Apply the same level of cybersecurity emphasis to safety systems that you integrate into assets and operations.

The primary goal of every industrial facility is a safe production environment. With plant safety in mind, the objective is to reduce safety and cybersecurity risks, which are inextricably linked. At its core, risk comprises two fundamental components: the likelihood or probability that an event will occur and the severity of post-incident consequences. Effectively reducing risks requires decreasing the likelihood and consequences of the risk equation to an acceptable level. 

Reducing safety risks, however, requires a different approach than reducing cybersecurity risks. To estimate safety risk, a plant uses the safety HAZOP and LOPA processes. These processes are much more mature when compared to the risk estimations for cybersecurity. However, when StuxNet (2010) and TRITON (2017) cybersecurity threats emerged, it showed that the process-safety function is not necessarily guaranteed during a cyberattack.

Today’s consensus from OT/ICS cybersecurity experts is that risks from a cyberattack need to be reduced to a level that ensures a plant will continue to run safely if and when a cyberattack occurs or, should downtime result, operations can safely resume within the recovery-time objective timeframe. Hence, it is always recommended that critical Safety Instrumented Systems (SIS) are secure. 

The best practices for securing SIS include four standard elements:

• centrally managing inventory and vulnerability for all safety systems
• creating a separate zone for safety systems
• limiting communication to/from all safety systems
• monitoring and logging the access/communications to them.

These practices improve the process/automation design and reduce the likelihood of a cyberattack. However, in some cases, the design cannot follow the best cybersecurity strategy to ensure the usability of other OT/ICS applications. In such cases, alternative cybersecurity controls need to be considered and applied to reduce cybersecurity risks to an acceptable level.

A nefarious actor, intent on causing damage or harm, may first disable the safety systems, then go after the data being sent to the control room. By changing this data, the attacker could very well cause the operator to make poor decisions and create potentially dangerous outcomes. Consequently, safety systems must be prioritized and secured. 

ICS cybersecurity best practices, such as in-depth inventory management, vulnerability management, and incident response, should be implemented. The ISA/IEC 62443 industry standard recommends that the inventory include all the hardware, firmware, and software versions that are implemented in the OT/ICS network. The vulnerability-management solution should include details such as the probability of remote exploitation, skills to exploit, CVSS scores augmented with environmental and temporal impact factors, and methodology for mitigating them. 

The assumption that a plant will be a target of a cyberattack should always be part of the cybersecurity strategy. The automation/safety team should be trained to detect a cyberattack at an early stage. With time, cyberattacks cause more damage. The automation/safety team should identify all the changes and know what is normal and abnormal, and report to the incident management team accordingly. 

Securing an OT/ICS network is a journey. As a plant becomes more mature, the recommendations will change. It is suggested to conduct a maturity assessment to identify the status and apply cybersecurity controls on a regular basis as new vulnerabilities and threats emerge. EP

By Syed Belal, Hexagon AB

Syed M. Belal is Global Director of Cybersecurity Consulting for Hexagon’s Asset Lifecycle Intelligence division. Hexagon AB, Stockholm, Sweden (hexagon.com), is a member organization of the International Society of Automation’s (ISA) Global Cybersecurity Alliance (ISAGCA). Belal has more than 15 years of experience in industrial control systems and operational technology.