Why Cybersecurity Belongs in Every Process Hazard Analysis

The rise of IIoT-connected equipment has opened new opportunities for attackers. Chemical plant operators can take steps to reduce risks, but fully eliminating threats is highly unlikely, said Matt Pike, a cybersecurity services sales executive at Rockwell Automation.

“There's always going to be a risk somewhere, somehow,” Pike told session attendees. “The true term is mitigate. We want to mitigate as much risk as possible.”

Pike and co-presenter Ramon Farach discussed the concept of “defense in depth,” the idea that operations need layers of protection to safeguard their systems. It’s a combination of built-in safeguards within the process control system, such as alarms or interlocks, along with safety instrumented systems (SIS), relief valves and leak-containment systems if all those preventive measures fail.

The layers are critical because attackers can target various systems, including the safety controls. As an example, Pike cited the 2017 Triton cyberattack at a Saudi petrochemical plant that triggered a Schneider Electric SIS to shut down operations.

“SIS systems are absolutely a growing concern,” said Pike in a follow-up interview with Chemical Processing. “They’re strategically more valuable targets than non-SIS systems but also harder to infiltrate.”

Pike compared an SIS attack to “removing the brakes off of a speeding vehicle.”

Farach and Pike emphasized that existing regulations and standards governing process safety provide a foundation for mitigating such incidents. This includes compliance with the Occupational Safety and Health Administration’s CFR1910.119, which covers certain flammable liquids.

A process hazard analysis, or PHA, is one of the key elements within the standard, requiring that teams evaluate potential hazards within a plant and assign them a value based on frequency and severity.  

“Typically, you'll look at what's the environmental impact if this happens? Farach said. “What's the financial impact to our company if this happens? What's the impact on the community? What's the impact of personnel?”

The PHA team should include, at minimum, a trained facilitator, a subject matter expert for each technology, control-room personnel and a member of the operations team, Farach said. Others to consider include process control engineers, maintenance workers and mechanical engineers.

The next step involves a layer-of-protection analysis, which identifies existing independent protection layers in the facility and any gaps, Farach explained.

Those gaps are where IEC standards like IEC 61508 and IEC 61511come into play.

IEC 61508 requires that equipment manufacturers certify that their products are capable of operating within safety integrity level, or SIL limits. This is a four-level system for rating how reliably a safety function will perform when it's needed.

“It doesn't mean you have an SIS by buying one of these products,” Farach said. “It just means that it's SIL capable.”

The actual design and implementation of a SIS falls under IEC 61511.

“It spells out what you need to do, what calculations you need to approve, what skill levels you need to have for your SIS," Farach said. “It's specific to process industries.”

In the past, cybersecurity wasn’t part of the PHA conversation, said Farach.  

“Cybersecurity wasn't something we even thought about,” he said. “We just took it for granted. We looked at low flow, high pressure, high level, but didn't consider someone taking control of the process from external services.”

Operators should look for equipment that has built-in cybersecurity and meets standards, such as those set by the National Institute of Standards and Technology (NIST) or IEC 62443, an international certification for cybersecurity in industrial automation and control systems, said Pike. Basic security practices and awareness can mitigate some of the most serious breaches. This includes patch management to address vulnerabilities, segmentation of different systems and phishing identification.

Operators must remain vigilant because even safety systems are at risk. Indicators of compromise on SIS systems are not always obvious, Pike said. Some indicators that an SIS has been compromised include unauthorized or unexpected code changes to SIS logic, modified trip setpoints and changes made outside of normal operating hours or managed changes hours, he said.

“The key here is ensuring you have a proper NIST-based cybersecurity program in place to understand the attack surface and vulnerabilities in your environment, detecting anomalies that occur, secure backups of all systems in place and an incident response plan with regular policy reviews and tabletop exercises on that plan,” Pike told Chemical Processing.

For many process manufacturers, the cost of doing nothing can be significant. Insurers now have strict guidelines for cybersecurity and are conducting exhaustive audits to ensure organizations are adhering to recognized standards, Pike said.

“If there's anything that's out of line, either the premiums will be outrageous, or they may just not insure you entirely,” he said.

Corporate boards and international regulatory agencies also are requiring organizations to meet certain cybersecurity standards, Pike added.