Building a Resilient World:
The ISAGCA Blog

Welcome to the official blog of the ISA Global Cybersecurity Alliance (ISAGCA).

This blog covers topics on automation cybersecurity such as risk assessment, compliance, educational resources, and how to leverage the ISA/IEC 62443 series of standards.

Getting Started With Cybersecurity Risk Assessment: When It’s Not About Information Technology

In any industry that uses industrial automation and control systems (IACS), the potential consequences of a cyberattack range from fatalities and catastrophic environmental incidents to equipment damage and significant business interruption. All of these carry a higher priority than traditional information technology (IT) risks such as loss of privacy.

When IACS are involved, the focus is on operational technology (OT) rather than on IT and its business-related networks. OT comprises the hardware and software that detects or causes a change through the direct monitoring and/or control of physical devices, processes, and events, together with the procedures performed by personnel (e.g. engineering, operations, maintenance) to operate and maintain the system safely and securely. In the OT world, the hardware includes not just firewalls, switches, and routers, but all of the logic solvers, smart instrumentation, analyzers, field sensors and final elements, as well as the people responsible for their management, operation, engineering support and maintenance.

The ANSI/ISA 62443-3-2 standard, Security for industrial automation and control systems Part 3-2: Security risk assessment for system design, provides a performance-based risk assessment work process to determine the security level (SL) as a function of specific zones and conduits, so that a suitable risk reduction may be defined as a target sufficient to satisfy a corporation’s tolerable risk criteria. These tolerable risk criteria should be consistent with the risk criteria used in more traditional safety risk assessments, such as process hazard analysis (PHA). The cybersecurity risk assessment work process is intended to be complementary to the risk assessment work processes already in place at end user companies in industries such as manufacturing, oil and gas, industrial gas, pipeline, chemical, power, transportation, pulp and paper, water treatment, hospitals, etc.

Key aspects of the risk assessment work process include identification of the system under consideration (SuC) to define the scope of the review, and performance of an initial cybersecurity risk assessment to establish the basis for partitioning the SuC into zones and conduits, as well as to determine whether a detailed cybersecurity risk assessment is warranted. In an initial cybersecurity risk assessment, cyberattacks are assumed to be successful and the potential consequences are used to determine an unmitigated risk. This unmitigated risk is then compared to the company’s risk tolerability criteria to decide whether to proceed with a detailed cybersecurity risk assessment.

A detailed cybersecurity risk assessment looks at the likelihood of a successful cyberattack. This is done by considering both the potential threats and the vulnerabilities. Threats can result from action by foreign governments, disgruntled employees or contractors, non-malicious employee or contractor human error, criminals, or terrorists (e.g. activist, political, and religious). Furthermore, these threats can originate inside a facility as well as external to it, posing different threat vectors or pathways to a successful attack. Exploitation of vulnerabilities present in the devices, systems and/or procedures is what allows a threat agent to succeed.

The detailed cybersecurity risk assessment considers the potential threats, the vulnerabilities, and the countermeasures in place to either prevent or mitigate an attack. This, coupled with the potential consequences, allows an estimate of mitigated risk. The mitigated risk is then compared to the company’s risk criteria to determine whether additional risk reduction is prudent. As part of this exercise, the zone security level target (SL-T) is defined. If zone SL-Ts were assumed during the partitioning work, they are either confirmed or modified according to the detailed cybersecurity assessment results.

ANSI/ISA-62443-3-3 (99.03.03)-2013, Security for Industrial Automation and Control Systems Part 3-3: System Security Requirements and Security Levels includes technical requirements as a function of security level capability (SL-C). Should these not be sufficient to satisfy the SL-T for a zone, then compensating countermeasures would need to be considered. ISA TR84.00.09-2017, Cybersecurity Related to the Functional Safety Lifecycle, provides an annex (Annex G) with typical countermeasures, with some that go beyond the countermeasures documented by ANSI/ISA-62443-3-3 (99.03.03)-2013.
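To make the initial-versus-detailed assessment flow described above concrete, here is an added worked example (not code from ISA, the standard, or the author). It models one zone at a time: the initial assessment assumes the attack succeeds and compares unmitigated risk to a tolerability threshold; only when that threshold is exceeded does the detailed assessment credit countermeasures against threat likelihood and compute mitigated risk; an SL-T is then assigned and checked against the deployed SL-C, with a positive gap flagging the need for compensating countermeasures. The 5-point consequence and likelihood scales, the product-based risk score, the threshold value, the "one countermeasure removes one likelihood step" rule and the risk-to-SL-T mapping are all assumptions chosen for illustration; the standard leaves these criteria to the asset owner.

```python
"""Illustrative walk-through of the 62443-3-2 initial and detailed risk
assessment flow.

Constructed example, not ISA's or the standard's own method: the 5-point
consequence and likelihood scales, the product-based risk score, the
tolerability threshold, the "one countermeasure removes one likelihood
step" rule and the risk-to-SL-T mapping are assumptions for illustration.
"""
from dataclasses import dataclass, field

# Assumed corporate tolerable-risk threshold on the 1..25 score scale.
TOLERABLE_RISK = 6

# The initial assessment assumes the attack succeeds, so likelihood is
# pinned to the top of the assumed 1..5 scale.
ASSUMED_SUCCESS_LIKELIHOOD = 5


@dataclass
class Zone:
    """One zone of the system under consideration (SuC)."""
    name: str
    consequence: int          # worst credible consequence, 1..5 (assumed scale)
    sl_c: int                 # security level capability of the deployed system, 0..4
    countermeasures: list = field(default_factory=list)


def risk_score(consequence: int, likelihood: int) -> int:
    """Assumed scoring rule: risk = consequence x likelihood, each on 1..5."""
    for value in (consequence, likelihood):
        if not 1 <= value <= 5:
            raise ValueError(f"scale value out of range: {value}")
    return consequence * likelihood


def initial_assessment(zone: Zone) -> tuple[int, bool]:
    """Unmitigated risk with the attack assumed successful, and whether it
    exceeds the tolerability criteria (so a detailed assessment is warranted)."""
    unmitigated = risk_score(zone.consequence, ASSUMED_SUCCESS_LIKELIHOOD)
    return unmitigated, unmitigated > TOLERABLE_RISK


def detailed_assessment(zone: Zone, threat_likelihood: int) -> tuple[int, bool]:
    """Mitigated risk once countermeasures are credited against the threat
    likelihood, and whether further risk reduction is prudent.
    Assumed rule: each countermeasure lowers likelihood by one step, floor 1."""
    likelihood = max(1, threat_likelihood - len(zone.countermeasures))
    mitigated = risk_score(zone.consequence, likelihood)
    return mitigated, mitigated > TOLERABLE_RISK


def target_security_level(unmitigated: int) -> int:
    """Assumed mapping from unmitigated risk to a zone SL-T in 1..4."""
    if unmitigated <= TOLERABLE_RISK:
        return 1
    if unmitigated <= 12:
        return 2
    if unmitigated <= 19:
        return 3
    return 4


def sl_gap(zone: Zone, sl_t: int) -> int:
    """Levels by which the deployed SL-C falls short of SL-T; a positive gap
    means compensating countermeasures must be considered."""
    return max(0, sl_t - zone.sl_c)


def assess(zone: Zone, threat_likelihood: int) -> dict:
    """Run the initial assessment, and the detailed one only when warranted."""
    unmitigated, warranted = initial_assessment(zone)
    sl_t = target_security_level(unmitigated)
    result = {
        "zone": zone.name,
        "unmitigated_risk": unmitigated,
        "detailed_assessment_warranted": warranted,
        "sl_t": sl_t,
        "sl_gap": sl_gap(zone, sl_t),
        "mitigated_risk": None,
        "further_reduction_prudent": False,
    }
    if warranted:
        mitigated, prudent = detailed_assessment(zone, threat_likelihood)
        result["mitigated_risk"] = mitigated
        result["further_reduction_prudent"] = prudent
    return result


# Constructed sample zones: one safety-critical, one low-consequence.
SAMPLE_ZONES = [
    Zone("safety instrumented system", consequence=5, sl_c=2,
         countermeasures=["network segmentation", "hardened jump host"]),
    Zone("HVAC monitoring", consequence=1, sl_c=1),
]

if __name__ == "__main__":
    for zone in SAMPLE_ZONES:
        print(assess(zone, threat_likelihood=4))
```

Run as written, the safety zone scores an unmitigated risk of 25, so the detailed assessment is performed; two credited countermeasures bring the mitigated risk to 10, still above the assumed threshold, and the SL-C of 2 falls two levels short of an SL-T of 4. The HVAC zone scores 5, below the threshold, so the detailed assessment is skipped entirely, which is the branching the text describes.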

Following the cybersecurity risk assessment(s), the cybersecurity requirements, assumptions, and constraints are documented in a detailed risk assessment report. This allows detailed design to proceed from a defined basis once the report is approved. An ISA whitepaper titled Leveraging ISA 62443-3-2 For Risk Assessment and Risk Related Strategies provides additional guidance on applying the risk assessment work process detailed in the ANSI/ISA 62443-3-2 standard.

Hal Thomas
Hal Thomas is a self-employed consultant with HWT Consulting LLC. He was formerly an Engineering Associate - Process Safety at Air Products for over 36 years. He received a BSME from Bucknell University, is a registered professional engineer in the state of PA, and is a certified functional safety expert (CFSE). Prior to becoming a process safety engineer and being involved in cybersecurity for control systems, he was a process control engineer. He has participated in several industry initiatives involving the Center for Chemical Process Safety (CCPS), ISA84 and ISA99. He currently participates in ISA84 technical report working groups and co-chairs WG9, responsible for TR84.00.09, Cyber Security Related to the Safety Lifecycle, as well as participating in a number of ISA99 working groups and co-chairing WG7, which is intended to address the intersection of security and safety. During his career, he has authored and co-authored a number of papers dealing with aspects of risk assessment, including cybersecurity.
