Building a Resilient World: Practical Automation Cybersecurity

Getting Started With Cybersecurity Risk Assessment: When It’s Not About Information Technology

Written by Hal Thomas | May 11, 2021 9:30:00 AM

In any industry that uses industrial automated control systems (IACS), the potential consequences of cyberattacks range from fatalities and catastrophic environmental incidents to equipment damage and significant business interruption. All of these take priority over traditional information technology (IT) risks such as loss of privacy.

When IACS are involved, the focus is on operational technology (OT) rather than IT and its business-related networks. OT involves the hardware and software that detects or causes a change through the direct monitoring and/or control of physical devices, processes, and events, together with the applicable procedures performed by personnel (e.g., engineering, operations, maintenance) to operate and maintain it safely and securely. In the OT world, the hardware includes not just firewalls, switches, and routers, but all of the logic solvers and smart instrumentation, analyzers, field sensors and final elements, as well as the persons responsible for its management, operation, engineering support and maintenance.

The ANSI/ISA 62443-3-2 standard, Security for industrial automation and control systems Part 3-2: Security risk assessment for system design, provides a performance-based risk assessment work process to determine the security level (SL) as a function of specific zones and conduits, so that suitable risk reduction can be defined as a target sufficient to satisfy a corporation’s tolerable risk criteria. These tolerable risk criteria should be consistent with the risk criteria used in more traditional safety risk assessments, such as process hazard analysis (PHA). The cybersecurity risk assessment work process is intended to complement the risk assessment work processes already in place at end user companies in industries such as manufacturing, oil and gas, industrial gas, pipeline, chemical, power, transportation, pulp and paper, water treatment, hospitals, etc.

Key aspects of the risk assessment work process include identifying the system under consideration (SuC) to define the scope of the review, and performing an initial cybersecurity risk assessment, which provides a basis for partitioning the SuC into zones and conduits and for determining whether a detailed cybersecurity risk assessment is warranted. In an initial cybersecurity risk assessment, cyberattacks are assumed successful and the potential consequences are used to determine an unmitigated risk. This unmitigated risk is then compared to the company’s risk tolerability criteria to decide whether to proceed with a detailed cybersecurity risk assessment.

A detailed cybersecurity risk assessment looks at the likelihood of a successful cyberattack. This is done by considering both the potential threats and vulnerabilities. Threats can result from action by foreign governments, disgruntled employees or contractors, non-malicious employee or contractor human error, criminals, or terrorists (e.g., activist, political, and religious). Furthermore, these threats can originate inside a facility as well as external to the facility, posing different threat vectors or pathways to a successful attack. Exploitation of vulnerabilities present in the devices, system and/or procedures is what allows a threat agent to be successful.

The detailed cybersecurity risk assessment considers the potential threats, the vulnerabilities, and the countermeasures in place to either prevent or mitigate an attack. This, coupled with the potential consequences, allows an estimate of mitigated risk. The mitigated risk is then compared to the company’s risk criteria to determine if additional risk reduction is prudent. As part of this exercise, the zone security level target (SL-T) is defined. If zone SL-Ts had been assumed during the partitioning work, then the zone SL-Ts will either be confirmed or modified according to the detailed cybersecurity assessment results.
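The initial and detailed assessments described above, as an added sketch that is not taken from ANSI/ISA 62443-3-2 or from the author. The 1-5 scales, the multiplicative risk score, the tolerable-risk threshold, the countermeasure credit and the three zones are constructed assumptions standing in for a company's own risk matrix.

```python
from dataclasses import dataclass

# Constructed ordinal scales (1-5). A real assessment uses the corporate
# risk matrix, the same one applied in PHA.
TOLERABLE_RISK = 6   # assumed tolerable-risk criterion
CERTAIN = 5          # initial assessment: the attack is assumed successful

@dataclass
class Zone:
    name: str
    consequence: int            # 1 (minor) .. 5 (fatality, catastrophic release)
    threat_likelihood: int      # 1..5, from the threat and vulnerability review
    countermeasure_credit: int  # likelihood steps removed by existing countermeasures
    assumed_sl_t: int           # SL-T assumed while partitioning into zones

def unmitigated_risk(z: Zone) -> int:
    """Initial assessment: consequence scored with the attack taken as certain."""
    return z.consequence * CERTAIN

def mitigated_risk(z: Zone) -> int:
    """Detailed assessment: likelihood after crediting existing countermeasures."""
    likelihood = max(1, z.threat_likelihood - z.countermeasure_credit)
    return z.consequence * likelihood

def assess(z: Zone) -> dict:
    result = {"zone": z.name, "unmitigated": unmitigated_risk(z),
              "detailed": False, "mitigated": None, "sl_t": "confirmed"}
    if result["unmitigated"] <= TOLERABLE_RISK:
        return result  # tolerable even if the attack succeeds: no detailed study
    result["detailed"] = True
    result["mitigated"] = mitigated_risk(z)
    if result["mitigated"] > TOLERABLE_RISK:
        # Assumed SL-T does not deliver enough risk reduction: revisit it.
        result["sl_t"] = "modify"
    return result

# Constructed sample zones, not from the article.
ZONES = [
    Zone("safety-instrumented-system", 5, 3, 2, assumed_sl_t=3),
    Zone("basic-process-control", 4, 4, 1, assumed_sl_t=2),
    Zone("plant-historian-dmz", 1, 4, 0, assumed_sl_t=1),
]

def run() -> list:
    return [assess(z) for z in ZONES]

if __name__ == "__main__":
    for row in run():
        print(row)
```

A zone whose result is "modify" is the case where the mitigated risk still exceeds the criteria, so additional risk reduction or a higher SL-T is needed.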

ANSI/ISA-62443-3-3 (99.03.03)-2013, Security for Industrial Automation and Control Systems Part 3-3: System Security Requirements and Security Levels includes technical requirements as a function of security level capability (SL-C). Should these not be sufficient to satisfy the SL-T for a zone, then compensating countermeasures would need to be considered. ISA TR84.00.09-2017, Cybersecurity Related to the Functional Safety Lifecycle, provides an annex (Annex G) with typical countermeasures, with some that go beyond the countermeasures documented by ANSI/ISA-62443-3-3 (99.03.03)-2013.

Following cybersecurity risk assessment(s), the cybersecurity requirements, assumptions, and constraints are documented in a detailed risk assessment report. This allows detailed design to proceed with a defined basis following approval. An ISA whitepaper titled, Leveraging ISA 62443-3-2 For Risk Assessment and Risk Related Strategies, provides additional guidance with respect to the application of the risk assessment work process detailed in the ANSI/ISA 62443-3-2 standard.