
Understand the Risk of Cyber Threats to an Industrial Process with a Cyber PHA

Sep 12, 2014



Operators of industrial facilities, particularly those that operate critical, potentially dangerous processes or produce product for consumer consumption, are rightfully concerned about the potential for cyber threats that can accidentally or intentionally manipulate their industrial control systems (ICS). Modern ICS are highly vulnerable to cyber threats due to their increased use of commercial IT technology and extensive network connectivity. In the last few years, there have been numerous documented attempts to hack or inject a virus into an ICS to intentionally cause harm or destruction.
This presentation explores the challenges that most industrial companies face in understanding the true risk of cyber threats to their industrial processes and introduces Cyber PHA as a solution. Based on Process Hazard Analysis (PHA), which has been used in the process industries for decades to assist in understanding and ranking operational risks so they can be properly mitigated, a Cyber PHA is an organized and systematic assessment of the potential cyber threats to an ICS. It aids in understanding the true risk by identifying and qualifying threats, vulnerabilities and consequences.
Transcript
Page 1 (slide 1): Understanding the Risk of Cyber Threats to an Industrial Process with a Cyber PHA

Copyright © 2013 exida Consulting LLC

Page 2 (slide 2): John A. Cusimano, CFSE, CISSP

• Director of ICS Cybersecurity Solutions for exida
• 25 years experience in industrial automation
  • Kodak, Moore Products, Siemens, exida
• 6 years in ICS Cybersecurity
• Certifications:
  • CFSE, Certified Functional Safety Expert
  • CISSP, Certified Information Systems Security Professional
• Industry Associations:
  • ISA S99 Committee, WG4 TG3 Chair, TG6 Co-Chair
  • Lead developer/instructor for ISA IC 32 Training Course
  • ISA S84 Committee
  • ISA Security Compliance Institute, technical steering committee
  • ICSJWG Workforce Development & Vendor Subgroups
  • NIST Cyber-physical Systems workshop lead
  • US Expert to IEC TC65 WG10

Page 3 (slide 6): Process Hazard Analysis (PHA)

• An organized and systematic assessment of the potential hazards associated with an industrial process
• Used for decades to assist operators of potentially hazardous industrial facilities in understanding and ranking operational risks so they can be properly mitigated
• Mandated in the USA by the Occupational Safety and Health Administration (OSHA) in its Process Safety Management regulation for processes that handle highly hazardous chemicals

Page 4 (slide 7): PHA

• Provides information to assist in making decisions for improving safety and reducing the consequences of unwanted or unplanned events
• Directed toward analyzing potential causes and consequences of fires, explosions, releases of toxic or flammable chemicals and major spills of hazardous chemicals
• Focuses on equipment, instrumentation, utilities, human actions, and external factors that might impact the process

Page 5 (slide 8): PHA Methods

• Checklist, What if?
• Hazard and Operability Study (HAZOP)
• Failure Mode and Effects Analysis (FMEA)
• Layer of Protection Analysis (LOPA)
• Fault Tree Analysis (FTA)

Page 6 (slide 9): HAZOP

• A hazard and operability study (HAZOP) is a structured and systematic examination of a planned or existing industrial process in order to identify and evaluate problems that may represent risks to personnel or equipment, or prevent efficient operation
• A HAZOP is a qualitative technique based on guide-words and is carried out by a multi-disciplinary team (HAZOP team) during a set of meetings

Page 7 (slide 10): Example P&ID

Figure: an example piping and instrumentation diagram (P&ID); no text content.

Page 8 (slide 11): Parameters and Guide-Words

Figure: a table of HAZOP parameters and guide-words; no text content.

Page 9 (slide 12): Example HAZOP

Worksheet columns: GW (guide word), DEVIATION, CAUSES, CONSEQUENCES, SAFEGUARDS, REF#, RECOMMENDATIONS, BY. The REF# and BY columns are blank in the example.

Row 1
  GW: No
  Deviation: No Agitation
  Causes: Agitator motor drive fails
  Consequences: Non-uniformity leads to runaway reaction and possible explosion. Agitator failure is indicated by high reactor temperature and high pressure.
  Safeguards:
    • High Temperature and High Pressure Alarm in DCS.
    • Shortstop system.
  Recommendations:
    • Add SIF to chemically control runaway reaction.
    • Add a pressure safety relief valve.
    • If necessary, add a de-pressurization SIF. Use LOPA to determine required SIL.

Row 2
  GW: More
  Deviation: Higher Temperature
  Causes: Temperature control failure causes overheating during steam heating
  Consequences: High temperature could damage reactor seals causing leak. Indicated by high temperature.
  Safeguards:
    • High Temperature Alarm in DCS.
  Recommendations:
    • Add high-temperature SIF.
    • Use LOPA to determine required SIL.

Row 3
  GW: More
  Deviation: Higher Level
  Causes: Flow control failure allows the reactor to overfill
  Consequences: Reactor becomes full, possible reactor damage and release. Indicated by high level or high pressure.
  Safeguards:
    • High Level Alarm in DCS.
  Recommendations:
    • Add high-level SIF.
    • Use LOPA to determine required SIL.

Page 10 (slide 13): Layers of Protection

Figure: the layers-of-protection "onion". Layer labels in the figure: process control system (basic automation: normal activity, process value); process alarm (plant personnel intervenes); safety shutdown by the Safety Instrumented System (SIS) (automatic safety system); active protection (overpressure valve, rupture disc); passive protection (collection basin); disaster protection.

Page 11 (slide 14): Safety Instrumented System (SIS)

A system composed of sensors, logic solvers, and final control elements for the purpose of taking the process to a safe state when pre-determined conditions are violated.

Figure: a reactor instrumented with a flow transmitter (FT), an I/P converter and pressure transmitters (PT, tag 1A). The Basic Process Control System (BPCS) and the Safety Instrumented System (SIS) each have their own inputs and outputs, with the SIS reading its own pressure transmitters.

Page 12 (slide 15): The Problem

• PHA’s / HAZOP’s assume that the control systems and operators (alarms) will perform their intended function (layers of protection)
• Additional layers (e.g. safety systems) are added when the risk is too great
• Modern control systems and safety systems are software based systems
• It is very common for both to sit on the same network and communicate to the same servers/workstations
• A single vulnerability could disable all layers of protection!

Page 13 (slide 16): Modern SIS’s

Figure: the same reactor, BPCS and SIS arrangement as slide 14 (FT, I/P, PT, tag 1A, BPCS inputs/outputs, SIS inputs/outputs), now with both the BPCS and the SIS connected to the Process Control Network (PCN), which connects to the Plant LAN and on to the Corporate WAN and Internet.

Page 14 (slide 17): Layers of Protection

Figure: the layers-of-protection figure from slide 13, shown again with the same labels (process control system, process alarm, Safety Instrumented System (SIS) safety shutdown, active protection, passive protection, disaster protection).

Page 15 (slide 18): The ICS Cybersecurity Lifecycle

Figure: lifecycle diagram adapted from ISA/IEC 62443-1-1 (formerly ISA 99.01.01:2007), annotated "Start with Risk Assessment".

Page 16 (slide 21): Value of Performing Cyber Risk Assessments on Control Systems

• Before we can protect our control systems we must understand what we are dealing with
• Determine which assets to protect
• Determine threats to the assets
• Determine vulnerabilities that currently exist
• Identify the risks posed with regard to the assets
• Develop a plan to address unacceptable risk
• Recommend changes to current practice that reduce risks to an acceptable level
• Determine priorities
• Balance cost versus effectiveness

Page 17 (slide 24): NIST Preliminary Cybersecurity Framework

Figure: the NIST Preliminary Cybersecurity Framework core, annotated "Start with Risk Assessment".

Page 18 (slide 25): RA Guidance from NIST Preliminary Cybersecurity Framework

Figure: the IDENTIFY (ID) function of the framework, from which the risk assessment guidance is taken.

Page 19 (slide 26): Risk Assessment Requirements from ISA 62443-2-1 (formerly 99.02.01)

• Select a risk assessment methodology
• Conduct a high-level risk assessment
• Identify the industrial automation and control systems
• Develop simple network diagrams
• Prioritize systems
• Perform a detailed vulnerability assessment
• Identify a detailed risk assessment methodology
• Identify the reassessment frequency and triggering criteria
• Conduct risk assessments throughout the lifecycle of the IACS
• Document the risk assessment

Page 20 (slide 27): General Risk Assessment Methodology

• Identify, characterize threats
• Assess the vulnerability of critical assets to specific threats
• Determine the risk (i.e. the expected likelihood and consequences of specific types of attacks on specific assets)
• Identify ways to reduce those risks
• Prioritize risk reduction measures based on a strategy

Page 21 (slide 28): What’s different about performing a risk assessment on an ICS versus an IT system?

1. Difficult to identify ICS assets and assess vulnerabilities
  • ICS networks often can’t be scanned
  • No vulnerability scanning tools for automation equipment (e.g. PLC’s, VFD’s, MCC’s, RTU’s, etc.)
  • Network diagrams non-existent or outdated
2. Challenging to determine the impact or consequence of compromise
  • Depends on the process it is controlling, the hazards and the existing safeguards.
  • Example:
    • What is the impact of an email server getting compromised?
    • AD Server? OPC Server? PLC? SIS?
3. Difficult to estimate likelihood or frequency of threats
  • Very little historical data available

Page 22 (slide 29): Risk Assessment Flowchart from ISA 62443-3-2 (Draft 4, Edit 5)

Figure: a flowchart of five steps, each shown with its inputs and its output:
• Identify Threats (Section 4.5.1): inputs are target attractiveness and historical data or common sources (see Appendix A); output is a list of threats
• Identify Vulnerabilities (Section 4.5.2): inputs are prior audits, vendors, vulnerability databases, government sources, etc.; output is a list of vulnerabilities
• Determine Likelihood (Section 4.5.3): input is historical data; output is a qualitative or quantitative assessment of likelihood
• Determine Impact (Section 4.5.4): input is the process hazard assessments (e.g. HAZOP); output is a qualitative or quantitative assessment of financial and social impacts
• Calculate Risk (Section 4.5.5): input is the corporate risk matrix; output is a qualitative or quantitative assessment of residual risk

Page 23 (slide 30): Example Risk Assessment Process

• Characterize the product or system
  • Model the system (zones & conduits)
  • Identify trust boundaries
  • Identify entry points and data flows
  • Document assumptions and external dependencies
• Identify Critical Assets and Consequences
  • Identify critical assets
  • Evaluate consequence of compromise
• Identify threats
  • Enumerate threats
  • Classify and evaluate threats
• Analyze threats
  • Identify vulnerabilities
  • Identify existing countermeasures
  • Assess the risk of each threat
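As an added illustration (not from the exida deck) of the point on slide 15 that one vulnerability on a shared network can disable every layer of protection, and of the zones-and-conduits modelling step above, here is a small Python Cyber PHA worksheet: it takes the "No Agitation" row of the example HAZOP and credits a safeguard only when the zone it depends on is not compromised in the cyber scenario being assessed. The zone names, the one-point credit per safeguard and the 4x4 likelihood/severity scales are assumptions made up for this example.

```python
# Added example (not from the exida deck): a minimal Cyber PHA worksheet built
# on the "No Agitation" HAZOP row. A safeguard earns credit only if the zone it
# depends on is outside the set of zones compromised in the scenario assessed.
# Zone names, credits and the 4x4 scales below are assumptions for illustration.
from dataclasses import dataclass, field

LIKELIHOOD = {"remote": 1, "unlikely": 2, "possible": 3, "likely": 4}
SEVERITY = {"minor": 1, "serious": 2, "severe": 3, "catastrophic": 4}

@dataclass
class Safeguard:
    name: str
    zone: str        # zone (ISA 62443 sense) this layer of protection relies on
    credit: int = 1  # likelihood steps it removes while it remains independent

@dataclass
class Scenario:
    deviation: str
    consequence: str
    severity: str
    initial_likelihood: str
    safeguards: list = field(default_factory=list)

def assess(scenario, compromised_zones=frozenset()):
    """Rank one worksheet row; safeguards inside compromised zones earn no credit."""
    lost = [g.name for g in scenario.safeguards if g.zone in compromised_zones]
    credit = sum(g.credit for g in scenario.safeguards if g.zone not in compromised_zones)
    likelihood = max(1, LIKELIHOOD[scenario.initial_likelihood] - credit)
    risk = likelihood * SEVERITY[scenario.severity]
    rank = "high" if risk >= 9 else "medium" if risk >= 4 else "low"
    return {"risk": risk, "rank": rank, "defeated_safeguards": lost}

def no_agitation(sis_zone):
    """The HAZOP row from the slides; sis_zone is where the recommended SIF lives."""
    return Scenario("No Agitation", "runaway reaction and possible explosion",
                    severity="catastrophic", initial_likelihood="possible",
                    safeguards=[
                        Safeguard("High temperature / high pressure alarm in DCS", "PCN"),
                        Safeguard("Shortstop system", "PCN"),
                        Safeguard("Runaway-reaction SIF", sis_zone)])

# Flat architecture from the "Modern SIS's" slide: BPCS and SIS share the PCN.
FLAT = no_agitation(sis_zone="PCN")
# Segmented architecture: the SIS sits in its own zone behind a conduit.
SEGMENTED = no_agitation(sis_zone="SIS")

if __name__ == "__main__":
    for label, row in (("flat", FLAT), ("segmented", SEGMENTED)):
        print(label, "no compromise:", assess(row), "| PCN compromised:", assess(row, {"PCN"}))
```

With the PCN compromised, the flat architecture loses all three safeguards and the row returns to its unmitigated ranking, while the segmented architecture keeps the SIF's credit; the same worksheet can be re-run for each zone in the conduit diagram.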

Page 24 (slide 31): System Architecture Diagram

Figure: a plant architecture drawn across four locations (Field, Equipment Room, Control Room, IT Data Center). Components shown: FS-PES (safety PES) and Control PES, BPCS Engineering Workstation, SIS Engineering Workstation, BPCS HMI, Operator Consoles, DCS Servers, Data Historian, Domain Controller and Enterprise Firewall. Networks shown: PCN, Business LAN and Corporate WAN.

Page 25 (slide 32): Cyber PHA Example

Figure: an example Cyber PHA worksheet; no text content.

Page 26 (slide 33): Initial Zone & Conduit Diagram

Figure: the initial zone and conduit diagram for the example; no text content.

Page 27 (slide 34): Conclusion

With Good Risk Information You Can…

• Determine what plants/processes need to be addressed first
• Intelligently design and apply countermeasures (e.g. network segmentation, access controls, hardening, detection, etc.) to reduce risk
• Prioritize activities and resources
• Evaluate countermeasures based upon their effectiveness versus their cost/complexity

John Cusimano
exida
[email protected]
215-453-1720
www.exida.com/security