Skip to main content
The Dragos Blog

09.07.22 | 1 min read

How to Identify Cyber Critical Systems with a Crown Jewel Analysis

Dragos, Inc.

In the recently issued U.S. Transportation Security Administration (TSA) Security Directive Pipeline-2021-02C, owners and operators of critical pipelines and liquified natural gas facilities have been asked to identify their cyber critical systems, defined as: any information or operational technology system or data that, if compromised or exploited, could result in operational disruption

The directive, however, does not provide any guidance on how this must be done or where to start. 

At Dragos, we have helped many clients through this process of identifying cyber critical systems using our consequence-driven model referred to as a “crown jewel analysis.”  

What Is a Crown Jewel? 

A crown jewel is one of the highest-value assets in your industrial control systems (ICS) and operational technology (OT) environment that, if compromised, could cause major impact to the organization. Potential impacts are operational disruptions, financial damage, and threats to human safety.

How Are Crown Jewels Identified? 

Our crown jewel analysis is an easily applied and repeatable scoping model that allows organizations to visualize how an attacker would assess a system to achieve a specific consequence. This enables security analysts to identify starting points for cyber threat hunts, incident response planning, penetration/vulnerability assessments, and define cybersecurity strategies for their ICS environments. 

Dragos’s crown jewel analysis requires an understanding of five layers that contain elements contributing most to functional output (primary purpose), functional dependencies (reliance on other systems to fulfill functional output), and level of exposure. Each layer must be analyzed and understood before progressing to a lower layer. 

Here’s an example of the model applied to the TSA Pipeline-2021-02C requirement to identify cyber critical systems: 

  • Layer 1, System Owner: specific provider that may be targeted (e.g., midstream natural gas company) 
  • Layer 2, Critical System or Sub-System: assets, facilities, networks, and/or operators that provide a specific, collective function and output (e.g., gas transmission) 
  • Layer 3, Critical Function or Sub-Function: key tasks of a system such as heating, cooling, exchanging, pumping, separating, compressing, distributing, storing, etc. 
  • Layer 4, Critical Components: physical asset required to complete a system critical function (e.g., pumps, valves, motors, compressors, etc.) 
  • Layer 5, Controllers: directly connected to the logical and physical network (e.g., remote terminal units, programmable logic controllers, safety instrumented systems, etc.)
  • Layer 6, Crown Jewels: critical data, logical assets, communication paths, and/or control interfaces required to control components and functions (including engineering and operator workstations, leak detection systems, etc.)

Progressing through our consequence-driven crown jewel analysis allows industrial organizations to discover their cyber critical systems, accurately scope their cybersecurity strategies, and perform assessments that analyze and evaluate their overall ICS security postures.  

To learn more about a crown jewel analysis for a midstream natural gas company, download our infographic that offers additional information. 

Ready to put your insights into action?

Take the next steps and contact our team today.