As cybersecurity threats to industrial facilities continue to rise, the automation world is still grappling with how to address them. In response, the newly released IEC 61511-1:2016 edition includes a new clause on the subject (Clause 8.2.4). In essence, End Users now have to carry out a security risk assessment to identify potential security vulnerabilities of the Safety Instrumented System (SIS).
Clause 8.2.4 then specifies what the assessment must contain. There needs to be a description of the devices covered by the risk assessment (e.g., the SIS, the BPCS or any other device connected to the SIS), together with a description of the identified threats that could exploit vulnerabilities and result in security events. This covers intentional attacks on the hardware, the application programs and related software, as well as unintended events resulting from human error. End Users will also need to describe the potential consequences of those security events and the likelihood of their occurring, and to consider the different lifecycle phases: design, implementation, commissioning, operation, and maintenance. From this, the requirements for additional risk reduction are determined, together with a description of, or references to information on, the measures taken to reduce or remove the threats.
The concern behind this clause is that a Safety Instrumented System compromised by a cyber incident could be prevented from performing its safety functions, so that a demand on the SIS goes unanswered. That would be a highly dangerous situation if it were to occur.
The Clause 8.2.4 requirements will be new to many End Users, and knowing where to start is usually the toughest part. The risk assessment can be split into a High Level Risk Assessment and a Detailed Risk Assessment, the latter of which can include a detailed vulnerability assessment. Part of the challenge is understanding and inventorying all the devices that are (or could be) connected to the Process Control Network (PCN). This is especially true of “brownfield” sites, where the PCN has generally evolved over a period of time and where extensions and/or expansions of the process have required additional networks and equipment.
During a High Level Risk Assessment, the most critical assets are reviewed to identify which cyber incidents would have the most severe consequences and what type of response would be required should those asset(s) be compromised. From this, the assets can be risk-ranked according to their potential consequences. The Detailed Risk Assessment then looks more closely at the PCN and the Industrial Automation and Control System (IACS) design to ensure it meets the Corporate Risk Criteria. The use of Zones and Conduits (the model used by IEC 62443) is essential here: critical assets are grouped into zones that can be protected as a unit, and the data flowing between zones is confined to defined conduits that can be protected in turn.
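To make the inventory, risk-ranking and zone/conduit ideas concrete, here is a small added example of how they can be written down and checked; it is not code from the article or from any standard. Every device name, zone, consequence and likelihood value, declared conduit and observed flow below is constructed for a hypothetical plant, and the consequence × likelihood score is a stand-in for whatever risk criteria the site actually uses. The useful part is the flow review: it flags any traffic between zones that has no declared conduit, and any endpoint that is missing from the inventory altogether, which is exactly the “what is actually connected to the PCN?” question that brownfield sites struggle with.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    zone: str
    consequence: int  # 1 (negligible) .. 5 (catastrophic) if the asset is compromised
    likelihood: int   # 1 (rare) .. 5 (frequent) estimate of a security event


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    protocol: str


# Constructed sample inventory for a hypothetical plant (not real device names).
ASSETS = [
    Asset("SIS-LS-01", "SIS", consequence=5, likelihood=3),
    Asset("BPCS-CTRL-01", "BPCS", consequence=4, likelihood=3),
    Asset("HMI-OPS-01", "BPCS", consequence=3, likelihood=4),
    Asset("ENG-WS-01", "Engineering", consequence=3, likelihood=3),
    Asset("HIST-01", "DMZ", consequence=2, likelihood=4),
]

# Declared conduits: the only zone pairs that are allowed to exchange data.
CONDUITS = {frozenset({"BPCS", "SIS"}), frozenset({"Engineering", "BPCS"})}

# Constructed traffic observations, e.g. from a passive capture on the PCN.
FLOWS = [
    Flow("BPCS-CTRL-01", "SIS-LS-01", "Modbus/TCP"),
    Flow("HMI-OPS-01", "BPCS-CTRL-01", "OPC"),
    Flow("ENG-WS-01", "BPCS-CTRL-01", "vendor-proprietary"),
    Flow("ENG-WS-01", "SIS-LS-01", "vendor-proprietary"),  # crosses an undeclared zone boundary
    Flow("HIST-01", "BPCS-CTRL-01", "OPC"),                # DMZ -> BPCS, no conduit declared
    Flow("VENDOR-LAPTOP", "SIS-LS-01", "SSH"),             # device missing from the inventory
]


def risk_score(asset: Asset) -> int:
    """Simple consequence x likelihood score; the site's own risk criteria would replace this."""
    return asset.consequence * asset.likelihood


def rank_assets(assets):
    """Highest risk first; ties broken by consequence, then by name for stable output."""
    return sorted(assets, key=lambda a: (-risk_score(a), -a.consequence, a.name))


def group_by_zone(assets):
    """Zone name -> list of asset names, preserving inventory order."""
    zones = {}
    for a in assets:
        zones.setdefault(a.zone, []).append(a.name)
    return zones


def review_flows(assets, flows, conduits):
    """Return (unknown_devices, undeclared_crossings).

    unknown_devices: flows with an endpoint that is not in the inventory at all.
    undeclared_crossings: flows between two zones that have no declared conduit.
    """
    zone_of = {a.name: a.zone for a in assets}
    unknown, undeclared = [], []
    for f in flows:
        missing = tuple(n for n in (f.src, f.dst) if n not in zone_of)
        if missing:
            unknown.append((f, missing))
            continue
        src_zone, dst_zone = zone_of[f.src], zone_of[f.dst]
        if src_zone != dst_zone and frozenset({src_zone, dst_zone}) not in conduits:
            undeclared.append((f, src_zone, dst_zone))
    return unknown, undeclared


if __name__ == "__main__":
    for a in rank_assets(ASSETS):
        print(f"{risk_score(a):2d}  {a.zone:<12} {a.name}")
    unknown, undeclared = review_flows(ASSETS, FLOWS, CONDUITS)
    for f, names in unknown:
        print(f"UNKNOWN DEVICE  {names}: {f.src} -> {f.dst} ({f.protocol})")
    for f, sz, dz in undeclared:
        print(f"NO CONDUIT      {sz} -> {dz}: {f.src} -> {f.dst} ({f.protocol})")
```

Run stand-alone, the script prints the ranked asset list with the SIS logic solver at the top, then two flows that cross zone boundaries with no declared conduit (Engineering to SIS, and DMZ to BPCS) and one SSH connection from a device that the inventory does not know about. Each of those findings is the kind of item a Detailed Risk Assessment has to resolve: either declare and protect a conduit, remove the connection, or add the device to the inventory and assess it.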
The Vulnerability Assessment provides a review of the cybersecurity environment for the control systems and the SIS at the plant. It identifies specific vulnerabilities so that recommendations for improvement can be developed, and it is best done in conjunction with the detailed cyber risk assessment, since the risk ranking tells you which vulnerabilities matter most.
Most End Users will probably reel at the prospect of having to implement this new clause. However, as with the Safety Lifecycle, it can be implemented in phases by developing a strategy and a plan for implementation. The first step would be a “Gap” assessment, which helps identify the areas to focus on and maps out a strategy for achieving compliance. A gap assessment takes a modest amount of time and does not tie up resources for long periods.
Hopefully this has given you food for thought…