Digitization in the process industry is generating new and enhanced data flows between connected devices across process control networks and the internet. While the value of this digital transformation has been measurable, cybercrime and threats to the security and safety of plant operations have been an unfortunate collateral development. It is now critical that companies address the exposure of their industrial control systems to the growing scourge of cyberattacks, given the potential impacts on health, equipment and the environment.
Traditional protections like air-gapping and hardwired interlocks no longer provide the level of safety needed to protect networked industrial control systems from outside interference. This is particularly true for legacy systems that integrate older, proprietary technologies with new software applications and hardware. The result is gaps in operational technology security that are not covered by standard IT protection methods.
Even though there is often uncertainty about how to start securing process control systems against cyberattacks, knowing where you stand is the first step. It is critical to develop a thorough understanding of the vulnerabilities inherent in your industrial automation and control system (IACS) assets. An assessment based on the ISA/IEC 62443 standard is a systematic process designed to identify all those vulnerabilities.
Step 1: Identify the System under Consideration (SuC):
This step marks the boundaries of the IACS within which cyber risk is a concern. It usually excludes business systems, e.g., office local area networks, that are already covered by standard IT security practices.
Step 2: Collect key inputs:
Inputs include system architecture diagrams, network drawings, network device configurations, an asset inventory, Process Hazards Analysis (PHA) documentation that includes worst-case scenarios, and threat intelligence from external sources. This step identifies the software, hardware, process hazards data, and network construction and configuration. Documentation is updated and analyzed, or created if it does not exist. Conceptual architecture and network drawings are produced, showing all IACS hardware, ports, cable arrangements and system access points for the SuC.
Step 3: High-level assessment of IACS assets:
Identifies the assets at highest risk of damage, paying particularly close attention to Safety Instrumented Systems (SIS). Categorizes the consequences of a compromise according to the corporate risk management process or risk matrix.
Step 4: Perform vulnerability assessment:
Identifies weaknesses in design, operation, installation or architecture of highest-risk assets. Involves gap assessments, passive and active testing and network penetration testing where suitable.
Step 5: Divide SuC into zones and conduits:
Define zones according to factors including asset criticality, operational function, and physical and logical location. Some assets, e.g., SISs and wireless devices, require separate zones. Then define conduits to control the traffic between zones and eliminate unnecessary traffic.
Step 6: Conduct detailed risk assessment:
This process uses a risk matrix or another method to assess the likelihood of an event occurring at a site identified in the vulnerability assessment, as well as its potential consequences. The assessment draws on the vulnerability assessments, and the analysis is organized according to zones and conduits.
Step 7: Recommend Additional Countermeasures:
For risks deemed above a tolerable level, additional countermeasures are recommended to bring risk down to a tolerable level. These include logical defences (e.g., passwords and login names), physical defences (e.g., the location of a computer), restricted data traffic flows, intrusion detection software, and device hardening. This process uses a ‘defense in depth’ approach, ensuring layers of security protect each asset.
Step 8: Determine security target levels:
A security target level is assigned to each zone, based on the findings of the detailed risk assessment of zones and conduits. This states how much risk reduction is required for each zone or conduit, as determined by the enterprise-specific balance between costs and risks.
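Steps 5 through 8 are easiest to see on a concrete, if small, inventory. The following Python script is an added example, not part of the original article or the ISA/IEC 62443 standard: it takes a constructed asset list, checks observed traffic against the conduits defined in step 5, scores each zone with an illustrative 5x5 risk matrix, flags zones whose risk exceeds an assumed tolerable threshold (step 7), and maps the score to a target security level (step 8). The zone layout, asset names, likelihood values, the product-based risk matrix, the threshold and the score-to-SL-T cut-offs are all assumptions for illustration; the standard defines the four security levels but leaves the risk matrix and tolerance to the enterprise.

```python
"""Added example: steps 5-8 of an ISA/IEC 62443-style assessment on a
constructed inventory. Matrix, threshold and SL-T cut-offs are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    zone: str
    consequence: int  # 1 (low) .. 5 (high), worst-case impact from the PHA


# Constructed sample inventory; not a real plant.
ASSETS = [
    Asset("sis-logic-solver", "SIS", 5),
    Asset("plc-reactor-1", "Control", 4),
    Asset("hmi-operator-1", "Supervisory", 3),
    Asset("historian", "DMZ", 2),
    Asset("wireless-gw", "Wireless", 3),
]
ZONE_OF = {a.name: a.zone for a in ASSETS}

# Step 5: conduits as allowed (source zone, destination zone) pairs.
CONDUITS = {
    ("Supervisory", "Control"),
    ("Control", "Supervisory"),
    ("Supervisory", "DMZ"),
    ("Wireless", "Supervisory"),
    ("Control", "SIS"),
}

# Constructed flows, as a passive capture in step 4 might yield them.
OBSERVED_FLOWS = [
    ("hmi-operator-1", "plc-reactor-1"),
    ("historian", "plc-reactor-1"),       # DMZ -> Control: no conduit
    ("wireless-gw", "sis-logic-solver"),  # Wireless -> SIS: no conduit
    ("plc-reactor-1", "sis-logic-solver"),
]

# Assumed per-zone likelihood (1..5) from the step 4 vulnerability findings.
LIKELIHOOD = {"SIS": 3, "Control": 3, "Supervisory": 4, "DMZ": 4, "Wireless": 5}

TOLERABLE = 6  # assumed corporate risk tolerance on the 1..25 scale


def unauthorized_flows(flows, conduits):
    """Return cross-zone flows with no defined conduit: the 'unnecessary
    traffic' that step 5 says should be eliminated."""
    findings = []
    for src, dst in flows:
        pair = (ZONE_OF[src], ZONE_OF[dst])
        if pair[0] != pair[1] and pair not in conduits:
            findings.append((src, dst, pair))
    return findings


def risk_score(likelihood, consequence):
    """Illustrative 5x5 matrix: likelihood times consequence, 1..25."""
    if not (1 <= likelihood <= 5 and 1 <= consequence <= 5):
        raise ValueError("matrix inputs must be in 1..5")
    return likelihood * consequence


def target_sl(score):
    """Assumed mapping from risk score to SL-T 1..4."""
    if score <= TOLERABLE:
        return 1
    if score <= 10:
        return 2
    if score <= 15:
        return 3
    return 4


def assess_zones(assets, likelihood_by_zone):
    """Steps 6-8: per zone, combine the worst asset consequence with the
    zone likelihood, decide whether countermeasures are needed, set SL-T."""
    report = {}
    for zone in {a.zone for a in assets}:
        worst = max(a.consequence for a in assets if a.zone == zone)
        score = risk_score(likelihood_by_zone[zone], worst)
        report[zone] = {
            "score": score,
            "needs_countermeasures": score > TOLERABLE,
            "sl_target": target_sl(score),
        }
    return report


if __name__ == "__main__":
    for src, dst, pair in unauthorized_flows(OBSERVED_FLOWS, CONDUITS):
        print(f"no conduit {pair[0]} -> {pair[1]}: {src} -> {dst}")
    for zone, r in sorted(assess_zones(ASSETS, LIKELIHOOD).items()):
        print(zone, r)
```

The conduit check is the part most worth automating in practice: re-running it against a fresh capture during the maintenance phase shows whether traffic has drifted outside the zones-and-conduits design since the last assessment.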
Once a standardized assessment has been completed, facilities will have a detailed understanding of their system’s cybersecurity vulnerabilities and a roadmap for resolving these. This document is, however, just the first in a cyclical process of security management. The next step involves the engineering, implementation and validation of the countermeasures, which must be followed up by continued maintenance and scrutiny for new risks or vulnerabilities.
As with many industrial processes, this is a continuous lifecycle that requires ongoing review and reassessments over the lifetime of the plant. Cybersecurity incident response and recovery are also part of the maintenance phase. Assessing your vulnerabilities, however, should be your first engagement in this cyclical process, one that will protect the integrity of your IACS assets and data and ensure the safe operation of your process plant.