By Gregory Hale
Safety can learn from security and security can learn from safety, but now security can help protect safety by conducting a cyber-safety assessment.
Sound confusing? Just ask John Cusimano.
“We are seeing more and more attacks on OT (operational technology),” said Cusimano, director of industrial cybersecurity at aeSolutions during a Tuesday talk at the 14th Global Congress on Process Safety at the 2018 AIChE Spring Meeting in Orlando, FL. “The threat system has changed. It used to be pneumatics and analog systems. Now we are seeing a more digital platform.”
While the outside pipes, valves still remain the same, the underpinning technologies controlling them have changed considerably.
“We have layers of protection. We have process control systems and safety instrumented systems (SIS),” Cusimano said. “When we put safety and control on the same network, there is the potential for common cause issues. We have to make sure they are properly designed.”
The end result is everyone wants to make sure bad things don’t happen to the systems.
“Modern control systems are very complex,” he said. “We need to identify cyber threats and possibilities to find the consequences.”
That is where security professionals can borrow a valuable tool from safety experts: A process hazard analysis (PHA).
A cyber PHA can help cut down on one of the issues facing control and safety system security these days, which is the challenge of turf wars from various domains.
Who is in Charge?
Between IT, Automaton, OPS, and safety, no one seems to be taking charge of securing the control systems.
Before anyone takes responsibility, though, systems need to go through a cyber PHA, a systematic approach to establish cyber risk.
By conducting a cyber PHA security professionals find:
• It is similar to a PHA/HazOp in safety
• Satisfies new IEC 61511 security risk assessment and it is aligned with IEC 62443
• Creates a map of the system by using zones and conduits
• Breaks it down to assess threats, vulnerabilities and risks
A cyber PHA is not something done in a vacuum. Multiple people from different departments need to come together.
Cusimano broke the cyber PHA process down into six parts.
1. Kick off
3. Analyze system
In the kick off, this is where a team ends up created.
In the assess phase, everyone walks through the system, pulling together an asset inventory. “No one person knows everything about the system,” Cusimano said.
In the analyze the system part, you are creating the zones and conduits diagrams where you catalog vulnerabilities.
In the workshop stage, this is where you study with a cross functional team and try to understand threat scenarios in each zone. This is where various domains can start to come together and work as a team.
“Cyber PHA is very effective at bringing these teams together,” Cusimano said. “This allows you to take a risk-based approach and allows you to prioritize your investments to decide which solution is the right one.”
In the mitigate phase, it identifies risk and integrates with process safety and identifies hidden risk. It also fosters culture change, he said.
As Cusimano has said before a cyber PHA is a systemic approach aligned with standards where you could apply additional countermeasures to fix a security risk.
Vulnerability assessment starts with understanding system you are going to evaluate. A user would look at:
• Evaluation of control system design
• As built or as found drawings
• Analysis of network communications understanding what devices are talking to what devices
• Analysis of network devices
• Analysis of servers/workstations
• Analysis of ICS devices
• Partition system into zones and conduits
• Review policies and procedures
• Recommend mitigations
The methodology behind the cyber PHA gives the user an approach to assess ICS cyber risk. The beauty is the cyber folks don’t have to reinvent the wheel as they can use an approach similar to a PHA/HAZOP. By doing this assessment, it would satisfy the new IEC 61511 security risk assessment requirement. In addition, by applying the cyber PHA, it can help at Process Safety Management (PSM) regulated companies.
The benefits for using the cyber PHA include:
1. Use of process PHAs and corporate risk matrix assures consistent consequences and risk analysis
2. Cross functional, collaborative team approach yields a more accurate risk assessment
3. Prioritized recommendations and plan
4. Prioritize activities and resources
5. Establish a baseline to measure improvement
6. Document and justify decisions
7. Risk register and risk profile
8. Raise cybersecurity awareness
“If it isn’t secure, it isn’t safe,” Cusimano said.