How to Quickly Determine if Safety Functions are Vulnerable to a Cybersecurity Threat
In addition to following cybersecurity principles like backing up everything including the programming in your SCADA, operator interfaces, and industrial controllers, you should consider a Security PHA Review (SPR) of your HAZOPs. An SPR is designed to help you quickly determine if any of your safety functions are vulnerable to a cybersecurity threat.
Many of the cybersecurity practices are difficult to implement in industrial control systems. Chemical manufacturing or refining can be considerably more dangerous than losing intellectual property if you do not know the risks involved.
The SPR process is amazingly easy and much faster than HAZOP studies. It was created as the result of an OT cybersecurity project that we performed at a refinery in Europe a few years ago.
The process basically reviews each Safety Function (SF) to determine if the SF can be compromised by a cybersecurity attack of any nature. Instead of guide words, we ask a basic question “is this SF connected by wire or wireless?” If the answer is yes, then you ask, “what is it connected to and how?” This is where we recognize the team required to perform the SPR. Control system people provide valuable insights into the OT side, and IT professionals offer a different perspective on networking. In addition, a process engineer in the review is very helpful. Why all three are necessary becomes more evident as we proceed below.
In the event that we determine that the SF is connected wirelessly or via a wire, then we can conclude that it can be hacked during an attack, even if it is simply an on/off signal or an analog 0-10vdc or 4-20ma connection to an industrial controller. If the industrial controller is compromised, the analog signal may be wrong for the SF. However, we are compelled to ask one more question, “so what?” Yes, we ask “so what?” to determine if the risk of compromise is really a risk that needs to be addressed. If the answer is “it does not cause a problem if it is compromised in an attack”, then we can mark it as such and move on. Let me explain. Consider a situation where there is another SF like a pressure relief valve that can engage that is not hackable, then the answer to “so what?” makes more sense.
If the answer is “it is a problem if it is compromised”, then we mark it as a risk and assign a Security Level Target (SLT) based on the risk. The SLT comes from the ISA/IEC 62443 Security for Industrial Automation and Control Systems series of standards. However, you will need to decide what SLT is appropriate for a compromised SF, and this needs to be decided before you start your first SPR. For instance, if the SF is determined to require a SIL 1 solution to reduce the risk, then there needs to be a corresponding SLT requirement for that level of risk reduction. Just like SIL levels, SLT gets very expensive the higher the risk reduction required. Look at it like this: if SIL 3 is difficult to obtain, SLT 3 will also be difficult to obtain. It is almost impossible to achieve SLT 4 at this time especially in an OT environment.
But what if the SLT is just too difficult or expensive to implement? Unlike so many other cybersecurity efforts, we consider the process and the equipment as well. We can consider changing the hardware, equipment, or even removing the wire or wireless signal if the cost and effort to obtain the SLT is too high. This gets complicated, so the team doing the review needs specialized skills, which is why I mentioned the need for three different skillsets above. But imagine that you could replace a remotely controlled wired or wireless device with a spring-controlled device. Maybe you could just remove the signal as a possible solution (expertise is required to support that decision). However, these types of changes might cost a fraction of the SLT requirement and might significantly avoid unnecessary operational constraints that IT-based solutions might impose.
I understand at first glance that people in the cybersecurity field think this is not an appropriate solution to consider for a cybersecurity risk. It is unfortunate that we get so fixated on solving problems using technology as the only way to solve cybersecurity problems. This is without stepping back and realizing that there might be a simple solution. Remember, we are not trying to protect everything this way.
I would be wrong not to mention that you still need to conduct your normal cybersecurity assessments and follow appropriate cybersecurity practices.
Security PHA Review Book
Want to know more about Security PHA Review, consider purchasing the ISA book. It is an easy read, and you will know how to perform a SPR by the end of the book. The link for the ISA book site is below.
Jim McGlone, MBA, GICSP
Chief Marketing Officer, Technical Consultant
Security PHA Review co-author
You can contact the author using this https://www.kenexis.com/contact/