Cybersecurity is playing an increasingly important role in process safety systems. This became quite apparent with the cyber-attack on a safety system late in 2017 that ultimately ended in the safe shutdown of a Middle Eastern petrochemical facility. Process safety systems provide the last line of defense to shut down a plant safely in the event of an abnormal situation. Attacks on safety systems have the potential to cause real harm in the physical world, so it’s important that ICS/SCADA cybersecurity policy include rational approaches to process safety systems.
However, the scope of safety and cybersecurity goes well beyond process safety systems alone. Across the industrial and infrastructure worlds, an increasing number of end users are adopting more sophisticated strategies for risk management. This drives closer cooperation and convergence between the safety and cybersecurity disciplines.
This convergence manifests itself in several ways. An increased focus on risk management helps end users justify increased spending on cybersecurity. Many end users are adopting the concepts of process hazard analysis (PHA) and hazard operability analysis (HAZOP). Suppliers are obliging with cyber-focused services that incorporate key concepts from PHA and HAZOP. These include layers of protection analysis (LOPA) and risk matrices that analyze the consequence and severity of actions in operating environments.
Cost and Impact of Cyber Incidents vs. Safety Incidents
At the operational technology (OT) level, both cybersecurity- and safety-related projects can be challenging to cost justify and thus gain approval. Both domains protect against what could happen to help avoid a cyber-attack or plant incident. The financial impact of either could be massive.
The BP Deepwater Horizon oil spill, for example, is estimated to have cost the company $65 billion in cleanup costs, legal fees and fines.
The cost of cyber incidents can be just as damaging, with a simple ransomware attack costing an average of $5 million for companies across the board. The impact on industrial plants and facilities, however, is much greater. In 2017, a Tokyo-area Honda plant was forced to shut down because of WannaCry ransomware. In this case, the plant controls were not compromised, but the ransomware attack was virulent enough to shut down operations in a plant that produces around 1,000 vehicles a day.
Even if a refinery or chemical plant is able to shut down safely when faced with a cyber incident, as we saw in the Middle East in 2017 with the TRISIS/TRITON malware incident, a single unplanned shutdown can wipe out the profits of a refinery or petrochemical plant for the entire year.
Increased Focus on Risk Management
For many end users in manufacturing and critical infrastructure, cybersecurity policy focuses on countering potential threats by reducing exposure to phishing, beefing up password security, etc. ARC Advisory Group’s maturity model for cybersecurity enables end users to measure their own overall level of security and sophistication. Many end users are realizing, however, that they cannot possibly address every threat all the time and are thus looking at the science of risk management to help prioritize their efforts.
Cyber Risk No Longer Exclusive of Physical Risk
Significantly, cybersecurity risk is no longer limited to the cyber world but can have very real consequences in the physical world. These risks exist along a spectrum of severity that ranges from simple unplanned downtime in operations to a plant explosion or release of hazardous materials. Stuxnet, which proved that physical assets like nuclear centrifuges can be destroyed through cyber-attacks, gave birth to this realization. And even though the initial attack resulted in a safe plant shutdown, TRITON/TRISIS malware showed that process safety systems could be compromised and reprogrammed maliciously so as not to shut down a plant or process in case of an abnormal situation.
Since the malware and attackers will only get more sophisticated over time, we can no longer view safety and cybersecurity as separate domains.
Standard Risk Management Approaches from the IT World
The IT world is no stranger to standard risk management approaches for cybersecurity. FAIR (Factor Analysis of Information Risk), for example, is an established international standard quantitative model for cybersecurity and operational risk. It provides a model for understanding, analyzing,and quantifying information risk in financial terms.
The FAIR approach for risk management has been adopted by RiskLens, a provider of cyber-risk quantification software that helps achieve digital resiliency by managing cyber risk from the business perspective. FAIR is supported by an open consortium of which The Open Group is a key member and supporter. The Open Group has also introduced the Open FAIR Body of Knowledge, together with a certification program for risk analysts.