functional output), and level of exposure. Each layer must be analyzed and understood before progressing to a lower layer.
Here’s an example of the model applied to the TSA Pipeline-2021-02C requirement to identify cyber critical systems:

• Layer 1, System Owner: specific provider that may be targeted (e.g., midstream natural gas company)
• Layer 2, Critical System or Sub-System: assets, facilities, networks, and/or operators that provide a specific, collective function and output (e.g., gas transmission)
• Layer 3, Critical Function or Sub-Function: key tasks of a system such as heating, cooling, exchanging, pumping, separating, compressing, distributing, storing, etc.
• Layer 4, Critical Components: physical asset required to complete a system critical function (e.g., pumps, valves, motors, compressors, etc.)
• Layer 5, Controllers: directly connected to the logical and physical network (e.g., remote terminal units, programmable logic controllers, safety instrumented systems, etc.)
• Layer 6, Crown Jewels: critical data, logical assets, communication paths, and/or control interfaces required to control components and functions (including engineering and operator workstations, leak detection systems, etc.)

Progressing through our consequence-driven crown jewel analysis allows industrial organizations to discover their cyber critical systems, accurately scope their cybersecurity strategies, and perform assessments that analyze and evaluate their overall ICS security postures.
To learn more about a crown jewel analysis for a midstream natural gas company, download our infographic that offers additional information.