Understand the Risk of Cyber Threats to an Industrial Process with a Cyber PHA

Operators of industrial facilities, particularly those that operate critical, potentially dangerous processes or produce product for consumer consumption, are rightfully concerned about the potential for cyber threats that can accidentally or intentionally manipulate their industrial control systems (ICS). Modern ICS are highly vulnerable to cyber threats due to their increased use of commercial IT technology and extensive network connectivity. In the last few years, there have been numerous documented attempts to hack or inject a virus into an ICS to intentionally cause harm or destruction.
This presentation explores the challenges that most industrial companies face in understanding the true risk of cyber threats to their industrial processes and introduces Cyber PHA as a solution. Based on Process Hazard Analysis (PHA), which has been used in the process industries for decades to assist in understanding and ranking operational risks so they can be properly mitigated, a Cyber PHA is an organized and systematic assessment of the potential cyber threats to an ICS. It aids in understanding the true risk by identifying and qualifying threats, vulnerabilities and consequences.

Copyright © 2013 exida Consulting LLC
John A. Cusimano, CFSE, CISSP
• Director of ICS Cybersecurity Solutions for exida
• 25 years experience in industrial automation
• Kodak, Moore Products, Siemens, exida
• 6 years in ICS Cybersecurity
• Certifications:
  • CFSE, Certified Functional Safety Expert
  • CISSP, Certified Information Systems Security Professional
• Industry Associations:
  • ISA S99 Committee, WG4 TG3 Chair, TG6 Co-Chair
  • Lead developer/instructor for ISA IC 32 Training Course
  • ISA S84 Committee
  • ISA Security Compliance Institute, technical steering committee
  • ICSJWG Workforce Development & Vendor Subgroups
  • NIST Cyber-physical Systems workshop lead
  • US Expert to IEC TC65 WG10

Process Hazard Analysis (PHA)
• An organized and systematic assessment of the potential hazards associated with an industrial process
• Used for decades to assist operators of potentially hazardous industrial facilities in understanding and ranking operational risks so they can be properly mitigated
• Mandated in the USA by the Occupational Safety and Health Administration (OSHA) in its Process Safety Management regulation for processes that handle highly hazardous chemicals

PHA
• Provides information to assist in making decisions for improving safety and reducing the consequences of unwanted or unplanned events
• Directed toward analyzing potential causes and consequences of fires, explosions, releases of toxic or flammable chemicals and major spills of hazardous chemicals
• Focuses on equipment, instrumentation, utilities, human actions, and external factors that might impact the process

PHA Methods
• Checklist, What if?
• Hazard and Operability Study (HAZOP)
• Failure Mode and Effects Analysis (FMEA)
• Layer of Protection Analysis (LOPA)
• Fault Tree Analysis (FTA)

HAZOP
• A hazard and operability study (HAZOP) is a structured and systematic examination of a planned or existing industrial process in order to identify and evaluate problems that may represent risks to personnel or equipment, or prevent efficient operation
• A HAZOP is a qualitative technique based on guide-words and is carried out by a multi-disciplinary team (HAZOP team) during a set of meetings

Example P&ID
(Diagram: piping and instrumentation diagram of the example reactor.)

Parameters and Guide-Words
(Diagram: table of HAZOP parameters and guide-words.)

Example HAZOP
Guide word: No; Deviation: No Agitation
  Causes: Agitator motor drive fails
  Consequences: Non-uniformity leads to runaway reaction and possible explosion. Agitator failure is indicated by high reactor temperature and high pressure.
  Safeguards: High Temperature and High Pressure Alarm in DCS. Shortstop system.
  Recommendations: Add SIF to chemically control runaway reaction. Add a pressure safety relief valve. If necessary, add a de-pressurization SIF. Use LOPA to determine required SIL.
Guide word: More; Deviation: Higher Temperature
  Causes: Temperature control failure causes overheating during steam heating
  Consequences: High temperature could damage reactor seals causing leak. Indicated by high temperature.
  Safeguards: High Temperature Alarm in DCS.
  Recommendations: Add high-temperature SIF. Use LOPA to determine required SIL.
Guide word: More; Deviation: Higher Level
  Causes: Flow control failure allows the reactor to overfill
  Consequences: Reactor becomes full, possible reactor damage and release. Indicated by high level or high pressure.
  Safeguards: High Level Alarm in DCS.
  Recommendations: Add high-level SIF. Use LOPA to determine required SIL.
(The worksheet also carries REF# and BY columns, which are empty in the example.)

Layers of Protection
(Diagram: concentric layers around the process, innermost to outermost.)
• Normal activity: process control system and basic automation acting on the process value
• Process alarm: plant personnel intervene (active protection)
• Safety shutdown: Safety Instrumented System (SIS), safety system (automatic)
• Passive protection: overpressure valve, rupture disc
• Disaster protection: collection basin

Safety Instrumented System (SIS)
A system composed of sensors, logic solvers, and final control elements for the purpose of taking the process to a safe state when pre-determined conditions are violated.
(Diagram: the SIS and the Basic Process Control System (BPCS), each with its own inputs and outputs, connected to the reactor through pressure transmitters (PT), a flow transmitter (FT) and an I/P converter.)

The Problem
• PHAs / HAZOPs assume that the control systems and operators (alarms) will perform their intended function (layers of protection)
• Additional layers (e.g. safety systems) are added when the risk is too great
• Modern control systems and safety systems are software-based systems
• It is very common for both to sit on the same network and communicate with the same servers/workstations
• A single vulnerability could disable all layers of protection!

Modern SISs
(Diagram: the SIS and the BPCS, with their inputs and outputs to the reactor, both sit on the process control network (PCN), which connects to the plant LAN and on to the corporate WAN and the Internet.)

Layers of Protection
(Diagram: the same concentric layers, revisited.)
• Normal activity: process control system and basic automation acting on the process value
• Process alarm: plant personnel intervene (active protection)
• Safety shutdown: Safety Instrumented System (SIS), safety system (automatic)
• Passive protection: overpressure valve, rupture disc
• Disaster protection: collection basin

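The point made on "The Problem" and "Modern SISs" slides, that layers which share a network or server are not independent, can be checked mechanically once each layer is written down together with the assets it needs. The following is an added example, not code from the deck or from exida; the layer names follow the "Layers of Protection" slide, while the dependency assignments (which layer relies on the PCN, the DCS server, the operator console, the SIS engineering workstation) are constructed assumptions for illustration.

```python
"""Added example (not from the deck or exida): model the layers of protection
together with the assets each layer depends on, and show how compromising a
single shared asset removes several layers at once. Dependency assignments
are constructed assumptions."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, List, Tuple


@dataclass(frozen=True)
class Layer:
    name: str
    # Assets the layer needs in order to act; empty for purely mechanical layers.
    depends_on: FrozenSet[str] = field(default_factory=frozenset)


# Constructed topology matching the "Modern SISs" slide: BPCS, alarms and SIS
# all communicate over the same process control network (PCN).
SHARED_PCN: Tuple[Layer, ...] = (
    Layer("Process control system (BPCS)", frozenset({"PCN", "DCS server"})),
    Layer("Process alarm / operator intervention",
          frozenset({"PCN", "DCS server", "operator console"})),
    Layer("Safety Instrumented System (SIS)",
          frozenset({"PCN", "SIS engineering workstation"})),
    Layer("Overpressure valve / rupture disc"),   # mechanical, no cyber dependency
    Layer("Collection basin"),                    # mechanical, no cyber dependency
)


def surviving_layers(layers: Iterable[Layer], compromised: Iterable[str]) -> List[Layer]:
    """Layers that remain effective when the given assets are compromised."""
    lost = frozenset(compromised)
    return [layer for layer in layers if not (layer.depends_on & lost)]


def common_cause_assets(layers: Iterable[Layer], min_layers: int = 2) -> Dict[str, List[str]]:
    """Assets whose compromise alone would defeat at least `min_layers` layers."""
    layers = list(layers)
    assets = set().union(*(layer.depends_on for layer in layers))
    hits: Dict[str, List[str]] = {}
    for asset in sorted(assets):
        affected = [layer.name for layer in layers if asset in layer.depends_on]
        if len(affected) >= min_layers:
            hits[asset] = affected
    return hits


def move_to_segment(layers: Iterable[Layer], layer_name: str,
                    old_asset: str, new_asset: str) -> Tuple[Layer, ...]:
    """Countermeasure model: move one layer off a shared asset onto its own
    (assumed) network segment, leaving the other layers untouched."""
    out = []
    for layer in layers:
        if layer.name == layer_name and old_asset in layer.depends_on:
            layer = Layer(layer.name, frozenset((layer.depends_on - {old_asset}) | {new_asset}))
        out.append(layer)
    return tuple(out)


if __name__ == "__main__":
    print("PCN compromised, shared network:",
          [l.name for l in surviving_layers(SHARED_PCN, {"PCN"})])
    print("Assets that defeat two or more layers:", common_cause_assets(SHARED_PCN))
    segmented = move_to_segment(SHARED_PCN, "Safety Instrumented System (SIS)",
                                "PCN", "SIS network")
    print("PCN compromised, SIS segmented:",
          [l.name for l in surviving_layers(segmented, {"PCN"})])
```

With the shared PCN, a single compromised asset leaves only the two mechanical layers standing; after the SIS is modelled on its own segment the safety shutdown layer survives the same event, which is the kind of comparison a Cyber PHA team wants in front of it when weighing segmentation against its cost.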
The ICS Cybersecurity Lifecycle
(Diagram: the lifecycle, starting with Risk Assessment. Adapted from ISA/IEC 62443-1-1, formerly ISA 99.01.01:2007.)

Value of Performing Cyber Risk Assessments on Control Systems
• Before we can protect our control systems we must understand what we are dealing with
  • Determine which assets to protect
  • Determine threats to the assets
  • Determine vulnerabilities that currently exist
  • Identify the risks posed with regard to the assets
• Develop a plan to address unacceptable risk
• Recommend changes to current practice that reduce risks to an acceptable level
• Determine priorities
• Balance cost versus effectiveness

NIST Preliminary Cybersecurity Framework
(Diagram: the framework's functions; start with Risk Assessment.)

RA Guidance from NIST Preliminary Cybersecurity Framework
(Diagram: the IDENTIFY (ID) function, where risk assessment sits.)

Risk Assessment Requirements from ISA 62443-2-1 (formerly 99.02.01)
• Select a risk assessment methodology
• Conduct a high-level risk assessment
• Identify the industrial automation and control systems
• Develop simple network diagrams
• Prioritize systems
• Perform a detailed vulnerability assessment
• Identify a detailed risk assessment methodology
• Identify the reassessment frequency and triggering criteria
• Conduct risk assessments throughout the lifecycle of the IACS
• Document the risk assessment

General Risk Assessment Methodology
• Identify, characterize threats
• Assess the vulnerability of critical assets to specific threats
• Determine the risk (i.e. the expected likelihood and consequences of specific types of attacks on specific assets)
• Identify ways to reduce those risks
• Prioritize risk reduction measures based on a strategy

What’s different about performing a risk assessment on an ICS versus an IT system?
1. Difficult to identify ICS assets and assess vulnerabilities
   • ICS networks often can’t be scanned
   • No vulnerability scanning tools for automation equipment (e.g. PLCs, VFDs, MCCs, RTUs, etc.)
   • Network diagrams non-existent or outdated
2. Challenging to determine the impact or consequence of compromise
   • Depends on the process it is controlling, the hazards and the existing safeguards
   • Example: what is the impact of an email server getting compromised? An AD server? An OPC server? A PLC? An SIS?
3. Difficult to estimate likelihood or frequency of threats
   • Very little historical data available

Risk Assessment Flowchart from ISA 62443-3-2 (Draft 4, Edit 5)
(Flowchart, reconstructed as steps with their inputs and outputs.)
• Identify Threats (Section 4.5.1): inputs are target attractiveness and historical data or common sources (see Appendix A); output is a list of threats
• Identify Vulnerabilities (Section 4.5.2): inputs are prior audits, vendors, vulnerability databases, government sources, etc.; output is a list of vulnerabilities
• Determine Likelihood (Section 4.5.3): inputs are the list of threats, the list of vulnerabilities and historical data; output is a qualitative or quantitative assessment of likelihood
• Determine Impact (Section 4.5.4): inputs are process hazard assessments (e.g. HAZOP) and the corporate risk matrix; output is a qualitative or quantitative assessment of financial and social impacts
• Calculate Risk (Section 4.5.5): output is a qualitative or quantitative assessment of residual risk

Example Risk Assessment Process
• Characterize the product or system
  • Model the system (zones & conduits)
  • Identify trust boundaries
  • Identify entry points and data flows
  • Document assumptions and external dependencies
• Identify Critical Assets and Consequences
  • Identify critical assets
  • Evaluate consequence of compromise
• Identify threats
  • Enumerate threats
  • Classify and evaluate threats
• Analyze threats
  • Identify vulnerabilities
  • Identify existing countermeasures
  • Assess the risk of each threat

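The last step of the process above, assessing the risk of each threat, and the "Calculate Risk" step of the ISA 62443-3-2 flowchart both come down to scoring each scenario on a risk matrix and ranking the results. The following is an added example, not code from the deck or from exida, of a small Cyber PHA worksheet that does this. The three deviations are taken from the deck's HAZOP example; the cyber causes, the 5x5 qualitative matrix, the likelihood and severity ratings, and the rule that only safeguards independent of the control system earn likelihood credit are all constructed assumptions. A real study would use the site's corporate risk matrix, as the flowchart indicates.

```python
"""Added example (not from the deck or exida): a Cyber PHA worksheet that
scores scenarios on a constructed 5x5 risk matrix and ranks them. Ratings,
matrix bands and the safeguard-credit rule are assumptions."""
from dataclasses import dataclass, field
from typing import List

# Constructed qualitative scales (a site would substitute its corporate matrix).
LIKELIHOOD = {"remote": 1, "unlikely": 2, "possible": 3, "likely": 4, "frequent": 5}
SEVERITY = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}


def risk_level(score: int) -> str:
    """Constructed matrix bands; score = likelihood x severity."""
    if score >= 15:
        return "HIGH"
    if score >= 8:
        return "MEDIUM"
    return "LOW"


@dataclass(frozen=True)
class Safeguard:
    name: str
    # True only if the safeguard keeps working when the control system
    # software is compromised (mechanical device or independent hardware).
    independent_of_ics: bool


@dataclass
class Scenario:
    deviation: str
    cyber_cause: str
    consequence: str
    likelihood: str
    severity: str
    safeguards: List[Safeguard] = field(default_factory=list)

    def unmitigated(self) -> int:
        return LIKELIHOOD[self.likelihood] * SEVERITY[self.severity]

    def mitigated(self) -> int:
        # Assumption: each independent safeguard lowers likelihood one step.
        # DCS alarms earn no credit: the DCS is the system assumed compromised.
        credit = sum(1 for s in self.safeguards if s.independent_of_ics)
        return max(1, LIKELIHOOD[self.likelihood] - credit) * SEVERITY[self.severity]

    def dependent_safeguards(self) -> List[str]:
        """Safeguards credited in the HAZOP that share the cyber failure mode."""
        return [s.name for s in self.safeguards if not s.independent_of_ics]


# Constructed worksheet rows built on the deck's HAZOP deviations.
WORKSHEET: List[Scenario] = [
    Scenario("No agitation",
             "Agitator drive stopped through a compromised DCS server",
             "Runaway reaction and possible explosion",
             "possible", "catastrophic",
             [Safeguard("High Temperature and High Pressure Alarm in DCS", False),
              Safeguard("Shortstop system (assumed locally initiated)", True)]),
    Scenario("Higher temperature",
             "Altered control logic from the BPCS engineering workstation overheats during steam heating",
             "Reactor seal damage causing leak",
             "possible", "major",
             [Safeguard("High Temperature Alarm in DCS", False)]),
    Scenario("Higher level",
             "Tampered flow-control setpoint overfills the reactor",
             "Reactor damage and release",
             "possible", "major",
             [Safeguard("High Level Alarm in DCS", False)]),
]


def rank(scenarios: List[Scenario]) -> List[Scenario]:
    """Highest mitigated risk first; ties broken by unmitigated risk, then input order."""
    return sorted(scenarios, key=lambda s: (-s.mitigated(), -s.unmitigated()))


def report(scenarios: List[Scenario]) -> str:
    lines = []
    for s in rank(scenarios):
        lines.append(
            f"{s.deviation:<20} unmitigated {s.unmitigated():>2} {risk_level(s.unmitigated()):<6} "
            f"mitigated {s.mitigated():>2} {risk_level(s.mitigated()):<6} "
            f"ICS-dependent safeguards: {', '.join(s.dependent_safeguards()) or 'none'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(WORKSHEET))
```

The ranking is where the deck's point shows up in numbers: the two scenarios whose only safeguards are DCS alarms keep their full likelihood and end up above the runaway-reaction scenario, which has a safeguard that does not depend on the compromised system. The worksheet also lists the ICS-dependent safeguards per row, which is the list a team would take back to the HAZOP to decide where an independent SIF or relief device is warranted.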
System Architecture Diagram
(Diagram.) Components shown: IT Data Center, Corporate WAN, Domain Controller, Data Historian, Enterprise Firewall, Business LAN, Control Room with Operator Consoles, PCN (process control network), Equipment Room with SIS Engineering Workstation, DCS Servers and BPCS Engineering Workstation, and Field devices (FS-PES, Control PES, BPCS HMI).

Cyber PHA Example
(Diagram: example Cyber PHA worksheet.)

Initial Zone & Conduit Diagram
(Diagram: the architecture above partitioned into zones joined by conduits.)

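Drawing the zone and conduit diagram is the first step of the example process above ("Model the system (zones & conduits)", "Identify trust boundaries", "Identify entry points and data flows"). The following is an added example, not code from the deck or from exida, of the same model in a form that can be checked against a list of observed data flows. Asset names follow the "System Architecture Diagram" slide; the zone boundaries, the conduit definitions, the services declared on each conduit and the data flows themselves are constructed assumptions.

```python
"""Added example (not from the deck or exida): a minimal zone-and-conduit
model. Flows that cross a zone boundary must use a declared conduit and a
service that conduit is declared to carry; anything else is a finding.
Zone assignments, conduits and flows are constructed assumptions."""
from typing import Dict, FrozenSet, List, Set, Tuple

# Zone -> assets (assumed assignment based on the diagram's network labels).
ZONES: Dict[str, Set[str]] = {
    "Business LAN": {"Domain Controller", "Data Historian", "Business Workstation"},
    "PCN": {"DCS Server", "Operator Console", "BPCS Engineering Workstation",
            "BPCS HMI", "Control PES"},
    "SIS": {"SIS Engineering Workstation", "FS-PES"},
}

# Conduits: the only sanctioned paths between two zones, with the services
# each is declared to carry (constructed). No conduit joins Business LAN to SIS.
CONDUITS: Dict[FrozenSet[str], Set[str]] = {
    frozenset({"PCN", "Business LAN"}): {"historian replication"},
    frozenset({"PCN", "SIS"}): {"SIS status read"},
}

# Constructed data flows: (source asset, destination asset, service).
FLOWS: List[Tuple[str, str, str]] = [
    ("Operator Console", "DCS Server", "HMI traffic"),
    ("DCS Server", "Data Historian", "historian replication"),
    ("Business Workstation", "BPCS Engineering Workstation", "remote desktop"),
    ("DCS Server", "FS-PES", "SIS status read"),
    ("BPCS Engineering Workstation", "SIS Engineering Workstation", "file share"),
    ("Domain Controller", "Operator Console", "directory authentication"),
    ("Business Workstation", "SIS Engineering Workstation", "remote desktop"),
]

Finding = Tuple[str, str, str, str]  # (src, dst, service, reason)


def zone_of(asset: str) -> str:
    for zone, assets in ZONES.items():
        if asset in assets:
            return zone
    raise KeyError(f"asset not assigned to any zone: {asset}")


def check_flows(flows: List[Tuple[str, str, str]]) -> List[Finding]:
    """Flows that cross a trust boundary with no declared conduit, or that use
    a service the conduit does not declare."""
    findings: List[Finding] = []
    for src, dst, service in flows:
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if src_zone == dst_zone:
            continue  # traffic inside one zone stays inside one trust boundary
        allowed = CONDUITS.get(frozenset({src_zone, dst_zone}))
        if allowed is None:
            findings.append((src, dst, service,
                             f"no conduit between {src_zone} and {dst_zone}"))
        elif service not in allowed:
            findings.append((src, dst, service,
                             f"service not declared on the {src_zone}/{dst_zone} conduit"))
    return findings


def entry_points(flows: List[Tuple[str, str, str]]) -> Dict[str, Set[str]]:
    """Per zone, the assets that accept traffic from another zone; these are
    the entry points on the zone's trust boundary."""
    points: Dict[str, Set[str]] = {zone: set() for zone in ZONES}
    for src, dst, _ in flows:
        if zone_of(src) != zone_of(dst):
            points[zone_of(dst)].add(dst)
    return points


if __name__ == "__main__":
    for src, dst, service, reason in check_flows(FLOWS):
        print(f"FINDING: {src} -> {dst} ({service}): {reason}")
    for zone, assets in entry_points(FLOWS).items():
        print(f"{zone} entry points: {sorted(assets)}")
```

Running it over the constructed flows reports the remote-desktop sessions, the engineering file share and the domain authentication of operator consoles as boundary crossings the conduit definitions never sanctioned, and lists the assets on each zone's boundary. Those two lists are the inputs to the later steps, since each undeclared crossing is a candidate vulnerability and each entry point is where a threat scenario starts.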
Conclusion
With Good Risk Information You Can…
• Determine what plants/processes need to be addressed first
• Intelligently design and apply countermeasures (e.g. network segmentation, access controls, hardening, detection, etc.) to reduce risk
• Prioritize activities and resources
• Evaluate countermeasures based upon their effectiveness versus their cost/complexity

John Cusimano
exida
jcusimano@exida.com
215-453-1720
www.exida.com/security
