There are three main components of the safety lifecycle: analysis, realization, and operation. We will be taking a look at the analysis phase, particularly as it applies to cyber security.
To start, the first thing to do in both safety and security is to perform a detailed process, hazard and risk analysis of the system. In the case of safety, you should allocate safety functions that will protect against the risks you have identified and create a safety specification, or set of requirements, for each of the safety functions you are going to apply. Once those requirements are in place, the realization phase is similar to other realization efforts, including design and engineering, acceptance testing and installation, and various validation stages. Once the safety system is in place and tested, the next step is to go into an operational mode where the system is maintained, and modifications are made to correct errors that you may discover during the course of normal operation. Ultimately, the system is decommissioned.
In parallel with functional safety management and assessment activities, you need to look at the root safety requirements of the system and make sure that they are current. There are also project planning, configuration management and other related activities that run through the entire project implementation.
There are a series of verification and testing activities that occur throughout the lifecycle. Each phase needs to be tested to make sure that all requirements are met so you can move onto the next phase.
The Cyber Security Lifecycle
Similar to the safety lifecycle, the cybersecurity lifecycle has an assess phase, analysis phase, implementation phase, and operational phase. There are also several activities involved across all phases. We will focus on the first few stages which involve process/plant design and scope, the definition of your system (zones and conduits), how to do a high-level cyber security risk assessment, and a process hazard analysis.
First, start with the cyber security risk assessment itself, which involves being clear about exactly what equipment is involved and what analysis you will be doing. Then a process hazard analysis can be done, as well as a hazard and operability (HAZOP) analysis. Later, a layer of protection analysis (LOPA) can be done on the cyber system. The result is a risk assessment that can identify security level requirements. Now that the requirements are set, you can ask: do the requirements meet the corporate risk criteria? To help answer that question, look at your corporate tolerable risk guidelines, which set requirements about damage and losses resulting from cyber attacks and events. This cycle can be repeated until you have adequate requirements developed. As input to the scope, you look at things like corporate and site policies and procedures, project-specific requirements, zone and conduit drawings, regulations, and standards.
Detailed cyber security risk assessment inputs include policies and procedures, which are the basis for Recognized and Generally Accepted Good Engineering Practices (RAGAGEP). Also included are the high-level risk assessment results, zone and conduit drawings, and any HAZOP or LOPA inputs that may have been previously executed.
Below is an example of a high-level security risk assessment. On the left is a list of the potential threats including data modification, data theft, denial of service, and introduction of malware into the system. As you proceed through the analysis, identify possible causes associated with the threats. For example, data modification could have been done by third parties, disgruntled employees, or malicious employees. These are obviously of concern to the process control system and the severity, let's say for this example, is identified as a medium consequence.
The whole idea of this exercise, following through with data theft, denial of service, and malware, is to take a look at those consequences and determine which are the very high and high potential threats that require mitigation. These are the things that you want to work on first. This table identifies means to address those high-level risks and gives insight into what needs the initial detailed risk assessment.
Zone & Conduit Drawings
One of the other key components of risk assessment is a snapshot, or clear understanding, of the interconnections within your system. To the left is an example of a zone and conduit drawing. As you look at this, you might see some pretty significant problems. Ideally you come up with these drawings as a result of network engineers going around and determining how the components within your system are actually interconnected. In this particular drawing, we have a direct internet connection to the field IO, which is not a good practice. Likewise, we are also bypassing the DMZ by connecting the site business local area network directly to the IO. Also, the contents of the DMZ don't seem to be present, so someone at one point decided, in this environment, that the DMZ was a good idea, but didn't build in any equipment to actually perform the functions of the DMZ. So you can see that this particular zoning drawing is covered with all kinds of problems.
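The three problems called out in that drawing can be checked mechanically once the drawing is captured as data. The script below is an added example (not from the original post or from Exida's tools); the zone names, the trust-tier ordering and the sample drawing are my assumptions, and the tier check generalizes the two "bypass" findings to any conduit that skips a tier.

```python
from dataclasses import dataclass

# Hypothetical trust tiers, outermost first (my assumption, not from the post).
# A conduit should only join zones at most one tier apart; a link that skips
# a tier (internet -> field IO, business LAN -> field IO) is the kind of
# problem the drawing above shows.
TIER = {"internet": 0, "business_lan": 1, "dmz": 2,
        "control_room": 3, "sis": 3, "field": 4}

@dataclass
class Drawing:
    nodes: dict[str, list[str]]      # zone -> equipment placed in that zone
    conduits: list[tuple[str, str]]  # (zone_a, zone_b) network links

def review_drawing(drawing: Drawing) -> list[str]:
    """Return one finding per problem, in the order they are detected."""
    findings = []
    for a, b in drawing.conduits:
        gap = abs(TIER[a] - TIER[b])
        if gap > 1:
            findings.append(f"conduit {a} <-> {b} skips {gap - 1} trust tier(s)")
    # A zone that is drawn but holds no equipment protects nothing: here the
    # DMZ was decided on but never built.
    for zone, equipment in drawing.nodes.items():
        if not equipment:
            findings.append(f"zone {zone} is drawn but contains no equipment")
    return findings

# Constructed drawing with the same defects the post describes.
EXAMPLE = Drawing(
    nodes={"internet": ["isp_router"], "business_lan": ["erp_server"],
           "dmz": [], "control_room": ["hmi", "historian"],
           "sis": ["safety_plc"], "field": ["remote_io"]},
    conduits=[("internet", "business_lan"), ("business_lan", "dmz"),
              ("dmz", "control_room"), ("control_room", "field"),
              ("control_room", "sis"), ("internet", "field"),
              ("business_lan", "field")],
)

if __name__ == "__main__":
    for finding in review_drawing(EXAMPLE):
        print("FINDING:", finding)
```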
Leveraging the PHA
Now we want to start leveraging the process hazard analysis and start asking some questions. These questions include: Are HAZOP or LOPA initiating events vulnerable to cyber attack? Are safeguards vulnerable to cyber attack? What are the consequences and associated risks when the system is completely vulnerable? So if your system no longer has these protection layers in place, the system is, in fact, vulnerable.
Work Process Methodology
As you are doing this analysis, there is a methodology to follow, starting with high-level cyber risk assessment. Start by determining the scope, which no longer includes the DMZ or the corporate enterprise. So the zones that we do have for this analysis include the site business LAN, the control room zone, the safety instrumented system (SIS) zone, and the field zone.
In the work process methodology itself we have already created the zone and conduit drawings, so next when you put your team together you want to make sure the information is available to everyone ahead of time. Then you start looping through a process of going zone by zone, looking at each node within a zone, and any threats to that node. For each threat, document the causes and any consequences, identify any countermeasures, and come up with a resolution or mitigation.
Finally, you have to make sure that all of the threats, nodes and zones are evaluated. Out of this entire process, a series of cyber security recommendations is formed. A rule of thumb from the practical SIL selection handbook that can be used in this methodology is the 20/20/20 rule: for every 20 years of operation, the company should have at least 20 months of realization and 20 weeks of analysis for building that system. The analysis in this particular rule of thumb covers not only cyber analysis but also safety hazard analysis. This shows the kind of effort involved in the cyber portion of the system analysis process.
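The zone-by-zone, node-by-node, threat-by-threat loop described in this section, combined with the "very high and high threats get worked on first" rule from the high-level assessment above, can be written as a small risk register. This is an added example, not code from the post or from CyberPHAx; the severity and likelihood scales, the ranking thresholds and the sample register entries are my assumptions.

```python
from dataclasses import dataclass, field

# Assumed four-step scales and ranking thresholds (illustrative, not from the post).
SEVERITY = {"low": 1, "medium": 2, "high": 3, "very high": 4}
LIKELIHOOD = {"remote": 1, "unlikely": 2, "possible": 3, "likely": 4}
RANKS = ["very high", "high", "medium", "low"]

@dataclass
class Threat:
    name: str              # data modification, data theft, denial of service, malware
    causes: list[str]      # e.g. third party, disgruntled employee
    consequence: str
    severity: str
    likelihood: str
    countermeasures: list[str] = field(default_factory=list)

@dataclass
class Node:
    name: str
    threats: list[Threat]

def risk_rank(t: Threat) -> str:
    score = SEVERITY[t.severity] * LIKELIHOOD[t.likelihood]
    return "very high" if score >= 12 else "high" if score >= 8 else "medium" if score >= 4 else "low"

def assess(zones: dict[str, list[Node]]):
    """Loop zone -> node -> threat; return (recommendations by rank, nodes not yet evaluated)."""
    recs, unevaluated = [], []
    for zone, nodes in zones.items():
        for node in nodes:
            if not node.threats:          # every node must have been looked at
                unevaluated.append(f"{zone}/{node.name}")
            for t in node.threats:
                rank = risk_rank(t)
                if rank in ("very high", "high"):   # these are worked on first
                    action = "; ".join(t.countermeasures) or "MITIGATION REQUIRED - none identified"
                else:
                    action = "accept and monitor"
                recs.append((rank, zone, node.name, t.name, action))
    recs.sort(key=lambda r: RANKS.index(r[0]))
    return recs, unevaluated

# Constructed register using the zones, threats, causes and countermeasures named in the post.
ZONES = {
    "control_room": [Node("engineering_workstation", [
        Threat("data modification", ["disgruntled employee", "malicious employee"],
               "wrong setpoints written to controllers", "high", "possible",
               ["frequently rotated passwords", "multi-factor authentication"]),
        Threat("malware", ["third-party software"], "HMI unavailable", "very high", "possible",
               ["anti-virus program with frequent updates"])])],
    "sis": [Node("safety_plc", [Threat("denial of service", ["third party"],
                                        "safety function unavailable", "very high", "unlikely")])],
    "field": [Node("remote_io", [])],
}
```

Calling `assess(ZONES)` returns the three threats ordered very high, high, high, with the SIS denial-of-service entry flagged as needing a countermeasure, and lists `field/remote_io` as not yet evaluated.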
Zones & Cyber Nodes
A lot of information comes out of these analyses. You can compile the information in various documents, spreadsheets and databases. Exida happens to have a tool that can assist in this process called PHAx and its counterpart CyberPHAx. PHAx does a consumer safety analysis and CyberPHAx is the tool used for the purposes of this blog. It offers some recommendations to lead you through the process and helps you organize all the information that comes out of the analysis.
Initially you take your zone and conduit drawings and put them into the tool, with each zone and its possible threats. It then lists the causes associated with the threats and the associated consequences of those threats. The next step is to go through the threats and identify possible countermeasures. To prevent a disgruntled employee from coming in and causing damage to your system, you can set frequently rotating passwords or require multi-factor authentication. In the case of any third-party software that can be introduced to the system, your team can put together an anti-virus protection program where your systems are frequently updated. While CyberPHAx helps you organize information, you can certainly go through the process by other means. The big picture is that you have to identify all the possible threats, causes, consequences, and countermeasures. Those all go into creating the set of requirements that are part of your successful system or successful mitigation strategy.
Requirements for Success
First, you need to have accurate information about your process to begin. Your zone and conduit drawings need to be correct, you need to have a clear understanding of corporate goals and of any standards or regulations your industry must comply with, and you need a technical team that is familiar with these requirements, understands your existing system, and has good, clear knowledge of cyber risk assessment methodologies. Ideally you want a team of more than two people but fewer than six, so the team does not get too large and bog things down.
- Cyber Security Risk Assessments should be integrated with overall PHA work process
- Initial scope should build on a foundation of RAGAGEP standards and procedures
- High-level Cyber Security Risk Assessment allows the detailed risk assessment to focus on what is important
- Detailed Cyber Security Risk Assessment identifies weaknesses in the proposed or existing design/operation relative to risk
For those of you who are just starting operations, otherwise known as greenfield operations, you have a clean slate and can do these analyses from the start and build your implementation from the beginning. Unfortunately, my guess is that many of you are involved in existing operations and systems and are trying to put together an assessment or cyber strategy and apply it to existing systems. That is a difficult task, but 62443 will provide you with some good guidelines to make that possible.