Apparatus and method for assigning cyber-security risk consequences in industrial process control environments
US-9800604-B2 · Oct 24, 2017 · US
US9930058B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-9930058-B2 |
| Application number | US-201514669980-A |
| Country | US |
| Kind code | B2 |
| Filing date | Mar 26, 2015 |
| Priority date | Aug 13, 2014 |
| Publication date | Mar 27, 2018 |
| Grant date | Mar 27, 2018 |
Official abstract text for this publication.
A method of analyzing cyber-security risks in an industrial control system (ICS) including a plurality of networked devices includes providing a processor and a memory storing a cyber-security algorithm. The processor runs the cyber-security algorithm and implements data collecting to compile security data including at least vulnerability data including cyber-risks (risks) regarding the plurality of networked devices by scanning the plurality of devices, processing the security data using a rules engine which associates a numerical score to each of the risks, aggregating data including ranking the risks across the plurality of networked devices and arranging the risks into at least one logical grouping, and displaying the logical grouping(s) on a user station.
Claims 1 to 18 as granted.
The invention claimed is:
1. A method of analyzing cyber-security risks (risks) in an industrial control system (ICS) including a plurality of networked devices, comprising: providing a processor and an associated memory storing a cyber-security algorithm located in a level of said ICS that is between a business-level and a device-level that includes at least one of actuators and sensors, said processor running said cyber-security algorithm and implementing: data collecting to compile security data comprising at least vulnerability data including said risks regarding said plurality of networked devices by scanning said plurality of networked devices; processing said security data using a rules engine which associates a numerical score to each of said risks; aggregating data including ranking said risks across said plurality of networked devices and arranging said risks into a plurality of security zones that each group together ones of said plurality of networked devices that can freely communicate with one another without an intervening router or firewall to indicate where a cyber-attack might spread if any one of said plurality of networked devices in said group is compromised, and displaying at least a portion of said plurality of security zones on a user station.
2. The method of claim 1, wherein said security data further comprises threat level data relating to a degree to which vulnerabilities in said vulnerability data are likely to be exploited, and consequence data relating to a degree of impact felt if the respective one of said plurality of networked devices were successfully exploited.
3. The method of claim 1, wherein said aggregating data further includes aggregating categories of a security state of said plurality of networked devices.
4. The method of claim 1, further comprising generating guidance text with each of said risks including possible causes, potential impact to said ICS and recommended actions, and displaying said guidance text on said user station.
5. The method of claim 1, further comprising discovering said plurality of networked devices.
6. The method of claim 5, wherein said discovering comprises multi-pass discovering.
7. The method of claim 1, wherein said rules engine is part of a rules engine and aggregation module having an internal set of rules for normalizing said vulnerability data, further comprising normalizing said vulnerability data.
8. The method of claim 1, wherein said data collecting monitors said plurality of networked devices essentially continuously for events with security implications including a plurality selected from the group consisting of virus detection, WINDOWS authentication failures, and monitoring include anti-virus, application whitelisting, WINDOWS security events, network security including state of switches, routers, firewalls, and intrusion detection/prevention systems, backup status, patching status and asset policies.
9. The method of claim 1, further comprising generating a risk value for each of said plurality of security zones.
10. A software product, comprising: a non-transitory machine readable storage media having code stored therein, said code including executable instructions, which, when executed by a computing device, cause the computing device to implement a cyber-security algorithm for analyzing cyber-security risks (risks) in an industrial control system (ICS) including a plurality of networked devices, that includes a device-level including at least one of actuators and sensors, said code including: code for data collecting to compile security data comprising at least vulnerability data including said risks regarding said plurality of networked devices by scanning said plurality of networked devices; code for processing said security data using a rules engine which associates a numeric score to each of said risks; code for aggregating data including ranking said risks across said plurality of networked devices and arranging said risks into a plurality of security zones that each group together ones of said plurality of networked devices that can freely communicate with one another without an intervening router or firewall to indicate where a cyber-attack might spread if any one of said plurality of networked devices in said group is compromised, and code for displaying at least a portion of said plurality of security zones on a user station.
11. The software product of claim 10, wherein said security data further comprises threat level data relating to a degree to which vulnerabilities in said vulnerability data are likely to be exploited, and consequence data relating to a degree of impact felt if the respective one of said plurality of networked devices were successfully exploited.
12. The software product of claim 10, wherein said aggregating data further includes aggregating categories of a security state of said plurality of networked devices.
13. The software product of claim 10, further comprising code for generating guidance text with each of said risks including possible causes, potential impact to said ICS and recommended actions, and displaying said guidance text on said user station.
14. The software product of claim 10, further comprising code for discovering said plurality of networked devices.
15. The software product of claim 14, wherein said discovering comprises multi-pass discovering.
16. The software product of claim 10, wherein said rules engine is part of a rules engine and aggregation module having code for an internal set of rules for normalizing said vulnerability data.
17. The software product of claim 10, wherein said code for data collecting monitors said plurality of networked devices essentially continuously for events with security implications including a plurality selected from the group consisting of virus detection, WINDOWS authentication failures, and monitoring include anti-virus, application whitelisting, WINDOWS security events, network security including state of switches, routers, firewalls, and intrusion detection/prevention systems, backup status, patching status and asset policies.
18. The software product of claim 10, further comprising code for generating a risk value for each of said plurality of security zones.
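The claims describe a pipeline rather than a data format: scan findings per device, let a rules engine turn each finding into a numeric score (claims 1, 2 and 7), group devices into security zones defined as sets of devices that can reach one another without crossing a router or firewall (claim 1), attach guidance text (claim 4) and compute a risk value per zone (claim 9). The block below is an added illustration of that pipeline written for this page; it is not code from the patent, its assignee, or any product embodiment. The device inventory, findings, rule weights and link table are constructed sample data, and the scoring formula (severity x threat x consequence x rule weight) and the choice of "worst device in the zone" as the zone risk are assumptions made here for illustration, not formulas the patent specifies.

```python
"""Zone-based ICS risk aggregation in the shape of the claims above.
All inventory, findings and weights are constructed sample data (assumption)."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Finding:
    kind: str           # finding category emitted by a hypothetical scanner
    severity: float     # 0..10 raw vulnerability severity
    threat: float       # 0..1 likelihood of exploitation (claim 2 "threat level data")
    consequence: float  # 0..1 process impact if exploited (claim 2 "consequence data")


@dataclass
class Device:
    name: str
    segment: str        # L2 segment the device sits on (assumption: one interface per device)
    findings: list = field(default_factory=list)


# Rules engine (claims 1, 7): per-category weights used to normalize raw findings.
# Weights are illustrative assumptions, not values from the patent.
RULE_WEIGHTS = {
    "missing_patch": 1.0,
    "av_signature_stale": 0.6,
    "default_credentials": 1.0,
}

# Guidance text per finding category (claim 4): causes, impact, recommended action.
GUIDANCE = {
    "missing_patch": ("vendor patch not applied", "remote code execution on the host",
                      "apply the vendor-approved patch in the next maintenance window"),
    "av_signature_stale": ("AV update feed unreachable", "known malware not detected",
                           "restore signature distribution from the DMZ update server"),
    "default_credentials": ("device commissioned with factory password", "full control of the device",
                            "set unique credentials and restrict management access"),
}


def score_finding(f: Finding) -> float:
    """Numeric score in 0..10: normalized severity x threat x consequence x rule weight."""
    weight = RULE_WEIGHTS.get(f.kind, 0.5)  # unknown categories get a conservative default
    return round(min(f.severity, 10.0) * f.threat * f.consequence * weight, 2)


def security_zones(devices, segment_links):
    """Group devices that can talk without an intervening router or firewall (claim 1).
    segment_links: (segment_a, segment_b, boundary) with boundary in
    {"switch", "router", "firewall"}; only "switch" links merge two segments into
    one zone, so zones are connected components of the switched topology."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for d in devices:
        find(d.segment)
    for a, b, boundary in segment_links:
        if boundary == "switch":
            parent[find(a)] = find(b)
    zones = defaultdict(list)
    for d in devices:
        zones[find(d.segment)].append(d)
    return list(zones.values())


def zone_risk(zone) -> float:
    """Risk value per zone (claim 9): the worst device, since compromising any one
    device in the zone gives an attacker unfiltered reach to the rest (assumption)."""
    return max((score_finding(f) for d in zone for f in d.findings), default=0.0)


def rank_zones(devices, segment_links):
    """Ranked (risk, sorted device names) tuples, highest risk first."""
    ranked = [(zone_risk(z), sorted(d.name for d in z)) for z in security_zones(devices, segment_links)]
    return sorted(ranked, key=lambda t: (-t[0], t[1]))


def guidance_for(f: Finding):
    """(possible cause, potential impact, recommended action) for one finding (claim 4)."""
    return GUIDANCE.get(f.kind, ("unknown", "unknown", "investigate manually"))


# Constructed sample inventory: an HMI and engineering station on the control LAN,
# a PLC on an I/O LAN joined by a plain switch, and a historian behind a firewall.
SAMPLE_DEVICES = [
    Device("hmi1", "ctrl_lan", [Finding("missing_patch", 9.0, 0.8, 0.7)]),
    Device("eng1", "ctrl_lan"),
    Device("plc1", "io_lan", [Finding("default_credentials", 10.0, 0.9, 1.0)]),
    Device("hist1", "dmz", [Finding("av_signature_stale", 5.0, 0.4, 0.3)]),
]
SAMPLE_LINKS = [
    ("ctrl_lan", "io_lan", "switch"),    # same zone: no router/firewall in between
    ("ctrl_lan", "dmz", "firewall"),     # zone boundary
]

if __name__ == "__main__":
    for risk, members in rank_zones(SAMPLE_DEVICES, SAMPLE_LINKS):
        print(f"zone risk {risk:5.2f}: {', '.join(members)}")
```

The point the zone grouping makes visible is that the PLC's default-credential finding lifts the whole control LAN zone to 9.0, including the engineering station that has no findings of its own, because the switch between ctrl_lan and io_lan is not a boundary; the historian behind the firewall stays in its own low-risk zone. Swapping the ctrl_lan to io_lan link to "router" or "firewall" splits the high-risk zone in two, which is exactly the segmentation decision the display is meant to support.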
Vulnerability analysis · CPC title
Processing captured monitoring data, e.g. for logfile generation · CPC title
Event detection, e.g. attack signature detection · CPC title
Assessing vulnerabilities and evaluating computer system security · CPC title