Last update: Wed, 25 Nov 2020 4pm

Jumpstart Cyberthreat with High-Level Risk Assessments

Cybersecurity is a major concern for industrial control systems, but the continually evolving nature of the field and the sheer amount of existing threats and vulnerabilities make it a daunting task to figure out where to begin addressing cybersecurity concerns.

It could be argued that currently the biggest cybersecurity challenge for industrial networks is not the multitude of cyberthreats, but the inability to effectively identify and mitigate cybersecurity risk. Inaccurately identifying the risks can result in the use of a system that is both costly and still vulnerable to attack. This article will focus on a practical example for a high-level risk assessment that forms the basis for effective management of cybersecurity risk.


The International Electrotechnical Commission (IEC) 62443 standard provides performance-based guidelines for improving the security of Industrial Automation and Control Systems (IACS). IEC 62443 outlines a lifecycle approach: analyze cybersecurity risk, design and implement countermeasures to mitigate this risk, and operate and maintain the IACS securely.

Analysis, the first phase of the lifecycle, is based on the completion of two risk assessments: high-level risk assessment and detailed risk assessment. The purpose of the first risk assessment is to quickly understand the severity of consequences per device in the event of a breach and to identify the highest areas of risk in the IACS that require a more thorough detailed risk assessment.

High-level risk assessments provide an entry point into the cybersecurity lifecycle and jumpstart the further deployment of cybersecurity activities.

figure 1

Example: Styrene Chemical Facility

In our example we will look at a medium-sized bulk chemical plant that converts 1,3-butadiene through a two-stage reaction to provide high-purity styrene. Before diving into the high-level risk assessment, it is important to define the plant that serves as the physical basis for the evaluation, along with the key inputs for the assessment:

  • Hazards identified during the process hazard assessment: Styrene plants have several physical hazards including: flammable, toxic and reactive chemicals; the potential for runaway exothermic reactions; and potential rupture of reaction vessels and other process equipment. These hazards can have serious safety, business and environmental consequences, which must be considered when looking at the ultimate consequence of cybersecurity attacks.
  • Corporate risk criteria: These define the boundary between an unacceptable risk for an organization and a tolerable risk. These risk criteria are typically documented in the form of a risk matrix or risk graph and are the guidelines used to evaluate risk during the assessment.
  • Device inventory list: Often the device inventory for the IACS will be documented in a network diagram showing the connections between devices on the control network. A simplified diagram showing the equipment for the styrene plant is shown in Figure 2.

figure 2


The first step for the high-level risk assessment is to determine the worst-case consequence per device if compromised. As shown in Figure 3, the worst-case consequence for each device considers the impact on safety, business or environment from the loss of that device’s expected function or the use of that device for an unintended and potentially hazardous purpose.

figure 3

Focusing on the enterprise workstation, we can see how the direct result of a device being compromised is correlated to the corresponding worst-case consequence. If the basic process control station (BPCS) engineering workstation is compromised, it would allow attackers to download altered controller code modifying the correct function of the BPCS. In the styrene plant, this could result in overflowing the reactor vessels with reactants leading to a runaway exotherm with serious safety and business consequences.


Security Levels (SL) are roughly correlated to Safety Integrity Levels (SIL) from functional safety, in that each increasing security level (SL-1 is the lowest, SL-4 is the highest) corresponds to an order-of-magnitude increase in the risk reduction provided, but there are fundamental differences between SL and SIL (i.e., the capability and testing requirements).

When targeting security levels in the high-level risk assessment, the likelihood of a successful attack is assumed to be one, and the overall risk is determined based on consequence severity, to develop a useful but quick estimate of the required security level.

The correlation between consequence severity and required security level is determined per the corporate risk criteria. Figure 4 shows the description of the business and safety consequences corresponding to each security level based on the example risk criteria, as well as what the target security level is for each device based on the consequence.

figure 4

Considering the BPCS engineering workstation, a security level 3 is targeted based on the risk criteria because the runaway exotherm in the reaction vessel could result in significant business consequence and potentially a single fatality in the event of a vessel rupture.


Network segmentation is an essential strategy for improving the security of industrial networks. It provides boundary devices (firewalls or managed switches) that block unnecessary communication between zones, making it more difficult for attackers to access critical devices.

By grouping devices with similar security targets to the same zones, it is possible to secure them to the level required without unnecessary security features for devices that don’t need them, while allowing devices to have the necessary connections to operate the IACS. Based on the severity levels from our example the network was segmented into four zones: enterprise, demilitarized, BPCS and SIS (see Figure 5).

figure 5
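The assessment steps above (worst-case consequence per device, target security level with likelihood taken as one, grouping into zones) can be run over a device inventory as sketched below. This is an added example, not from the original article: the severity ratings, the severity-to-SL mapping, the links and every device except the BPCS engineering workstation's SL 3 are constructed assumptions.

```python
# Added example. Severity ratings, device list and links are constructed.
SEVERITY_TO_SL = {1: 1, 2: 2, 3: 3, 4: 4}  # assumed corporate risk criteria

# name -> (zone, worst-case severity per category if the device is compromised)
INVENTORY = {
    "enterprise workstation": ("enterprise", {"safety": 1, "business": 2, "environment": 1}),
    "historian": ("demilitarized", {"safety": 1, "business": 2, "environment": 1}),
    "BPCS engineering workstation": ("BPCS", {"safety": 3, "business": 3, "environment": 2}),
    "BPCS controller": ("BPCS", {"safety": 3, "business": 3, "environment": 3}),
    "log printer": ("BPCS", {"safety": 1, "business": 1, "environment": 1}),
    "SIS logic solver": ("SIS", {"safety": 4, "business": 3, "environment": 3}),
}
LINKS = [
    ("enterprise workstation", "historian"),
    ("historian", "BPCS engineering workstation"),
    ("BPCS engineering workstation", "BPCS controller"),
    ("BPCS controller", "log printer"),
    ("BPCS controller", "SIS logic solver"),
]

def target_sl(severities):
    """Likelihood is taken as 1, so the worst consequence alone sets the target."""
    return SEVERITY_TO_SL[max(severities.values())]

def device_targets(inventory):
    return {name: target_sl(sev) for name, (_zone, sev) in inventory.items()}

def zone_targets(inventory):
    """A zone has to meet the highest target of any device placed in it."""
    zones = {}
    for zone, sev in inventory.values():
        zones[zone] = max(zones.get(zone, 0), target_sl(sev))
    return zones

def below_zone_target(inventory):
    """Devices secured beyond their own need: candidates for a lower zone."""
    zones = zone_targets(inventory)
    return [n for n, (z, sev) in inventory.items() if target_sl(sev) < zones[z]]

def conduits(links, inventory):
    """Links crossing a zone boundary, where a firewall or managed switch belongs."""
    return [(a, b) for a, b in links if inventory[a][0] != inventory[b][0]]

if __name__ == "__main__":
    for name, sl in device_targets(INVENTORY).items():
        print(f"{name:30} zone={INVENTORY[name][0]:14} SL-T={sl}")
    print("zone targets:", zone_targets(INVENTORY))
    print("below zone target:", below_zone_target(INVENTORY))
    print("conduits:", conduits(LINKS, INVENTORY))
```

A device listed by `below_zone_target` carries a lower target than the zone it sits in, which is the mismatch that grouping devices by similar security targets is meant to avoid.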


The last step in the high-level risk assessment is to develop an initial incident response plan. This response plan outlines the steps to be followed in the event of a breach and provides guidance on the ways to restore operations as quickly as possible, communicate the information to the necessary stakeholders, preserve data for investigating the incident, report the incident as necessary, and proactively manage future IACS incidents by modifying policies, practices and procedures to mitigate the risk of other similar attacks.


Through the high-level risk assessment, the key information needed to jumpstart future security lifecycle tasks is gathered, supporting the subsequent completion of the analysis (detailed risk assessment), design (security level verification) and operations (incident response) phases.

In addition to preparing for the completion of future lifecycle tasks, the high-level risk assessment provides tangible and immediate benefits. It aligns cybersecurity risk management with corporate risk criteria, identifies the highest areas of risk and develops a segmentation strategy to secure those zones. It also documents the expected response to cybersecurity events per zone. The high-level risk assessment provides both immediate and lasting benefits that support effective management of cybersecurity risk by reducing the likelihood of a successful attack and helping to recover more quickly from cybersecurity incidents.

The author is a safety and cybersecurity engineer at Exida.
