Understand the Risk of Cyber Threats to an Industrial Process with a Cyber PHA

2. John A. Cusimano, CFSE, CISSP • Director of ICS Cybersecurity Solutions for exida • 25 years experience in industrial automation • Kodak, Moore Products, Siemens, exida • 6 years in ICS Cybersecurity • Certifications: • • CFSE, Certified Functional Safety Expert CISSP, Certified Information Systems Security Professional • Industry Associations: • • • • • • • ISA S99 Committee, WG4 TG3 Chair, TG6 Co-Chair Lead developer/instructor for ISA IC 32 Training Course ISA S84 Committee ISA Security Compliance Institute, technical steering committee ICSJWG Workforce Development & Vendor Subgroups NIST Cyber-physical Systems workshop lead US Expert to IEC TC65 WG10 2

3. Process Hazard Analysis (PHA) • An organized and systematic assessment of the potential hazards associated with an industrial process • Used for decades to assist operators of potentially hazardous industrial facilities in understanding and ranking operational risks so they can be properly mitigated • Mandated in the USA by the Occupational Safety and Health Administration (OSHA) in its Process Safety Management regulation for processes that handle highly hazardous chemicals Copyright © 2013 exida Consulting LLC 6

4. PHA • Provides information to assist in making decisions for improving safety and reducing the consequences of unwanted or unplanned events • Directed toward analyzing potential causes and consequences of fires, explosions, releases of toxic or flammable chemicals and major spills of hazardous chemicals • Focuses on equipment, instrumentation, utilities, human actions, and external factors that might impact the process. Copyright © 2013 exida Consulting LLC 7

5. PHA Methods • • • • • Checklist, What if? Hazard and Operability Study (HAZOP) Failure Mode and Effects Analysis (FMEA) Layer of Protection Analysis (LOPA) Fault Tree Analysis (FTA) Copyright © 2013 exida Consulting LLC 8

6. HAZOP • A hazard and operability study (HAZOP) is a structured and systematic examination of a planned or existing industrial process in order to identify and evaluate problems that may represent risks to personnel or equipment, or prevent efficient operation • A HAZOP is a qualitative technique based on guide-words and is carried out by a multi-disciplinary team (HAZOP team) during a set of meetings Copyright © 2013 exida Consulting LLC 9

9. Example HAZOP GW No More More DEVIATION CAUSES CONSEQUENCES Agitator motor drive fails Non-uniformity leads to runaway reaction and possible explosion. Agitator failure is indicated by high reactor temperature and high pressure. Higher Temperature Temperature control failure causes overheating during steam heating High temperature could damage reactor seals causing leak. Indicated by high temperature. Higher Level Flow control failure allows the reactor to overfill Reactor becomes full, possible reactor damage and release. Indicated by high level or high pressure. No Agitation SAFEGUARDS REF# RECOMMENDATIONS • • • Add SIF to chemically control runaway reaction. Add a pressure safety relief valve If necessary, add a de-pressurization SIF. Use LOPA to determine required SIL. High Temperature Alarm in DCS. • • Add high-temperature SIF. Use LOPA to determine required SIL High Level Alarm in DCS. • • BY Add high-level SIF. Use LOPA to determine required SIL • • High Temperature and High Pressure Alarm in DCS. Shortstop system. Copyright © 2013 exida Consulting LLC 12

10. Layers of Protection Disaster protection Disaster protection Collection basin Passive protection Overpressure valve, rupture disc Safety system (automatic) Active protection Plant personnel intervenes Basic automation Safety Instrumented System (SIS) Safety shutdown Process alarm Process value Process control system Normal activity 13

11. Safety Instrumented System (SIS) A system composed of sensors, logic solvers, and final control elements for the purpose of taking the process to a safe state when pre-determined conditions are violated. Safety Instrumented System (SIS) Inputs PT PT 1A Outputs Basic Process Control System (BPCS) Inputs Outputs PT I/P FT Reactor 14

12. The Problem • PHA’s / HAZOP’s assume that the control systems and operators (alarms) will perform their intended function (layers of protection) • Additional layers (e.g. safety systems) are added when the risk is too great • Modern control systems and safety systems are software based systems • It very common for both to sit on the same network and communicate to the same servers/workstations • A single vulnerability could disable all layers of protection! Copyright © 2013 exida Consulting LLC 15

13. Modern SIS’s To Corp WAN & Internet Plant LAN PCN Safety Instrumented System (SIS) Inputs PT PT 1A Outputs Basic Process Control System (BPCS) Inputs Outputs PT I/P FT Reactor 16

14. Layers of Protection Disaster protection Disaster protection Collection basin Passive protection Overpressure valve, rupture disc Safety system (automatic) Active protection Plant personnel intervenes Basic automation Safety Instrumented System (SIS) Safety shutdown Process alarm Process value Process control system Normal activity 17

16. Value of Performing Cyber Risk Assessments on Control Systems • Before we can protect our control systems we must understand what we are dealing with • • • • Determine which assets to protect Determine threats to the assets Determine vulnerabilities that currently exist Identify the risks posed with regard to the assets • Develop a plan to address unacceptable risk • Recommend changes to current practice that reduce risks to an acceptable level • Determine priorities • Balance cost versus effectiveness Copyright © 2013 exida Consulting LLC 21

18. RA Guidance from NIST Preliminary Cybersecurity Framework IDENTIFY (ID) IDENTIFY (ID) 25

19. Risk Assessment Requirements from ISA 62443-2-1 (formerly 99.02.01) • • • • • • • • • Select a risk assessment methodology Conduct a high-level risk assessment Identify the industrial automation and control systems Develop simple network diagrams Prioritize systems Perform a detailed vulnerability assessment Identify a detailed risk assessment methodology Identify the reassessment frequency and triggering criteria Conduct risk assessments throughout the lifecycle of the IACS • Document the risk assessment Copyright © 2013 exida Consulting LLC 26

20. General Risk Assessment Methodology • Identify, characterize threats • Assess the vulnerability of critical assets to specific threats • Determine the risk (i.e. the expected likelihood and consequences of specific types of attacks on specific assets) • Identify ways to reduce those risks • Prioritize risk reduction measures based on a strategy Copyright © 2013 exida Consulting LLC 27

21. What’s different about performing a risk assessment on an ICS versus an IT system? 1. Difficult to identify ICS assets and assess vulnerabilities • • • ICS networks often can’t be scanned No vulnerability scanning tools for automation equipment (e.g. PLC’s, VFD’s, MCC’s, RTU’s, etc.) Network diagrams non-existent or outdated 2. Challenging to determine the impact or consequence of compromise • • Depends on the process it is controlling, the hazards and the existing safeguards. Example: • What is the impact of an email server getting compromised? • AD Server? OPC Server? PLC? SIS? 3. Difficult to estimate likelihood or frequency of threats • Very little historical data available Copyright © 2013 exida Consulting LLC 28

22. Risk Assessment Flowchart from ISA 62443-3-2 (Draft 4, Edit 5) Target attractiveness. Historical data or common sources (See Appendix A) Prior audits, vendors, vulnerability databases, government sources, etc. Identify Threats (Section 4.5.1) List of threats Identify Vulnerabilities (Section 4.5.2) List of vulnerabilities List of Threats List of Vulnerabilities Determine Likelihood (Section 4.5.3) Qualitative or quantitative assessment of likelihood Historical Data Process Hazard Assessments (e.g. HAZOP) Corporate Risk Matrix Determine Impact (Section 4.5.4) Calculate Risk (Section 4.5.5) Copyright © 2013 exida Consulting LLC Qualitative or quantitative assessment of financial and social impacts Qualitative or quantitative assessment of residual risk 29

23. Example Risk Assessment Process • Characterize the product or system • • • • Model the system (zones & conduits) Identify trust boundaries Identify entry points and data flows Document assumptions and external dependencies • Identify Critical Assets and Consequences • Identify critical assets • Evaluate consequence of compromise • Identify threats • Enumerate threats • Classify and evaluate threats • Analyze threats • Identify vulnerabilities • Identify existing countermeasures • Assess the risk of each threat Copyright © 2013 exida Consulting LLC 30

24. System Architecture Diagram IT Data Center Corporate WAN Domain Controller Data Historian Enterprise Firewall Business LAN Business LAN Control Room Operator Consoles Operator Consoles PCN Equipment Room SIS Engineering Workstation DCS Server DCS Server BPCS Engineering Workstation PCN ` ` PCN FS-PES Control PES Field BPCS HMI Copyright © 2013 exida Consulting LLC 31

27. Conclusion With Good Risk Information You Can… • Determine what plants/processes need to be addressed first • Intelligently design and apply countermeasures (e.g. network segmentation, access controls, hardening, detection, etc.) to reduce risk • Prioritize activities and resources • Evaluate countermeasures based upon their effectiveness of versus their cost/complexity John Cusimano exida jcusimano@exida.com 215-453-1720 www.exida.com/security Copyright © 2013 exida Consulting LLC 34

Understand the Risk of Cyber Threats to an Industrial Process with a Cyber PHA

John Cusimano, CFSE, CISSP, GICSP

Understand the Risk of Cyber Threats to an Industrial Process with a Cyber PHA