Managing Cybersecurity in the Process Industries (E-Book)
Description

The chemical process industry is a rich target for cyber attackers intent on causing harm. Current risk management techniques are based on the premise that events are initiated by a single failure and that the succeeding sequence of events is predictable. A cyberattack on the Safety Controls, Alarms, and Interlocks (SCAI) undermines this basic assumption. Each facility should have a Cybersecurity Policy, an Implementation Plan, and a Threat Response Plan in place. The response plan should address how to bring the process to a safe state when controls and safety systems are compromised, and the emergency response plan should be updated to reflect the different actions that may be appropriate in a sabotage situation. IT professionals, even those working at chemical facilities, are primarily focused on the risk to business systems. This book contains guidelines for companies on how to improve their process safety performance by applying Risk Based Process Safety (RBPS) concepts and techniques to the problem of cybersecurity.


Page count: 560

Year of publication: 2022




Table of Contents

Cover

Title Page

Copyright

List of Figures

List of Tables

Acronyms and Abbreviations

Glossary

Acknowledgments

Managing Cybersecurity in the Process Industries

Preface

Part 1: Introduction, Background, and History of Cybersecurity

1 Purpose of this Book

1.1 Target Audience

1.2 What is Cybersecurity?

1.3 What is Operational Technology (OT)?

1.4 Which industries have OT?

1.5 Scope

1.6 Organization of the Book

2 Types of Cyber‐Attacks, Who Engages in Them and Why

2.1 Types of Cyber‐Attacks

2.2 Who Commits Cybercrimes and Their Motives

2.3 Summary

3 Types of Risk Receptors/Targets

3.1 What is Cybersecurity Risk

3.2 What are Common Cybersecurity Targets?

3.3 Types of Cybersecurity Consequences

3.4 Summary

4 Threat Sources and Types of Attacks

4.1 Non‐Targeted Attacks

4.2 Targeted Attacks

4.3 Advanced Persistent Threats (APT)

4.4 Summary

5 Who Could Create a Cyber Risk? Insider vs. Outsider Threats

5.1 Insider Cybersecurity Risk

5.2 Outsider Cybersecurity Risk

5.3 Summary

6 Case Histories

6.1 Maroochy Shire

6.2 Stuxnet

6.3 German Steel Mill

6.4 Ukrainian Power Grid

6.5 NotPetya

6.6 Triton

6.7 Düsseldorf Hospital Ransomware

6.8 SolarWinds

6.9 Florida Water System

6.10 Colonial Pipeline Ransomware

6.11 Summary

Part 2: Integrating Cybersecurity Management into the Process Safety Framework

7 General Model for Understanding Cybersecurity Risk

7.1 Cybersecurity Lifecycle

7.2 Integrated Cybersecurity and Safety Lifecycle

7.3 NIST Cybersecurity Framework

7.4 Summary

8 Designing a Secure Industrial Automation and Control System

8.1 The Disconnect between IT and OT Risk Management

8.2 Inherently Safer vs. Inherently More Secure

8.3 Defense‐in‐Depth

8.4 Network Segmentation

8.5 System Hardening

8.6 Security Monitoring

8.7 Risk Compatibility Assessment

8.8 Summary

9 Hazard Identification and Risk Analysis (HIRA)

9.1 Use of Process Safety Tools to Identify and Manage Cybersecurity Risk

9.2 Qualitative Methods

9.3 Quantitative Methods

9.4 How to Prioritize Risk Reduction Measures?

9.5 Revalidation/Reassessment

9.6 Summary

10 Manage the Risk

10.1 Management Approach

10.2 Initial Steps

10.3 Cybersecurity Culture

10.4 Compliance with Standards

10.5 Cybersecurity Competency

10.6 Workforce Involvement

10.7 Stakeholder Outreach

10.8 Process Knowledge Management

10.9 Operating Procedures

10.10 Safe Work Practices

10.11 Management of Change

10.12 Asset Integrity and Reliability

10.13 Contractor Management

10.14 Training and Performance Assurance

10.15 Operational Readiness

10.16 Conduct of Operations

10.17 Emergency Management

10.18 Incident Investigation

10.19 Measurements and Metrics

10.20 Auditing

10.21 Management Review and Continuous Improvement

10.22 Summary

11 Implementing a Holistic Approach to Safety and Cybersecurity

11.1 Cybersecurity Management Systems (CSMS)

11.2 Integrating CSMS with Process Safety Management

11.3 Summary

Part 3: Where Do We Go from Here?

12 What's Next? A Look at Future Development Opportunities

12.1 Cybersecurity Adoption Trends

12.2 Emerging Technologies

12.3 Summary

13 Available Resources

13.1 Local, Regional, and Global Topics

13.2 Cybersecurity Incident Repositories

13.3 Competency Requirements and Training Availability

13.4 Administration vs. Accountability Functions

13.5 Summary

Appendix A Excerpt from NIST Cybersecurity Framework

Appendix B Detailed Cybersecurity PHA and LOPA Example

B.1 System Basis

B.2 Initial Risk Assessment

B.3 Detailed Risk Assessment (Cyber PHA/HAZOP)

B.4 LOPA/Semi‐Quantitative SL Verification

Appendix C Example Cybersecurity Metrics

Appendix D Cybersecurity Sample Audit Question List

Appendix E Management System Review Examples

References

Index

End User License Agreement

List of Tables

Chapter 1

Table 1‐1 RBPS Accident and Cybersecurity Event Prevention Pillars

Chapter 3

Table 3-1 Considerations for Consequence Risk Table

Chapter 4

Table 4-1 Attack Characteristics by Threat Source Type

Table 4-2 Cyber Kill Chain® Steps and Description

Table 4-3 Attack Characteristics by Threat Source Type

Chapter 5

Table 5-1 Sub‐Groups of Insider Cyber activities

Chapter 6

Table 6-1 Major Victims of NotPetya Attack

Chapter 7

Table 7-1 IEC 62443 Security Levels (SL)

Table 7-2 Lifecycle Steps for Process Safety and Cybersecurity

Table 7-3 NIST Framework Functions and Categories

Chapter 8

Table 8-1 Differences Between IT and OT

Table 8-2 Attack Surface

Table 8-3 Common Cybersecurity Protections

Table 8-4 Typical SIEM Features and Descriptions

Chapter 9

Table 9-1 Process Safety and Cybersecurity Techniques

Table 9-2 Example Severity Matrix

Table 9-3 Example Likelihood Matrix

Table 9-4 Example Corporate Risk Matrix

Table 9-5 Risk Ranking to Security Level Target

Table 9-6 Initial Risk Assessment Worksheet

Table 9-7 Threat Definition Examples

Table 9-8 Threat Likelihood by Threat Source

Table 9-9 Detailed Risk Assessment Worksheet

Table 9-10 Cybersecurity Checklist

Table 9-11 Example Cybersecurity FMEA for Safety PLC

Table 9-12 Target Attractiveness Estimates

Table 9-13 Cybersecurity Countermeasures and Estimated PFD

Table 9-14 Semi‐Quantitative SL Verification Worksheet

Table 9-15 HIRA RBPS Principles and Cybersecurity Considerations

Chapter 10

Table 10-1 Cybersecurity Culture

Table 10-2 Industry Codes, Standards, and Practices

Table 10-3 Compliance with Standards

Table 10-4 Cybersecurity Competency

Table 10-5 Workforce Involvement

Table 10-6 Stakeholder Outreach

Table 10-7 Process Knowledge Management

Table 10-8 Operating Procedures

Table 10-9 Safe Work Practices

Table 10-10 Management of Change

Table 10-11 Asset Integrity and Reliability

Table 10-12 Contractor Management

Table 10-13 Training and Performance Assurance

Table 10-14 Operational Readiness

Table 10-15 Conduct of Operations

Table 10-16 Incident Response Plan Considerations

Table 10-17 Emergency Management

Table 10-18 Incident Investigation

Table 10-19 Leading Indicator Metrics

Table 10-20 Measurements and Metrics

Table 10-21 Auditing

Table 10-22 Cybersecurity Assessment Stages

Table 10-23 Management Review

Chapter 11

Table 11-1 Example RACI Chart for Cybersecurity Lifecycle Activities

Table 11-2 Example IACS Cybersecurity Audit Checklist

Table 11-3 Example Cybersecurity Lifecycle Procedures/Templates

Chapter 13

Table 13-1 IACS Cybersecurity Practices, Standards, and Regulations

Table 13-2 Cybersecurity Competency Requirements Example

Table 13-3 Certification or Certificate

Appendix A

Table A-1 Example NIST Framework Structure

Appendix B

Table B-1 Example Severity Matrix

Table B-2 Example Likelihood Matrix

Table B-3 Example Corporate Risk Matrix

Table B-4 Risk Ranking to Security Level Target

Table B-5 Threat Definition Examples

Table B-6 Threat Definition Examples and Likelihoods

Table B-7 Consequence Definition per Threat

Table B-8 Consequence and Severity Definition per Threat

Table B-9 Cybersecurity HAZOP Worksheet with Countermeasures

Table B-10 Countermeasure Effectiveness

Table B-11 Completed Cybersecurity HAZOP Worksheet

Table B-12 Target Attractiveness Estimates

Table B-13 Cybersecurity Countermeasures and Estimated

Table B-14 Semi‐Quantitative SL Verification Worksheet

Table B-15 Severity Level and Tolerable Frequency

Appendix D

Table D‐1 Cybersecurity Sample Audit Checklist

List of Illustrations

Chapter 1

Figure 1‐1 Major Industrial Cybersecurity Events in the Last Decade

Figure 1‐2 Cybersecurity Management System Pillars

Figure 1‐3 OT Reference Model

Chapter 4

Figure 4‐1 Distributed Denial of Service Attack Diagram

Figure 4‐2 Man‐in‐the‐Middle Attack Diagram

Chapter 6

Figure 6‐1 Simplified Maroochy Shire SCADA System

Figure 6‐2 Petrochemical Site Simplified Network Architecture

Chapter 7

Figure 7‐1 Assess Phase

Figure 7‐2 Implement Phase

Figure 7‐3 Maintain Phase

Figure 7‐4 NIST Framework Aligned with Integrated Lifecycle

Chapter 8

Figure 8‐1 IT vs. OT Priorities

Figure 8‐2 Hierarchy of Controls

Figure 8‐3 Defense‐in‐Depth for Cybersecurity

Figure 8‐4 Example Network Architecture with Extreme Connectivity

Figure 8‐5 Example Network Architecture with Complete Separation

Figure 8‐6 Example Network Architecture with DMZ (Single Firewall)

Figure 8‐7 Example Network Architecture with DMZ (Dual Firewall)

Figure 8‐8 Network Segmentation with Data Diodes

Figure 8‐9 Combined Control and Safety Engineering Workstation

Figure 8‐10 Separate Control and Safety Engineering Workstations

Figure 8‐11 Separate Control and Safety Zones with Data Diode

Figure 8‐12 Multi‐Step Remote Access to IACS Systems

Figure 8‐13 Ring Configuration for Unmanned Remote Operations

Figure 8‐14 Extending Logical Networks to Remote Sites

Chapter 9

Figure 9‐1 Determining the Scope of Cybersecurity Assessments

Figure 9‐2 Process Safety and Cybersecurity Analysis Considerations

Figure 9‐3 Initial Risk Assessment Methodology

Figure 9‐4 Detailed‐Level Risk Assessment Methodology

Figure 9‐5 Network Architecture for FMEA

Figure 9‐6 Cybersecurity Vulnerability Methodology

Figure 9‐7 Bow Tie Diagram

Figure 9‐8 Example Cybersecurity Bow Tie Diagram

Figure 9‐9 Swiss Cheese Model

Figure 9‐10 Semi‐Quantitative SL Verification Methodology

Chapter 10

Figure 10‐1 Example Job Cyber Assessment

Chapter 11

Figure 11‐1 Implementing Holistic Cybersecurity and Safety Approach

Figure 11‐2 Continuous Improvement Process for CSMS

Chapter 12

Figure 12‐1 Zero‐Trust Architecture

Figure 12‐2 Simple Example of Software Bill of Materials

Chapter 13

Figure 13‐1 Drivers for Facility Risk Management

Appendix B

Figure B‐1 Simplified Isomerization Process Flow Diagram

Figure B‐2 Simplified Network Architecture

Figure B‐3 Identification of System Under Consideration

Figure B‐4 Device Selection

Figure B‐5 Consequence Severity Ranking

Figure B‐6 Likelihood Ranking

Figure B‐7 Initial Risk Ranking

Figure B‐8 Security Level Target

Figure B‐9 Initial Risk Assessment Results

Figure B‐10 Updated Zone and Conduit Diagram

Figure B‐11 BPCS Zone for Detailed Risk Assessment

Figure B‐12 Updated Risk Ranking

Figure B‐13 Updated Security Level Target

Figure B‐14 Likelihood with Countermeasures


This book is one in a series of process safety guidelines and concept books published by the Center for Chemical Process Safety (CCPS). Refer to www.wiley.com/go/ccps for a full list of titles in this series.

It is sincerely hoped that the information presented in this document will lead to a better safety record for the entire industry; however, neither the American Institute of Chemical Engineers, its consultants, CCPS Technical Steering Committee and Subcommittee members, their employers, their employers' officers and directors, nor exida, and its employees and subcontractors warrant or represent, expressly or by implication, the correctness or accuracy of the content of the information presented in this document. As between (1) American Institute of Chemical Engineers, its consultants, CCPS Technical Steering Committee and Subcommittee members, their employers, their employers' officers and directors, and exida and its employees and subcontractors, and (2) the user of this document, the user accepts any legal liability or responsibility whatsoever for the consequence of its use or misuse.

Managing Cybersecurity in the Process Industries

A Risk‐Based Approach

CENTER FOR CHEMICAL PROCESS SAFETY

of the

AMERICAN INSTITUTE OF CHEMICAL ENGINEERS

120 Wall Street, 23rd Floor • New York, NY 10005

This edition first published 2022

© 2022 the American Institute of Chemical Engineers

A Joint Publication of the American Institute of Chemical Engineers and John Wiley & Sons, Inc.

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, except as permitted by law. Advice on how to obtain permission to reuse material from this title is available at http://www.wiley.com/go/permissions.

The rights of CCPS to be identified as the author of the editorial material in this work have been asserted in accordance with law.

Registered Office

John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, USA

Editorial Office

111 River Street, Hoboken, NJ 07030, USA

For details of our global editorial offices, customer services, and more information about Wiley products visit us at www.wiley.com.

Wiley also publishes its books in a variety of electronic formats and by print‐on‐demand. Some content that appears in standard print versions of this book may not be available in other formats.

Limit of Liability/Disclaimer of Warranty

While the publisher and authors have used their best efforts in preparing this work, they make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives, written sales materials or promotional statements for this work. The fact that an organization, website, or product is referred to in this work as a citation and/or potential source of further information does not mean that the publisher and authors endorse the information or service the organization, website, or product may provide or recommendations it may make. This work is sold with the understanding that the publisher is not engaged in rendering professional services. The advice and strategies contained herein may not be suitable for your situation. You should consult with a specialist where appropriate. Further, readers should be aware that websites listed in this work may have changed or disappeared between when this work was written and when it is read. Neither the publisher nor authors shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

Library of Congress Cataloging‐in‐Publication Data is Applied for:

ISBN: 9781119861782

Cover Design: Wiley

Cover Images: © Alexander Supertramp/Shutterstock, Travel mania/Shutterstock


Acronyms and Abbreviations

5G: Fifth generation technology standard for cellular networks
AIChE: American Institute of Chemical Engineers
API: American Petroleum Institute
APT: Advanced Persistent Threat
AWIA: America's Water Infrastructure Act
BAS: Building Automation System
BMS: Burner Management System
BPCS: Basic Process Control System
CCPS: Center for Chemical Process Safety
CEMS: Continuous Emissions Monitoring Systems
CFATS: Chemical Facility Anti‐Terrorism Standards
CFR: Code of Federal Regulations
C‐IRP: Cybersecurity Incident Response Plan
CISA: Cybersecurity & Infrastructure Security Agency
CISO: Chief Information Security Officer
CMMS: Computerized Maintenance Management Systems
CMR: Countermeasure
CMS: Configuration Management Systems
COTS: Commercial Off‐the‐Shelf
CRC: Cyclic Redundancy Check
CSA: Cybersecurity Assessment
CSMS: Cybersecurity Management System
CVA: Cybersecurity Vulnerability Assessment
CVSS: Common Vulnerability Scoring System
DCS: Distributed Control System
DDoS: Distributed Denial of Service
DMZ: Demilitarized Zone
DNS: Domain Name System
DoS: Denial of Service
FAT: Factory Acceptance Test
FERC: Federal Energy Regulatory Commission
FMEA: Failure Modes and Effects Analysis
HAZOP: Hazard and Operability Study
HIPPS: High Integrity Pressure Protection System
HIRA: Hazard Identification and Risk Analysis
IACS: Industrial Automation and Control Systems
IDS: Intrusion Detection System
IEC: International Electrotechnical Commission
IETF: Internet Engineering Task Force
IIoT: Industrial Internet of Things
IoA: Internet of Automation
IoT: Internet of Things
IP: Internet Protocol
IPL: Independent Protection Layer
IPS: Intrusion Prevention System
ISA: International Society of Automation
ISAC: Information Sharing and Analysis Center
ISO: International Organization for Standardization
IT: Information Technology
KPI: Key Performance Indicator
LAN: Local Area Network
LOPA: Layer of Protection Analysis
MAC: Media Access Control
MCC: Motor Control Center
MDR: Managed Detection and Response
MFA: Multi‐factor Authentication
MITM: Man‐in‐the‐Middle
MOC: Management of Change
MTSA: Maritime Transportation Security Act
NCSC: National Cyber Security Centre (UK)
NERC: North American Electric Reliability Corporation
NERC CIP: North American Electric Reliability Corporation Critical Infrastructure Protection
NIST: National Institute of Standards and Technology
NTIA: National Telecommunications and Information Administration
NVD: National Vulnerability Database
OS: Operating System
OSHA: Occupational Safety and Health Administration
OT: Operational Technology
PFD: Probability of Failure on Demand
PHA: Process Hazard Analysis
PKI: Public Key Infrastructure
PLC: Programmable Logic Controller
PSCAI: Process Safety Controls, Alarms, and Interlocks
PS‐ERP: Process Safety Emergency Management Plan
PSM: Process Safety Management
PSSR: Pre‐startup Safety Review
QRA: Quantitative Risk Analysis
RaaS: Ransomware as a Service
RACI: Responsible, Accountable, Consulted, Informed
RAGAGEP: Recognized and Generally Accepted Good Engineering Practice
RAN: Radio Access Network
RBPS: Risk Based Process Safety (CCPS)
RDP: Remote Desktop Protocol
RIK: Replacement‐In‐Kind
RTU: Remote Terminal Unit
SAT: Site Acceptance Test
SBOM: Software Bill of Materials
SCADA: Supervisory Control and Data Acquisition
SDN: Software‐Defined Networking
SIEM: Security Information and Event Management
SIEMS: Security Information and Event Management System
SIF: Safety Instrumented Function
SIL: Safety Integrity Level
SIS: Safety Instrumented System
SL: Security Level
SOC: Security Operations Center
SOP: Standard Operating Procedure
SUC: System Under Consideration
SVA: Security Vulnerability Assessment
SWP: Safe Work Practices
UK HSE: United Kingdom Health and Safety Executive
VLAN: Virtual LAN (Local Area Network)
VPN: Virtual Private Network
WAN: Wide Area Network

Glossary

This Glossary contains Process Safety terms unique to this CCPS publication. The CCPS Process Safety terms in this publication are current at the time of issue. For other CCPS Process Safety terms and updates to these terms, please refer to the CCPS Process Safety Glossary [1].

Audit

A systematic, independent review to verify conformance with prescribed standards of care using a well‐defined review process to ensure consistency and to allow the auditor to reach defensible conclusions.

Backdoor

Any connection (often covert) that allows authorized or unauthorized users to bypass existing security measures and establish a high level of access to a software application, computer system, or network.

Bow Tie Model

A risk diagram showing how various threats can lead to a loss of control of a hazard and allow this unsafe condition to develop into a number of undesired consequences. The diagram can also show all the barriers and degradation controls deployed.

Competency

A PSM program element associated with efforts to maintain, improve, and broaden knowledge and expertise.

Computer virus

A common type of malware that inserts itself into a legitimate program or application and modifies the program or application.

Conduit

Logical grouping of communication assets that protects the security of the channels it contains. (Connections between security zones.)

Continuous Improvement

Doing better as a result of regular, consistent efforts rather than episodic or step‐wise changes, producing tangible positive improvements either in performance, efficiency, or both. Continuous improvement efforts usually involve a formal evaluation of the status of an activity or management system, along with a comparison to an achievement goal. These evaluation and comparison activities occur much more frequently than formal audits.

Cyber Kill Chain®

A model for identifying the steps that adversaries must complete to achieve their objective in a cybersecurity attack on an IACS [2].

Cybersecurity

Prevention of illegal or unwanted penetration of, or interference with, the intended operation of an industrial automation and control system using computer‐based systems.

Cybersecurity Hygiene

Basic cybersecurity practices (that can be followed by any authorized user) to protect the health of computer systems.

Cybersecurity Management System

Program designed by an organization to maintain the cybersecurity of the industrial automation and control system considering requirements for personnel security, cybersecurity procedures, and necessary documentation.

Firewall

Inter‐network connection device that restricts data communication traffic between two connected networks [3].

Hazard and Operability Study (HAZOP)

A systematic qualitative technique to identify process hazards and potential operating problems using a series of guide words to study process deviations. A HAZOP is used to question every part of a process to discover what deviations from the intention of the design can occur and what their causes and consequences may be. This is done systematically by applying suitable guidewords. This is a systematic detailed review technique, for both batch and continuous plants, which can be applied to new or existing processes to identify hazards.

Information Technology (IT)

Hardware and software used to store, retrieve, transmit, or manipulate data or information in systems connected to the internet.

Layer of Protection Analysis (LOPA)

An approach that analyzes one incident scenario (cause‐consequence pair) at a time, using predefined values for the initiating event frequency, independent protection layer failure probabilities, and consequence severity, in order to compare a scenario risk estimate to risk criteria for determining where additional risk reduction or more detailed analysis is needed. Scenarios are identified elsewhere, typically using a scenario‐based hazard evaluation procedure such as a HAZOP Study.

Malware

Malicious software, designed to interfere with the expected functionality of a computer, system, or network.

Operational Technology (OT)

Hardware and software that detects or causes a change through the direct monitoring and/or control of industrial equipment.

Phishing

A fraudulent attempt to obtain sensitive information such as usernames and passwords by impersonating a trustworthy entity, often conducted via email.

Process Safety Controls Alarms and Interlocks (PSCAI)

Safeguards implemented with instrumentation and controls, used to achieve or maintain a safe state for a process, and required to provide risk reduction with respect to a specific hazardous event [4].

Replacement‐In‐Kind (RIK)

An item (equipment, chemical, procedure, etc.) that meets the design specification of the item it is replacing. This can be an identical replacement or any other alternative specifically provided for in the design specification, as long as the alternative does not in any way adversely affect the use of the item or associated items.

Risk Profile

Characterization of the nature and levels of threats faced by an organization considering the likelihood and impact of a security incident. A risk profile supports determination of control measures based on the effectiveness for different types of risks.

Risk Receptor

The entity experiencing harm such as a company, an individual, or the public.

Script Kiddie

Unskilled hacker who lacks the ability to write sophisticated programs on their own but can use readily available hacking tools to execute attacks.

Social Engineering

Methods used in cybersecurity attacks to obtain confidential data by tricking individuals into revealing secure information. (Phishing is a sub‐type of social engineering.)

Spoofing

The process of disguising an unknown, often malicious source as a trusted and known source.

Watering Hole

A strategy used in cybersecurity attacks, where a website is compromised and used to infect those who visit the website with malware.

Zero‐Day Vulnerability

Weakness or vulnerability in computer software that is unknown to the system supplier and security professionals, and for which no fix is therefore yet available.

Zone

Grouping of logical and/or physical assets that share common security requirements.

Zone & Conduit

Architecture diagram for a network or system that identifies the security zones and conduits based on network segmentation devices.

Acknowledgments

The American Institute of Chemical Engineers (AIChE) and the Center for Chemical Process Safety (CCPS) express their appreciation and gratitude to all members of the Managing Cybersecurity in the Process Industries, A Risk‐based Approach Subcommittee for their generous efforts in the development and preparation of this important guideline. CCPS also wishes to thank the subcommittee members’ respective companies for supporting their involvement during the different phases in this project.

Subcommittee Members:

Seshu Dharmavaram, Chair

Air Products and Chemicals, Inc.

Hafiz Zeeshan Ahmed

Tronox – Australia

Blake Benson

ABS Group

John Biasi

1898 & Co.

Denise Chastain‐Knight

exida

John Cusimano

Deloitte & Touche LLP

Chris DaCosta

Air Products

Felix Azenwi Fru

National Grid

Anil Gokhale

CCPS

Azmi B Hashim

Petronas

Kathy Kas

Dow

Walid Khayate

AON – Canada

Rafael Martinez

FMC – Barcelona

Dave Moore

AcuTech

Divyang Shah

Reliance Industries Limited

David Thaman

PPG – retired

Lu Yi

IRC

Jeff Young

Syngenta

Rich Santo

AcuTech

Jim Petrusich

Go‐Arc Israel

The book committee wishes to express their appreciation to Patrick O'Brien, exida, Denise Chastain‐Knight, exida, Shawn Statham, exida, Steve Gandy, exida, Mike Medoff, exida, and Iwan van Beurden, exida, for their contributions in preparing the guideline's draft manuscript.

Before publication, all CCPS books are subjected to a peer review process. CCPS gratefully acknowledges the thoughtful comments and suggestions of the peer reviewers. Their work enhanced the accuracy and clarity of this guideline.

Although the peer reviewers provided comments and suggestions, they were not asked to endorse this guideline and did not review the final manuscript before its release.

Peer Reviewers:

Spencer Casey Bitz, CISSP

OneNeck IT Solutions

Randy Woods

Dow

Craig Fisher

BP (UK)

Sharul A Rashid

Petronas

Managing Cybersecurity in the Process Industries

A Risk‐Based Approach

is dedicated to

Dennis Hendershot

Dennis Hendershot has been a mentor for several generations of process safety professionals, through his long‐time involvement in the Loss Prevention Symposium, to the founding of CCPS in 1985, to his expertise in Inherently Safer Technologies (IST) and even in “retirement”. It was no coincidence that former Secretary of State James Baker selected Dennis to serve on his panel to investigate the BP Texas City incident.

Always willing to help wherever needed, Dennis’ calm demeanor and obvious expertise, combined with a unique way of communicating even the most complex topics clearly and understandably have made him an icon in process safety circles.

From 2005 until 2019 he served as the staff consultant and editor for the Process Safety Beacon, generating a new monthly publication like clockwork. Dennis always had a wealth of ideas that needed attention and always had more than sufficient material to make the Beacon a ‘must read’ for thousands and thousands of readers across the globe. He continues to follow his passion for the Beacon by anchoring the development of the Book of Beacons.

Dennis is an AIChE Fellow and CCPS emeritus. CCPS is proud to dedicate this newest work to Dennis, as a small token of recognition for all he has given and continues to give to the process safety community.

Anil Gokhale & Pete Lodal

Preface

As this text was being finalized, the United States was again responding to a ransomware attack, this time against Colonial Pipeline. Although the disruptions to the public were minimal, and a significant portion of the ransom was recovered by the FBI, it again pointed out the increasing threat of cyber‐attacks against critical infrastructure, businesses, and governmental agencies. Like all near‐miss events, the Colonial Pipeline incident is yet another “free” wake‐up call pointing out the need for ever stronger and more robust cyber protections.

This book is intended to provide a framework for such protection in the process and related industries. One of the key concepts emphasized here is the relationship of, and differences between Information Technology (IT) and Operational Technology (OT). The gap between the two has been widely debated for the last 10 years but the fundamental issues remain, primarily due to lack of skill overlap. While both areas share similar protection goals against cyber‐attacks, the risk‐based assessment outlined in this text highlights significant differences, and how some approaches to IT security are simply not sufficient in the OT space.

Multiple audiences should find this book useful. For those who are looking for an overall framework, or who have managerial responsibilities in the cybersecurity world, the risk‐based approach articulated here provides a management structure for evaluating, detecting, preventing, and responding to OT cyber‐related attacks. For those who simply want to increase their knowledge of the topic, Chapters 1 and 6 (overview and case histories) provide a succinct overview of the subject, with real‐world examples of what could happen if sufficient measures are not in place. And, for the practitioner, who will have to design, implement, test, and improve OT cybersecurity systems, this text provides methods and references to identify, evaluate, and implement effective solutions.

Cybersecurity did not exist 40 years ago. Its evolution has paralleled the increasing use of logic devices to improve process control, and overall process safety. As DCS vendors abandoned proprietary platforms in favor of commonly available ones, it served a commercial competitive goal. Like many other technologies, this migration to more computer and computer‐like controls has improved process safety immensely, while creating an unintended by‐product, namely the ability to do harm in a chemical process at a distance. This is an evolving topic, but the authors and the CCPS committee who have created this text believe that this book sets a workable, risk‐based approach for addressing the issue of cybersecurity in the process industries.

The American Institute of Chemical Engineers (AIChE) has helped chemical plants, petrochemical plants, and refineries address the issues of process safety and loss control since 1967. Through its ties with process designers, plant constructors, facility operators, safety professionals, and academia, the AIChE has enhanced communication and fostered improvement in the high safety standards of the industry. AIChE's publications and symposia have become an information resource for the chemical engineering profession on the causes of incidents and the means of prevention.

The Center for Chemical Process Safety (CCPS), a directorate of AIChE, was established in 1985 to develop and disseminate technical information for use in the prevention of major chemical accidents. CCPS is supported by a diverse group of industrial sponsors in the chemical process industry and related industries who provide the necessary funding and professional guidance for its projects. The CCPS Technical Steering Committee and the technical subcommittees oversee individual projects selected by the CCPS. Professional representatives from sponsoring companies staff the subcommittees and a member of the CCPS staff coordinates their activities.

A successful process safety program relies upon committed managers at all levels of a company, who view process safety as an integral part of overall business management and act accordingly.

September 2021

Peter N. Lodal

D&H Process Safety

Kingsport, TN

Part 1Introduction, Background, and History of Cybersecurity

1Purpose of this Book

Cybersecurity has quickly become an essential component in maintaining the safe and continued operations of industrial facilities. A survey of industrial control system operators in 2019 showed that 59% had experienced a cybersecurity incident in the past year [5]. The increase of cybersecurity incidents is not a phenomenon limited to a few specific companies or only the largest corporations. Over the last ten years, numerous attacks on automation systems such as those listed in Figure 1‐1 continue to demonstrate that industrial facilities of all types and sizes are vulnerable to cybersecurity attack, and that these cyber‐attacks can have significant financial, environmental, and process safety related consequences [6].

Figure 1‐1 Major Industrial Cybersecurity Events in the Last Decade

Over the past 20 years, the conversation has moved from “Who could possibly target control systems for a cybersecurity attack?” to a continuing discussion of the many recent breaches and attacks. What has led to this drastic increase in cybersecurity attacks on industrial control systems? The following list provides several factors that could account for this increase:

Increased interconnectivity of industrial control systems

Increased convergence of OT and IT systems

Increased use of Internet Protocol in OT applications

Increased requirements for remote access

Increased number of readily available hacking tools

Desire to target critical infrastructure for political motives

Increase in number of threat agents with skills to target control systems

Better identification of cybersecurity attacks

Increase in known software vulnerabilities

Increase in known vulnerabilities in legacy systems

Lack of sufficient cybersecurity awareness and training

Potential for significant financial gain

Desire to gain recognition of skills by targeting control systems

While no single cause drives the increase in cybersecurity attacks, it is likely that many of the factors in this list are contributing to the continually evolving cybersecurity landscape.

The purpose of this book is to introduce a risk‐based approach for Managing Cybersecurity in the Process Industries and to help organizations design and implement more effective cybersecurity management system programs that are aligned with existing process safety management systems. This approach includes methods for:

Understanding cybersecurity risk for the process industry,

Integrating cybersecurity management into the existing process safety framework, and

Developing a path forward for the future of cybersecurity for the process industry.

The risk‐based approach provides a consistent basis for comparing cybersecurity risk with process risk so that informed decisions can be made. Not all hazards and risks are equal, and it is important to focus time and resources on the higher risks. Cybersecurity risk for the process industry can vary greatly, from potential business impact arising from denial of service or ransomware to the devastating real‐world impact of a targeted attack that compromises process control and safety systems. The potential of cybersecurity attacks on the process industry to result in safety consequences represents a fundamental shift in approach from traditional IT cybersecurity concerns. Adopting this approach for cybersecurity will help all industries that manufacture, use, or handle hazardous chemicals or energy to:

Develop their approach to cybersecurity incident prevention.

Continuously improve their management system effectiveness.

Employ cybersecurity management for non‐regulatory processes using risk‐based design principles.

Integrate the cybersecurity business case into an organization's business processes.

Focus their resources on higher risk activities.

This approach for cybersecurity management builds on the Guidelines for Risk Based Process Safety (RBPS) [7] and the RBPS Management System Accident Prevention Pillars:

Table 1‐1 RBPS Accident and Cybersecurity Event Prevention Pillars

RBPS Accident Prevention Pillars

Cybersecurity Event Prevention Pillars

Commit to process safety

Commit to cybersecurity

Understand hazards and risk

Understand cybersecurity hazards and risk

Manage risk

Manage cybersecurity risk

Learn from experience

Learn from experience

These pillars remain central for preventing cybersecurity incidents. Leveraging existing risk assessment and management techniques to address cybersecurity reduces the time required to deploy a robust cybersecurity program and improves the alignment between process safety risk management and cybersecurity risk management. The following considerations for cybersecurity outline key steps for addressing cybersecurity risk through the RBPS pillars.

Top management commitment to cybersecurity is a pre‐requisite to successful implementation. Without strong leadership and clear organizational commitment to improving cybersecurity, it is very difficult to make improvements. In addition to driving cybersecurity initiatives, management support is also helpful for establishing a robust cybersecurity culture. Cybersecurity culture is based on awareness (understanding of the cybersecurity impacts of employee actions) and hygiene (understanding of basic security best practices); with these two components in place, conscientious cybersecurity behavior can be promoted. After cybersecurity culture has been established, ongoing management support is critical for sustaining focus on cybersecurity excellence.

Organizations that understand cybersecurity hazards and risk are better able to allocate limited resources in the most effective way. Due to the many misconceptions about cybersecurity for the process industry, developing an accurate understanding of the potential risks is particularly important. This is a necessary step for incorporating cybersecurity risk into the business plan to lower the overall risk level of the organization and maintain safe and continuous operations.

Managing cybersecurity risk consists of multiple phases: identifying and analyzing cybersecurity risk, designing cybersecurity protections, implementing detection systems, establishing procedures for responding to cybersecurity incidents, and recovering from them. Strategies such as implementing a cybersecurity lifecycle can help organizations to reduce unexpected downtime and decrease the potential for adverse cybersecurity impacts.

Learning from experience requires monitoring and acting on internal and external challenges. Common internal challenges include previous cybersecurity incidents and near misses, while external challenges include events at similar facilities, industries, technologies, and increased threat activity. Despite an organization's best efforts in implementing cybersecurity management, with the continually evolving threat landscape, cybersecurity attacks are more a question of “when” than “if.” Responding effectively to these situations and improving defenses in the future are critical aspects of cybersecurity management. An effective approach for learning from real world experience is to:

Apply industry best practices

Correct deficiencies identified from internal incidents

Apply lessons learned from other organizations

Monitoring Key Performance Indicators (KPIs) for cybersecurity throughout the life of the facility can provide useful information about how an organization's cybersecurity approach changes over time. In addition to tracking KPIs, periodic audits/assessments of the current level of cybersecurity drive continuous improvement and sustained results.

The pillars of the risk‐based approach for cybersecurity are shown in Figure 1‐2:

Figure 1‐2 Cybersecurity Management System Pillars

Adapted from [7]

Focusing on the pillars of the risk‐based approach for cybersecurity should enable an organization to improve its cybersecurity effectiveness, reduce the frequency and severity of cybersecurity incidents, and improve its long‐term safety, environmental, and business performance. If the process control system is not secure, it cannot be operated safely. The risk‐based approach helps avoid gaps and inconsistencies in the security approach to prevent common cause failures of the control and safety systems.

1.1 Target Audience

This risk‐based approach for Managing Cybersecurity in the Process Industries is written for practitioners of the process safety lifecycle, including process safety practitioners, process control engineers, instrumentation engineers, maintenance engineers, process engineers, and others. For simplicity, these roles are referred to as process safety professionals throughout the remainder of this book. Additionally, this book is written for key stakeholders whose decisions can impact the implementation of the process safety lifecycle. The goal of this book is to improve awareness and resilience against cybersecurity attacks by leveraging existing techniques for process safety management. Although process safety professionals have a detailed understanding of process risk and operational technology for maintaining operations, they generally have limited experience with cybersecurity considerations. As such, before diving into the specifics of integrating cybersecurity and process safety management it is necessary to outline the fundamental aspects of cybersecurity.

1.2 What is Cybersecurity?

The IEC 62443‐1‐1 standard [3] defines security as:

Measures taken to protect a system.

Condition of a system that results from the establishment and maintenance of measures to protect the system.

Condition of system resources being free from unauthorized access and from unauthorized or accidental change, destruction, or loss.

Capability of a computer‐based system to provide adequate confidence that unauthorized persons and systems can neither modify the software and its data nor gain access to the system functions, and yet ensure that this is not denied to authorized persons and systems.

Prevention of illegal or unwanted penetration of, or interference with, the proper and intended operation of an industrial automation and control system.

Essentially, security refers to the ability to protect something from various threats, and cybersecurity is focused on protection from unauthorized access for computer‐based systems. Although cybersecurity is a relatively new concept, security in the broader sense has been relevant for as long as there have been things worth protecting.

One common analogy for security is that of the medieval castle. These strongholds of defense were designed with security at their core. The moat, walls, and towers were the measures taken to protect something of value from various threats, such as bandits or attacking armies. This example introduces a key concept for designing with security in mind: defense‐in‐depth. Defense‐in‐depth is the principle of maintaining independence across security measures, so that if one layer of defense is compromised, the others remain intact.

Moreover, for a moat to be effective, a drawbridge must grant access to authorized visitors. For security to be maintained, it is important that a gate is also included. This ensures that even if the drawbridge is compromised and cannot be raised, rendering the moat ineffective, the security measures of the wall and gate remain uncompromised.

It is important to note that the defenses of castles only worked until technology advancements such as gunpowder and modern weaponry enabled the walls to be breached easily. Similarly, cybersecurity defenses must be maintained and kept technically current; otherwise, they become obsolete and ineffective against attackers.

The three main types of security are physical, personnel, and cyber. These three types of security are closely related and must be implemented together to develop a robust, integrated security policy. It is insufficient to evaluate only one area of security. To truly secure a facility from cyber risk, personnel and physical security must be evaluated in combination with cybersecurity.

1.2.1 What do Process Safety Professionals know about Cybersecurity?

Often when people (including process safety professionals) hear the term cybersecurity, they picture a hooded figure in a dark room “hacking” personal information on an IT network. These “stereotypical” attacks may consist of stealing a user's password using phishing emails (emails designed to trick users into giving personal information and passwords to an attacker) with fake links or attachments that result in downloading/executing malware when clicked. These attacks could lead to identity theft or compromised financial information. Although these are types of cybersecurity attacks that happen on a regular basis, they do not provide the full cybersecurity picture for the process industry. Modern cyber‐attacks can go far beyond stealing personal data and have the potential to inflict significant harm on personnel, equipment, and the environment.

A 2014 cybersecurity attack on a German steel mill highlights just how dangerous attacks on control systems can be. Attackers gained access to the corporate network through a phishing campaign intended to compromise operator accounts. They were then able to access the control network and caused multiple process controls to fail. As a result, a furnace at the steel mill was prevented from shutting down, which resulted in significant equipment damage. Fortunately, the site was able to identify the hazardous scenario and evacuate nearby personnel; however, similar incidents involving industrial furnaces have resulted in loss of life [8].

1.2.2 What should Process Safety Professionals know about Cybersecurity?

The attack on the German steel mill introduces one of the fundamental differences between Information Technology (IT) and Operational Technology (OT) cybersecurity: attacks on OT can have physical impacts. These differing consequences are a primary driver for the conflicting IT and OT cybersecurity priorities.

For IT security, performance and confidentiality are paramount, and outages, while undesirable, are generally tolerable. This is not true for the process industry, where the availability and integrity of the control and safety systems outweigh all other considerations. The priorities are not the only difference between OT and IT cybersecurity, and additional information on these differences is provided in Chapter 8.

Understanding the impact of OT cybersecurity attacks on the process control system is essential for process safety professionals. Particularly striking about the cybersecurity impact on process safety is the possibility for a cybersecurity attack to result in the common cause failure of multiple systems. Industry examples such as the German Steel Mill attack [8], Stuxnet [9], and the Saudi petrochemical facility attack [10] have shown that attackers target both the control and safety/protective functions to achieve the maximum consequence. (Additional information on these and other cybersecurity case studies is included in Chapter 6.) The potential for cybersecurity attacks to trigger the initiating event of a hazard and bypass multiple protection layers can lead to significant unmitigated risk if sufficient security protections are not in place.

Cybersecurity poses new challenges, but by leveraging existing risk assessment and risk management models with new insights, cybersecurity risk can be effectively evaluated. To support this approach, several tools and techniques have been developed for process safety professionals. The following list includes available industry best practice references and regulatory requirements:

Guidelines for Risk Based Process Safety [7]

NIST Cybersecurity Framework [11]

IEC 62443 [12]

ISA TR84.00.09 [13]

Chemical Facility Anti‐Terrorism Standards: Critical Infrastructure, United States [14]

NERC CIP: Power, United States [15]

AWIA: Water and Wastewater, United States [16]

Further discussion of the NIST cybersecurity framework and the IEC 62443 standard is provided in Chapter 7 as a baseline approach for adopting cybersecurity.

In the United States, OSHA's Process Safety Management (PSM) regulation, 29 CFR 1910.119 [17], is often viewed as synonymous with process safety. For many companies in the process industry, application of the IEC 61511 standard is used to demonstrate that OSHA safety requirements related to Safety Instrumented Systems are met. The updated IEC 61511 standard [18] released in 2016 does include new cybersecurity requirements. Any company claiming compliance with the IEC 61511 standard is now expected to complete mandatory cybersecurity activities, including a cybersecurity risk assessment for the Safety Instrumented System (SIS) and all connected networks. Many organizations conduct IT risk assessments of the corporate network, but these studies do not often focus on OT assets such as safety or control systems. As a result, a separate OT focused risk assessment is typically needed to comply with the IEC 61511 requirements.

The growing inclusion of cybersecurity requirements in regulations and international standards serves to underline the fundamental importance of cybersecurity for process safety engineers. Cybersecurity incidents have become a credible threat to controls, alarms, and SIS. Cybersecurity needs to be assessed since attacks can lead to common cause failure of all safety instrumented functions (SIFs) in an SIS. Without sufficient cybersecurity protection, traditional protection layers such as Basic Process Control System (BPCS) interlocks, SIS interlocks, and alarms cannot be relied on to raise operator awareness of an unsafe condition or automatically bring the process to the safe state. Simply put ‐ without security, there is no safety.
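The following is an added worked example, not from this book or any standard, that puts numbers on the common cause point above using the LOPA arithmetic from the Glossary definition (initiating event frequency multiplied by the probability of failure on demand of each independent protection layer, compared against a risk criterion). It contrasts a conventional LOPA, in which every layer is credited as independent, with a cyber scenario in which one intrusion both drives the process to the hazardous condition and defeats every network‐reachable layer, so only layers that cannot be reached from the network keep their credit. Every frequency, PFD and tolerable‐frequency value, the scenario itself, and the assumed attack frequency are illustrative assumptions chosen for the example.

```python
"""
Added, constructed LOPA example (not from the book or any standard): compares the
conventional scenario risk estimate, where every protection layer is credited as
independent, with a cyber scenario in which one attack both causes the initiating
event and defeats every network-reachable layer. Every number below is an
illustrative assumption.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProtectionLayer:
    name: str
    pfd: float            # probability of failure on demand (assumed value)
    cyber_exposed: bool   # True if the layer depends on networked logic/instrumentation


@dataclass(frozen=True)
class Scenario:
    description: str
    initiating_event_frequency: float   # demands per year (assumed)
    layers: tuple                        # ProtectionLayer instances
    tolerable_frequency: float           # risk criterion, events per year (assumed)


def mitigated_frequency(demand_frequency, layers):
    """LOPA arithmetic: demand frequency times the PFD of each credited layer."""
    freq = demand_frequency
    for layer in layers:
        freq *= layer.pfd
    return freq


def conventional_lopa(scenario):
    """Classic LOPA: the initiating event is a random failure and all IPLs are independent."""
    return mitigated_frequency(scenario.initiating_event_frequency, scenario.layers)


def cyber_common_cause_lopa(scenario, attack_frequency):
    """Cyber scenario: the attacker drives the process to the hazardous condition
    (the demand) and, in the same intrusion, disables every cyber-exposed layer.
    Those layers are no longer independent of the initiating event, so they earn
    no credit; only layers unreachable from the network remain."""
    surviving = tuple(l for l in scenario.layers if not l.cyber_exposed)
    return mitigated_frequency(attack_frequency, surviving), surviving


def additional_rrf_needed(frequency, tolerable_frequency):
    """Risk reduction factor still required to meet the criterion; 1.0 means none."""
    return max(1.0, frequency / tolerable_frequency)


# Constructed scenario: high level in a pressurized vessel leading to overpressure.
EXAMPLE = Scenario(
    description="Vessel overfill / overpressure (constructed example)",
    initiating_event_frequency=0.1,   # BPCS level-control loop failure, 1 in 10 years (assumed)
    layers=(
        ProtectionLayer("BPCS high-level interlock", pfd=0.1, cyber_exposed=True),
        ProtectionLayer("SIS high-high level trip (SIL 2)", pfd=0.01, cyber_exposed=True),
        ProtectionLayer("Mechanical relief valve", pfd=0.01, cyber_exposed=False),
    ),
    tolerable_frequency=1e-5,
)

ASSUMED_ATTACK_FREQUENCY = 0.01   # one successful targeted intrusion per 100 years (assumed)


def run_example(scenario=EXAMPLE, attack_frequency=ASSUMED_ATTACK_FREQUENCY):
    """Return both estimates and the extra risk reduction each would still need."""
    conventional = conventional_lopa(scenario)
    cyber, surviving = cyber_common_cause_lopa(scenario, attack_frequency)
    return {
        "conventional_frequency": conventional,
        "conventional_rrf_needed": additional_rrf_needed(conventional, scenario.tolerable_frequency),
        "cyber_frequency": cyber,
        "cyber_rrf_needed": additional_rrf_needed(cyber, scenario.tolerable_frequency),
        "surviving_layers": [l.name for l in surviving],
    }


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

With these assumed values the conventional estimate (0.1 × 0.1 × 0.01 × 0.01 = 1e‐6 per year) meets the 1e‐5 criterion comfortably, while the cyber scenario leaves only the relief valve credited and lands at 1e‐4 per year, a factor of ten short. The point is not the particular numbers but that the cyber scenario must be analyzed as its own cause‐consequence pair, with the instrumented layers treated as a single common‐cause group rather than as independent credits.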

1.3 What is Operational Technology (OT)?

OT cybersecurity is focused on the protection of operational technology, such as automation systems, industrial control systems, process control networks, and supervisory control and data acquisition systems, from compromise. This book includes information on OT cybersecurity as it relates to the process industry.

Operational Technology (OT) is any hardware or software that detects or causes a change directly to industrial equipment, assets, processes, and events. Essentially, OT systems are capable of monitoring, controlling, and/or performing safeguarding of physical equipment. Common types of OT equipment/systems include:

Basic Process Control System (BPCS)

Safety Instrumented System (SIS)

Programmable Logic Controllers (PLCs)

Distributed Control System (DCS)

Supervisory Control and Data Acquisition (SCADA)

Fire and Gas Detection Systems

Allocation and Custody Metering System

Motor Control Centers (MCCs)

Burner Management Systems (BMS)

Building Management/Automation Systems (BAS)

Alarm Management System

Continuous Emissions Monitoring Systems (CEMS)

Machine Monitoring Systems (MMS)

Pipeline Leak Detection Systems (PLDS)

Terminal Automation System

Often, many of these different types of OT components are used in the same OT network to control a variety of different process equipment. Building a reference model, such as the one in Figure 1‐3, is often helpful to show the interaction of OT equipment and more clearly illustrate the OT interface with the traditional IT network.

Figure 1‐3 OT Reference Model

Source: IEC 62443‐1‐1 [3]

The traditional OT system is made up of levels 0 through 3:

Level 0 (process) contains the physical equipment being controlled or monitored by the OT network (e.g., actuated valve, pressure transmitter).

Level 1 (basic control) contains the components that interface directly with process equipment, including the programmable logic controllers responsible for basic control (e.g., BPCS, DCS) and for safety and protection (e.g., SIS, BMS, safety PLC).

Level 2 (area control) contains the site monitoring and local display (e.g., CEMS, operator workstations) that provide additional information about the components in levels 1 and 0. Elements of supervisory control (e.g., SCADA) are also considered in this level.

Level 3 (site operations) contains operations/systems management that are not directly interfacing with equipment from level 1 (e.g., building management). In some applications, elements of supervisory control are also a part of level 3.

The assets in levels 1‐3 have the potential to cause changes at level 0 and affect the physical process; as such, they need to be considered when addressing cybersecurity. When smart devices such as smart transmitters or valve positioners are used in level 0, they need to also be considered in the cybersecurity risk assessment.

Level 4 is composed of the enterprise systems that traditionally make up an internet connected IT network (or corporate wide area network (WAN)/local area network (LAN)). It is important to protect these systems to achieve overall security; however, these enterprise systems are outside the scope of this guideline.

Level 3.5 (the demilitarized zone or DMZ) is often implemented as a buffer between the IT network and the OT network to prevent direct traffic between the two. Ownership of the DMZ is often shared between IT and OT teams, and it is an important element of the OT network's perimeter security. This is another area where coordination and a close working relationship between IT and OT team members is needed to achieve the organization's cybersecurity goals. More information on the use of a DMZ to improve network segmentation is provided in Chapter 8.
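The following added example (not from the book, and not any vendor's firewall syntax) turns the Glossary's Zone, Conduit and Firewall definitions and the reference levels above into a small, checkable policy model. Zones group assets with common security requirements and are given a reference level; conduits are the only permitted paths between zones, each restricted to named services; and a separate check flags any conduit that joins Level 4 directly to Level 3 or below, which is exactly the direct IT‐to‐OT traffic the Level 3.5 DMZ exists to prevent. The zone names, address ranges, services and sample connection attempts are all constructed for illustration.

```python
"""
Added example, not from the book: a minimal zone-and-conduit policy model for the
reference levels described above. Zones group assets with common security
requirements; conduits are the only permitted paths between zones, and nothing
may cross from Level 4 to Level 3 or below without passing through the Level 3.5
DMZ. Zone names, address ranges, services and sample flows are all constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

DMZ_LEVEL = 3.5   # Level 3.5 in the reference model


@dataclass(frozen=True)
class Zone:
    name: str
    level: float
    network: str            # CIDR block assigned to the zone (constructed)


@dataclass(frozen=True)
class Conduit:
    src: str                # zone that initiates the connection
    dst: str                # zone that accepts it
    services: frozenset     # permitted (protocol, port) pairs


ZONES = {
    "enterprise":    Zone("enterprise", 4, "10.0.0.0/16"),
    "dmz":           Zone("dmz", DMZ_LEVEL, "10.1.0.0/24"),
    "site_ops":      Zone("site_ops", 3, "10.2.0.0/24"),
    "area_control":  Zone("area_control", 2, "10.3.0.0/24"),
    "basic_control": Zone("basic_control", 1, "10.4.0.0/24"),
}

CONDUITS = (
    Conduit("site_ops", "dmz", frozenset({("tcp", 5432)})),                   # historian replicates to DMZ mirror
    Conduit("enterprise", "dmz", frozenset({("tcp", 443), ("tcp", 3389)})),   # enterprise reads mirror, reaches jump host
    Conduit("dmz", "site_ops", frozenset({("tcp", 3389)})),                   # jump host to engineering workstation
    Conduit("site_ops", "area_control", frozenset({("tcp", 4840)})),          # OPC UA to area servers
    Conduit("area_control", "basic_control", frozenset({("tcp", 502)})),      # HMI to PLC, Modbus/TCP
)


def zone_of(ip):
    """Map an address to its zone, or None if it belongs to no defined zone."""
    addr = ip_address(ip)
    for zone in ZONES.values():
        if addr in ip_network(zone.network):
            return zone
    return None


def perimeter_violations(conduits):
    """Conduits that join Level 4 directly to Level 3 or below bypass the DMZ."""
    bad = []
    for c in conduits:
        a, b = ZONES[c.src].level, ZONES[c.dst].level
        if (a == 4 and b < DMZ_LEVEL) or (b == 4 and a < DMZ_LEVEL):
            bad.append(c)
    return bad


def evaluate_flow(src_ip, dst_ip, proto, port, conduits=CONDUITS):
    """Decide whether a connection attempt is permitted by the zone/conduit policy."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return "deny:unknown-zone"
    if src.name == dst.name:
        return "allow:intra-zone"
    for c in conduits:
        if c.src == src.name and c.dst == dst.name:
            return "allow:conduit" if (proto, port) in c.services else "deny:service"
    return "deny:no-conduit"


# Constructed connection attempts, as might be parsed from a firewall log.
SAMPLE_FLOWS = (
    ("10.2.0.10", "10.1.0.5", "tcp", 5432),   # historian -> DMZ mirror
    ("10.0.5.20", "10.1.0.5", "tcp", 443),    # enterprise browser -> DMZ mirror web page
    ("10.0.5.20", "10.2.0.15", "tcp", 3389),  # enterprise laptop straight to engineering workstation
    ("10.1.0.9", "10.2.0.15", "tcp", 3389),   # DMZ jump host -> engineering workstation
    ("10.0.5.20", "10.4.0.7", "tcp", 502),    # enterprise laptop straight to a PLC
    ("10.3.0.4", "10.4.0.7", "tcp", 502),     # HMI -> PLC, Modbus/TCP
    ("10.3.0.4", "10.4.0.7", "tcp", 22),      # HMI -> PLC, SSH not on the conduit
    ("192.168.9.9", "10.4.0.7", "tcp", 502),  # address outside every zone
)


def run_example():
    """Evaluate the sample flows and check a proposed conduit against the perimeter rule."""
    verdicts = [evaluate_flow(*flow) for flow in SAMPLE_FLOWS]
    # A proposed "convenience" conduit from the enterprise zone straight into area control.
    proposed = CONDUITS + (Conduit("enterprise", "area_control", frozenset({("tcp", 3389)})),)
    return verdicts, perimeter_violations(proposed)


if __name__ == "__main__":
    verdicts, violations = run_example()
    for flow, verdict in zip(SAMPLE_FLOWS, verdicts):
        print(f"{flow[0]} -> {flow[1]} {flow[2]}/{flow[3]}: {verdict}")
    for c in violations:
        print(f"perimeter violation: {c.src} -> {c.dst} bypasses the DMZ")
```

Two things the model makes visible: the same Remote Desktop service is permitted from the enterprise zone to the jump host and from the jump host to site operations, yet is denied end to end because no conduit joins enterprise directly to site operations; and the perimeter check rejects the proposed shortcut conduit regardless of which service it carries, because the violation is structural rather than a matter of port selection.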

Another term that has become increasingly popular in industry is Industrial Automation and Control Systems (IACS). IACS is another name for OT and is defined in the IEC 62443 standard as “a collection of personnel, hardware, and software that can affect or influence the safe, secure, and reliable operation of an industrial process” [3].