Cybersecurity is a major concern for industrial control systems, but the continually evolving nature of the field and the sheer amount of existing threats and vulnerabilities make it a daunting task to figure out where to begin addressing cybersecurity concerns.
It could be argued that the biggest cybersecurity challenge for industrial networks today is not the multitude of cyberthreats but the inability to identify and mitigate cybersecurity risk effectively. Misidentifying the risks can leave a plant with a system that is both costly and still vulnerable to attack. This article walks through a practical example of a high-level risk assessment, which forms the basis for effective management of cybersecurity risk.
The International Electrotechnical Commission (IEC) 62443 series provides performance-based guidelines for improving the security of Industrial Automation and Control Systems (IACS). It outlines a lifecycle approach: analyze cybersecurity risk, design and implement countermeasures to mitigate that risk, and operate and maintain the IACS securely.
Analysis, the first phase of the lifecycle, is based on two risk assessments: a high-level risk assessment and a detailed risk assessment. The purpose of the first is to quickly understand the severity of the consequences per device in the event of a breach and to identify the highest-risk areas of the IACS that require a more thorough detailed risk assessment.
High-level risk assessments provide an entry point into the cybersecurity lifecycle and jumpstart the further deployment of cybersecurity activities.
Example: Styrene Chemical Facility
In our example we will look at a medium-sized bulk chemical plant that converts 1,3-butadiene through a two-stage reaction to provide high-purity styrene. Before diving into the high-level risk assessment, it is important to define a plant as the physical basis for the evaluation with the key inputs for the assessment:
- Hazards identified during the process hazard assessment: Styrene plants have several physical hazards including: flammable, toxic and reactive chemicals; the potential for runaway exothermic reactions; and potential rupture of reaction vessels and other process equipment. These hazards can have serious safety, business and environmental consequences, which must be considered when looking at the ultimate consequence of cybersecurity attacks.
- Corporate risk criteria: These define the boundaries between an unacceptable risk for an organization and what is tolerable risk. These risk criteria are typically documented in the form of a risk matrix or risk graph and are the guidelines used to evaluate risk during the assessment.
- Device inventory list: Often the device inventory for the IACS will be documented in a network diagram showing the connections between devices on the control network. A simplified diagram showing the equipment for the styrene plant is shown in Figure 2.
The first step for the high-level risk assessment is to determine the worst-case consequence per device if compromised. As shown in Figure 3, the worst-case consequence for each device considers the impact on safety, business or environment from the loss of that device’s expected function or the use of that device for an unintended and potentially hazardous purpose.
Focusing on the basic process control system (BPCS) engineering workstation, we can see how the direct result of a device being compromised is tied to its worst-case consequence. If the BPCS engineering workstation is compromised, an attacker can download altered controller code that modifies the correct function of the BPCS. In the styrene plant, this could overfill the reactor vessels with reactants, leading to a runaway exotherm with serious safety and business consequences.
SECURITY LEVEL TARGETS
Security Levels (SL) are roughly analogous to Safety Integrity Levels (SIL) from functional safety, in that each step up (SL-1 is the lowest, SL-4 the highest) is intended to provide a substantially greater degree of protection, but there are fundamental differences. A SIL is a quantitative measure of the probability of failure on demand, verified by testing, whereas IEC 62443 defines each SL by the capability of the attacker it is meant to resist: SL-1 protects against casual or coincidental violation; SL-2 against intentional violation using simple means, low resources and generic skills; SL-3 against sophisticated means, moderate resources and IACS-specific skills; and SL-4 against sophisticated means with extended resources. A security level is therefore not an order-of-magnitude risk reduction figure in the way a SIL is.
When targeting security levels in the high-level risk assessment, the likelihood of a successful attack is assumed to be one, and the overall risk is determined based on consequence severity, to develop a useful but quick estimate of the required security level.
The correlation between consequence severity and required security level is determined per the corporate risk criteria. Figure 4 shows the description of the business and safety consequences corresponding to each security level based on the example risk criteria, as well as what the target security level is for each device based on the consequence.
Considering the BPCS engineering workstation, a security level 3 is targeted based on the risk criteria because the runaway exotherm in the reaction vessel could result in significant business consequence and potentially a single fatality in the event of a vessel rupture.
NETWORK SEGMENTATION
Network segmentation is an essential strategy for improving the security of industrial networks. Devices are grouped into zones, and the connections between zones (conduits) pass through boundary devices such as firewalls or managed switches that block any communication that is not required, making it harder for an attacker who has gained a foothold in one zone to reach critical devices in another.
By grouping devices with similar security level targets into the same zone, each zone can be secured to the level its devices require without imposing unnecessary security features on devices that do not need them, while still allowing the connections needed to operate the IACS. Based on the consequence severities in our example, the network was segmented into four zones: enterprise, demilitarized (DMZ), BPCS and SIS (see Figure 5).
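The three steps described above (rate the worst-case consequence per device, map it to a target security level with the likelihood of a successful attack fixed at one, then group devices into zones by target) can be carried out mechanically over a device inventory. The following is an added worked example in Python, not code from the original article. The device inventory, the five-step severity scale and the severity-to-SL-T mapping are constructed assumptions standing in for the corporate risk criteria of Figure 4; the zone rule (a zone's target is the highest target of any device in it) is also an assumption, since the standard leaves that choice to the assessor.

```python
"""Worked high-level risk assessment in the style of IEC 62443-3-2.

Added illustration, not code from the original article. The device
inventory, consequence ratings, severity scale and the mapping from
severity to target security level (SL-T) are all constructed for this
example; the article's Figure 4 risk criteria are not reproduced.
"""

from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed five-step consequence severity scale (a corporate risk matrix
# defines its own).
SEVERITY: Dict[str, int] = {
    "negligible": 0, "minor": 1, "moderate": 2, "major": 3, "catastrophic": 4,
}

# Assumed risk criteria: worst-case severity -> SL-T. Because the
# high-level assessment fixes the likelihood of a successful attack at
# one, risk reduces to consequence and the lookup is direct.
SL_TARGET_BY_SEVERITY: Dict[int, int] = {0: 1, 1: 1, 2: 2, 3: 3, 4: 4}


@dataclass(frozen=True)
class Device:
    name: str
    zone: str
    safety: str        # worst-case consequence if compromised, per category
    business: str
    environment: str

    def worst_severity(self) -> int:
        """Highest severity across the safety, business and environment impacts."""
        return max(SEVERITY[self.safety], SEVERITY[self.business],
                   SEVERITY[self.environment])

    def sl_target(self) -> int:
        return SL_TARGET_BY_SEVERITY[self.worst_severity()]


# Constructed inventory for the styrene plant example. "Site printer" is
# deliberately placed in the BPCS zone to exercise the grouping check.
DEVICES: List[Device] = [
    Device("Enterprise workstation", "enterprise", "negligible", "minor", "negligible"),
    Device("Plant historian", "demilitarized", "negligible", "moderate", "negligible"),
    Device("BPCS engineering workstation", "BPCS", "major", "major", "moderate"),
    Device("BPCS controller", "BPCS", "major", "major", "moderate"),
    Device("Operator HMI", "BPCS", "major", "moderate", "minor"),
    Device("Site printer", "BPCS", "negligible", "negligible", "negligible"),
    Device("SIS engineering workstation", "SIS", "catastrophic", "major", "major"),
    Device("SIS logic solver", "SIS", "catastrophic", "major", "major"),
]


def device_targets(devices: List[Device]) -> Dict[str, int]:
    """Steps 1 and 2: worst-case consequence per device, mapped to SL-T."""
    return {d.name: d.sl_target() for d in devices}


def zone_targets(devices: List[Device]) -> Dict[str, int]:
    """Step 3: a zone's SL-T is the highest SL-T of any device in it
    (assumed rule; IEC 62443-3-2 leaves the choice to the assessor)."""
    targets: Dict[str, int] = {}
    for d in devices:
        targets[d.zone] = max(targets.get(d.zone, 0), d.sl_target())
    return targets


def misgrouped(devices: List[Device], gap: int = 2) -> List[Tuple[str, str, int, int]]:
    """Devices whose own SL-T sits `gap` or more levels below their zone's
    SL-T. They would be secured to a level they do not need, so they are
    candidates for a lower zone. Returns (device, zone, device SL-T, zone SL-T)."""
    zones = zone_targets(devices)
    return [(d.name, d.zone, d.sl_target(), zones[d.zone])
            for d in devices if zones[d.zone] - d.sl_target() >= gap]


if __name__ == "__main__":
    for name, sl in device_targets(DEVICES).items():
        print(f"{name:30s} SL-T {sl}")
    print("zone targets:", zone_targets(DEVICES))
    print("misgrouped:", misgrouped(DEVICES))
```

With the constructed criteria the BPCS engineering workstation lands at SL-T 3, matching the article's reasoning, the four zones come out at SL-T 1, 2, 3 and 4, and the printer is flagged because it would be secured two levels beyond what its own consequence justifies. In a real assessment the mapping table comes from the corporate risk matrix, and the flagged devices are the ones to discuss when drawing zone boundaries.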
INCIDENT RESPONSE PLAN
The last step in the high-level risk assessment is to develop an initial incident response plan. This plan outlines the steps to be followed in the event of a breach and provides guidance on how to restore operations as quickly as possible, communicate with the necessary stakeholders, preserve data for investigating the incident, report the incident where required, and proactively manage future IACS incidents by modifying policies, practices and procedures to reduce the risk of similar attacks.
Through the high-level risk assessment, the key information needed to jumpstart future security lifecycle tasks is gathered supporting the subsequent completion of analysis (detailed risk assessment), design (security level verification) and the operations (incident response) phases.
In addition to preparing for the completion of future lifecycle tasks, the high-level risk assessment provides tangible and immediate benefits. It aligns cybersecurity risk management with corporate risk criteria, identifies the highest areas of risk and develops a segmentation strategy to secure those zones. It also documents the expected response to cybersecurity events per zone. The high-level risk assessment provides both immediate and lasting benefits that support effective management of cybersecurity risk by reducing the likelihood of a successful attack and helping to recover more quickly from cybersecurity incidents.