Cyber PHA Secures Safety

Thursday, October 19, 2017 @ 03:10 PM gHale

By Gregory Hale
When ensuring a safety system is protecting the right areas, professionals need to understand what risks are involved to protect the plant. The same is true in securing a safety system.

“Modern control systems and safety systems are complex, intelligent, programmable, and highly networked systems,” said John Cusimano, director of industrial cybersecurity at aeSolutions Wednesday during a webcast entitled, “If it isn’t secure, it isn’t safe.”

IT/OT Convergence, a SANS Focus
ICSJWG: Putting Numbers Behind Risk
ICSJWG: Change in Security Approach Needed
Power Grid Compromise

“(Systems) are highly integrated, which can be very beneficial, but it also opens them up to vulnerabilities if they reside on the same network and communicate with the same servers,” Cusimano said. “So, it is possible that a single vulnerability might be able to disable multiple layers of protection. That is what we want to look for when we are doing a cyber risk assessment for a facility, we want to determine if there are any scenarios like that and how we can protect against them. That is why you have to do a separate cybersecurity study to make sure those possibilities do not exist.”

While security issues have been around for a little bit, more companies are just now starting campaigns around cybersecurity, Cusimano said. One case in point is Sunoco Logistics, which Cusimano said is one of the more progressive companies focusing on cyber.

In addition to having control systems and safety systems being very complex, intelligent, programmable, and highly networked, there are other challenges facing users.

For instance, it is very common for them to be integrated and residing on the same network and communicate to the same servers/workstations/applications. That could enable a single vulnerability to disable multiple layers of protection. What is at issue, Cusimano said, is HAZOPS and LOPA studies typically do not take into account cyber impacts on initiating event frequency or effectiveness of safeguards.

Safety Best Practices
In the end, security professionals need to borrow from safety experts.

Process safety is the discipline around preventing process incidents, fires, explosions, accidental releases of dangerous materials in process facilities such as chemical plants, refineries, oil and gas production.

It focuses on the design and engineering of facilities, maintenance of equipment, alarm handling, control systems, procedures and training around making sure it is possible to identify process hazards and have mitigating controls in place.

“We want to make sure we have appropriate layers of protection,” he said. “We have a process we are controlling and that is controlled by basic automaton control system. Variables may exceed certain thresholds and that would generally raise a process alarm, where a board operator would respond to that and change a set point to bring the process under control. If that failed to happen, then another layer of protection would be the safety shutdown systems, which can be hardwired manual systems, or they can be automated instrumented systems. These respond automatically if the parameter continues to go outside of normal operating conditions and approach dangerous conditions like high pressure, high temperature, or high flow.”

Layers of Protection
The science around making sure there are adequate layers of protection starts with a process hazard analysis (PHA), which is an organized systematic assessment of potential hazards in the industrial process.

“It has been around for decades and is a standard practice in facilities covered by OSHA, EPA or other governmental organizations,” Cusimano said.

These studies, or assessments, focus on equipment, but it is not focused on people that would attack a system via cyber.

“You have to do a separate cybersecurity study to find vulnerabilities,” Cusimano said. “There may be pathways that make it possible for the control system to be compromised and it could go in and make the safety system vulnerable.”

Assessing Risk
The user could start with a modified HAZOP they would use for a safety scenario.

“It is important for management to have a scale like this so when they are looking at risks across the organization, they have some way of ranking them and identifying which ones are more severe and need to be addressed with higher priority.”

That is where a cyber risk assessment or cyber PHA comes into play.

“It is important for management to have a scale like this so when they are looking at risks across the organization, they have some way of ranking them and identifying which ones are more severe and need to be addressed with higher priority.”
— John Cusimano

A cyber PHA is a systemic approach aligned with standards where you could apply additional countermeasures to fix a security risk.

Vulnerability assessment starts with understanding system you are going to evaluate. A user would look at:
• Evaluation of control system design
• As built or as found drawings
• Analysis of network communications understanding what devices are talking to what devices
• Analysis of network devices
• Analysis of servers/workstations
• Analysis of ICS devices
• Partition system into zones and conduits
• Review policies and procedures
• Recommend mitigations

The methodology behind the cyber PHA gives the user a systemic approach to assess ICS cyber risk. The beauty is the cyber folks don’t have to reinvent the wheel as they can use an approach similar to a PHA/HAZOP. By doing this assessment, it would satisfy the new IEC 61511 security risk assessment requirement. In addition, by applying the cyber PHA, it can help at Process Safety Management (PSM) regulated companies.

The benefits for using the cyber PHA include:
1. Use of process PHAs and corporate risk matrix assures consistent consequences and risk analysis
2. Cross functional, collaborative team approach yields a more accurate risk assessment
3. Prioritized recommendations and plan
4. Prioritize activities and resources
5. Establish a baseline to measure improvement
6. Document and justify decisions
7. Risk register and risk profile
8. Raise cybersecurity awareness

“This can get everybody on the same page and helps eliminate gaps between IT and OT,” Cusimano said. “In the end, it will get the team together to solve a common problem.”

Leave a Reply

You must be logged in to post a comment.