Functional safety assessments are a well-established practice in machine and process automation. These assessments focus on random hardware failures or systematic software failures (such as bugs).
However, cybersecurity threats and vulnerabilities represent additional failure modes that may lead to incidents that are unaccounted for in traditional safety assessments. A business justification can be developed for discussing cyber risk assessments.
The majority of factories and process plants today are controlled and operated by automation systems built on Ethernet TCP/IP networks and legacy Microsoft operating systems. These systems are vulnerable to cybersecurity breaches resulting in potentially significant risks, including risks to health, safety and the environment. To address the risk, there's a need to understand it—but how? Functional safety assessments focus on random hardware failures or systematic software failures (such as bugs) and generally do not consider cyber threats or cyber vulnerabilities. To understand cyber risk, it's necessary to perform cyber vulnerability assessments and cyber risk assessments. Not surprisingly, this is exactly what cybersecurity standards and regulations require.
Cybersecurity regulations, standards
Fortunately, there is help available now. Many standards and regulations have been developed over the last decade to address this known issue; our industrial control systems (ICS) are susceptible to cyber compromise. Agencies such as the North American Electric Reliability Corporation (NERC), the International Society of Automation (ISA), the American Petroleum Institute (API), the National Institute of Standards and Technology (NIST), the International Electrotechnical Commission (IEC), and others have developed numerous documents describing the need to protect ICS from cyber attacks, as well as how to do it.
Functional safety standards also now are beginning to require cyber vulnerability and risk assessments. The second edition of IEC 61511 (Functional Safety: Safety Instrumented Systems for the Process Industry Sector), was released in 2016. One new clause states that a security risk assessment shall be carried out to identify the security vulnerabilities of the SIS. Another clause states the design of the SIS shall provide the necessary resilience against the identified security risks. That's as far as the new standard goes, but it does provide further guidance by pointing readers to an ISA 84 technical report and the ISA/IEC 62443-3-2 standard (Security Risk Assessment and System Design) which covers how to perform cyber vulnerability and risk assessments.
What is cybersecurity risk?
There are different types or different components of risk, and cybersecurity is one of them. For example, there are different risks for money. People can be robbed, the stock market could crash, the financial institution that holds an account could fail or be robbed, or a cyber-criminal could wipe out the account. Similarly, there are different risks to factory or plant operations. A mechanical device could fail, a human could make an error, an electronic component could fail or a cyber threat could compromise the control systems. To manage risk, it's necessary to understand all the components of risk, including cyber.
While it is more difficult to grasp than mechanical risk, cyber risk can be assessed and managed. If that weren't true, bank accounts would probably already be emptied by cyber criminals.
Cyber risk is generally considered a function of three variables: threat, vulnerability and consequence. Threats are the initiating event, such as a hacker or a computer virus. Threats vary with the skill or motivation of the hacker or the sophistication of the malware. Vulnerabilities are the inherent weaknesses in the system that allow the threat to be realized. Finally, consequences are the unwanted outcome should the threat be successful. Cybersecurity risk is a combination of the likelihood that a threat will exploit a vulnerability and the severity of the resulting consequence.
ICS cybersecurity vulnerability assessment
Vulnerabilities are a key variable in cyber risk. In theory, if there are no cyber vulnerabilities there is no cyber risk. Of course, in reality all ICSs have vulnerabilities, some more than others. The number and severity of vulnerabilities depends on the components used, how they are configured and how they are networked.
So what is an ICS cybersecurity vulnerability assessment? It is an evaluation of a ICS design. In a brownfield design begin with the ICS as-built or as-found drawings. An example is shown in Figure 1.
How is that control system constructed? What devices make up the system? How are they networked together? How do those networks communicate? Modern control systems are based on Ethernet networking and Microsoft operating systems. Understanding how these pieces go together can be very difficult in many facilities. Drawings that show the entire system architecture may not exist; these systems often have grown and evolved over decades.
Start with an analysis of network communications to understand how these networks are constructed and, and how data moves throughout the system. This is done by recording actual network traffic and plotting it out to see the data flows.
Identify what devices are communicating with each other. What devices should be communicating with each other? What devices are communicating with each other that perhaps should not be, or were not expected to be? Are any devices communicating using unexpected protocols? Are there control system devices that are trying to communicate to the Internet? Plot the communications and look for anomalous behaviors.
A vulnerability assessment would then analyze the actual servers and workstations that make up the system. Most of the operating systems that are controlling the bulk of industrial facilities today are legacy Microsoft platforms such as XP and Windows Server 2003. Identify the vulnerabilities. Look at the control devices themselves, the programmable logic controllers, the safety instrumented systems, the operator interfaces, the variable frequency drives, the analyzers, etc. Most of these devices now have Ethernet ports and are connected to common networks that make up the control system network.
The next step in a vulnerability assessment would be to partition the system into zones and conduits, as shown in Figure 2. Doing so helps better analyze the system and better design protections to limit communications to only that which needs to go into and out of a zone.
A vulnerability assessment also should include a review of policies and procedures, and include a gap analysis. How does the system stack up against industry standards and best practices? Finally, the assessment should list the vulnerabilities that have been discovered and the recommended mitigations to close the gaps.
ICS cybersecurity risk assessment
Understanding vulnerability is only one part of the equation. Cyber risk is combination of threats, vulnerabilities, and consequences. Most organizations want to understand what the true cyber risks are. A method has been developed to do so--it's called a cyber risk assessment or cyber PHA (process hazards analysis). It's a very systematic approach similar in many ways to a PHA or HAZOP. The actual process is documented in the IEC 62443-3-2 standard. The method has been applied many times within companies following the process safety management of highly hazardous chemicals regulation (29 CFR 1910.119). The method works quite well because it's very similar in nature to a HAZOP, a technique that has been used in the industry for more than 40 years. An example of a cyber risk assessment study excerpt is shown in Figure 3.
Instead of the traditional causes, in this study, look for threats. Also consider vulnerabilities and consequences. Use the same risk matrix used in ranking other risks within the organization. Performing such a study helps with prioritizing activities and resources, helps designers intelligently design and apply countermeasures, and helps document and justify decisions. A cyber risk assessment will document why certain controls were put in place, and sometimes why they were not put in place.
This also can be a very effective training and awareness exercise. Like hazard and operability studies (HAZOPs), these studies require a multi-disciplinary team. There needs to be people from IT (information technology), operations, engineering, and automation working together to study the system. Following the process, the team ultimately will develop a risk register and risk profile, providing a ranked set of risks, and an understanding where those risks are in the system. Ultimately, it's possible to derive a set of recommendations and a plan to mitigate those risks.
Cyber risk assessments benefits
Organizations can realize numerous benefits by performing cyber risk assessments. They are fundamental to any risk management program and provide a consistent method of communicating risk to management. Since no organization has unlimited resources and unlimited budgets, the results of the risk assessment can be very helpful to management in prioritizing mitigation efforts. The structured approach helps uncover hidden risk or overturn long-standing assumptions of areas of high risk which may have been overstated. Participation in the cyber risk assessment by subject matter experts is an effective way of training personnel on cybersecurity while at the same time improving their "buy in" to the proposed mitigations. Finally, the cyber risk assessment process produces detailed documentation and justification for the mitigations that are being adopted as well as those that are not.
Have your risk assessments included safety and cybersecurity? If not, why not?
This article online contains more than what appears in the March print edition. Also see the Control Engineering cybersecurity page.
John Cusimano, director of industrial cybersecurity with aeSolutions, has more than 20 years of experience and has performed many control system cybersecurity vulnerability and cyber risk assessments. He is a member of the International Society of Automation (ISA) and is a voting member of the ISA 99 cybersecurity standards committee. As part of that committee, he is the chair of the zones and conduits working group, and co-chair of the product development working group. He is the developer and primary instructor of the ISA courses on cybersecurity. Cusimano is a Certified Functional Safety Expert (CFSE), a Certified Information Systems Security Professional (CISSP), and a Global Industrial Cyber Security Professional (GICSP). He has a B.S. in Electrical and Computer Engineering from Clarkson University in New York.