By Gregory Hale
There are plenty of ways to get from point A to point B in this world, but when it comes to cybersecurity, having a plan and knowing what is at risk, what truly needs the most protection and understanding the potential outcome is paramount.
Just ask John Cusimano, vice president of cybersecurity at aeSolutions and Andrew Bochman, senior grid strategist at Idaho National Laboratory, as the two security experts explored the strengths and benefits of conducting a Cyber Process Hazard Analysis (CyberPHA) or Consequence-driven Cyber-informed Engineering (CCE) process at the S4x19 conference in Miami Beach last week.
One form of understanding risk is a simple equation: Risk = likelihood x consequence. However, in the ICS world, security experts spend a great deal of effort in risk reduction, but not a large effort in cutting down on consequences.
“In a CyberPHA we leverage processes we had around process safety to bring it into cybersecurity,” Cusimano said. “How do we decide on what consequences could be caused by cyber and drill down on how that could happen. No one person in a facility will understand threats and consequences, it takes a team.”
In a CyberPHA, the user can:
• Document the system
• Conduct a vulnerability assessment
• Partition the system
• Conduct a risk assessment
• Create mitigation planning
“We identify the worst case consequences and understand how that could happen,” Cusimano said. “That presents a nice picture of an attack scenario.”
In a CyberPHA it is possible to create a systematic approach to assessing ICS cyber risk, he said. Most of the assessment is based on the IEC 62443-3-2 “Security Risk Assessment and System Design” approach. In addition, it leverages established process safety management methods along with integrating multiple engineering disciplines. In the end, it delivers a risk-ranked mitigation plan.
Benefits of the CyberPHA include integration with process risk management, which provides management with a consistent ranking of risk, Cusimano said. In addition, it creates a cross-functional team approach that encourages collaboration, practical solutions and buy-in.
It also satisfies IEC 61511 SIS security requirements and establishes a baseline to measure improvement, document and justify decisions. It also raises cybersecurity awareness. There is also a proven track record as Cusimano said it has been successfully applied to hundreds of ICSes since 2013.
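As an added illustration (not code from the talk or from aeSolutions) of the Risk = likelihood x consequence ranking and the risk-ranked mitigation plan described above, the following scores a few constructed scenarios and compares a likelihood-reducing mitigation with a consequence-reducing one. The 1-5 scales, the tolerable-risk threshold and the scenarios are assumptions; a real CyberPHA takes them from the site's process-safety risk criteria.

```python
from dataclasses import dataclass

# Constructed threshold: risk above this value needs an entry in the mitigation plan.
TOLERABLE_RISK = 6


@dataclass
class Scenario:
    name: str
    likelihood: int   # 1 = remote .. 5 = frequent (assumed scale)
    consequence: int  # 1 = negligible .. 5 = catastrophic (assumed scale)

    def risk(self) -> int:
        # Risk = likelihood x consequence, the relationship quoted in the article.
        return self.likelihood * self.consequence


def rank_scenarios(scenarios):
    """Worst-first ordering; ties are broken by consequence, since consequence is
    what a consequence-driven review wants to remove first."""
    return sorted(scenarios, key=lambda s: (s.risk(), s.consequence), reverse=True)


def needs_mitigation(scenarios, tolerable=TOLERABLE_RISK):
    """Names of scenarios whose risk exceeds the tolerable threshold."""
    return [s.name for s in scenarios if s.risk() > tolerable]


def residual_risk(s, cut_likelihood=0, cut_consequence=0):
    """Risk after a mitigation that lowers likelihood (e.g. segmentation, patching)
    and/or consequence (e.g. an engineered physical limit). Scores floor at 1."""
    likelihood = max(1, s.likelihood - cut_likelihood)
    consequence = max(1, s.consequence - cut_consequence)
    return likelihood * consequence


# Constructed sample scenarios for a small process unit.
SCENARIOS = [
    Scenario("SIS bypass leads to vessel overpressure", likelihood=2, consequence=5),
    Scenario("Ransomware on HMIs halts production", likelihood=4, consequence=3),
    Scenario("Historian data exfiltration", likelihood=3, consequence=1),
]

if __name__ == "__main__":
    for s in rank_scenarios(SCENARIOS):
        print(f"{s.risk():>2}  {s.name}")
    print("Needs mitigation:", needs_mitigation(SCENARIOS))
```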
Bochman, in turn, talked about Consequence-driven Cyber-informed Engineering. The goal of this approach is to change the way engineers, operators and senior leaders understand and mitigate cyber risks in their most critical systems and processes.
“When you are charged with protecting a large enterprise, we don’t treat things individually,” Bochman said. “You have to protect the whole thing. You need to find the handful of functions you need to protect.”
In his approach, Bochman said there are four steps:
1. Consequence prioritization, which determines the crown jewels that need protection
2. System of systems breakdown
3. Consequence-based targeting, which gives a kill chain analysis
4. Mitigations and protections, which gives kill chain mitigations
This is a disciplined approach to evaluate complex systems, make determinations about what must be fully safeguarded, and apply proven engineering strategies to isolate and protect industry’s most critical assets.
When it comes to securing critical infrastructure, Bochman said “disruption is OK, destruction I just can’t handle.”