If a system isn’t Cybersecure, you can’t rely on it to be safe

Throughout the operational life of a process plant, control and safety systems are designed and implemented to perform reliably, consistently and predictably, but if a system isn’t secure, you can’t rely on it to be safe.

What Could Possibly Go Wrong?

Your process has been subject to thorough hazard and risk assessment, your plant has been designed to operate efficiently and reliably, your process controls have been tested to ensure they keep your plant equipment operating safely, and your Safety Instrumented Systems have been designed, verified and validated to ensure that your operators, plant and the environment are protected should the unthinkable happen. Every professional involved in the design and operation of your process plant has used their best judgement and made assumptions about the availability, reliability, operability and safety of each system and its individual components. The biggest assumption of all is that everyone wants the plant to operate safely and according to its design.

What if this assumption is wrong?

Cyber attacks on information technology (IT) systems can be costly to a company and time consuming to recover from, but what if the attack isn’t targeted at information but at the cyber-physical boundary? Attacks on operational technology (OT) systems have the potential to cause physical harm to operators and damage to equipment by subverting process control or safety systems and making them fail, or operate in ways not intended by their designers.

In August 2017 the fifth known attack directed against an industrial control system (ICS), and more importantly the first directed against a Safety Instrumented System, was discovered entirely by accident. The target was a Saudi Arabia-based refining company, Petro Rabigh, and the attack was launched via an infected workstation attached to a Schneider Electric Triconex Safety Instrumented System. The attack, named Triton and TRISIS by security analysts, was only discovered because a possible error by the attacker triggered the Triconex integrity checking logic and shut the plant down.

[Figure: Triton / TRISIS attack sequence]

Further investigation revealed that the attackers had been in the control system for several months, with an incident in June 2017 having been treated as an equipment failure rather than a cyber attack, and that six safety systems, including one on a burner management system, had been compromised. Since 2017, threat analysts have seen a steady increase in the amount of malware and the number of attacks targeting OT and safety systems.

Common Security Vulnerabilities of OT Systems

  • A significant proportion of OT equipment is old (5+ years) and was not originally designed with security in mind. Given the time taken to develop products and bring them to market, even new hardware and software will lag behind the constantly evolving threat landscape.
  • Business requirements for access to information have resulted in more OT systems being accessible from corporate IT networks.
  • Many OT systems are unpatched, either because patching would cause production downtime or because it could make the system incompatible with the items (valves, motors, etc.) it controls.
  • Process industry OT systems and networks often grow and evolve over time rather than being designed as a single system, to the point that even the system owners often don’t fully understand the extent of their control hardware and its interconnections.
  • All software has flaws, and not all of them will be discovered by testing.
  • Most control and safety systems are built on complex proprietary software that your company has no visibility of or control over. Exploitation of vulnerabilities in equipment vendor code (supply chain attacks) is becoming a significant concern for OT operators.

How Can Companies Secure their Process and Safety Systems?

Securing digital technology can be a daunting task when you consider that the security team has to be successful against every attack whereas the attacker only has to be successful once; this is commonly known as the “Defender’s Dilemma”.

There are many useful standards and guides that outline how companies should approach cyber security, e.g. the IEC 62443 series and the UK Health & Safety Executive’s OG86 guidance document on “Cyber Security for Industrial Automation and Control Systems”, but most advise the following common sense steps, which can be incorporated into a company’s procedures and practices:

  • Identify your assets – you can’t defend what you don’t know you have
  • Identify the extent of your most valuable systems and how they interface with external systems – there’s no value in locking the front door if the back door is open
  • Apply appropriate security measures based on risk – prioritise your security effort and expenditure
  • Be aware that the threat landscape is constantly changing – keep your finger on the pulse of security threats and vulnerabilities
  • Understand that compromise may happen, so make detection easy – design your process and security controls to alert you if anything goes wrong or changes unexpectedly
  • Have a Business Continuity and Disaster Recovery Plan, not just a data backup – create a procedure for responding to an attack, practise it regularly and update it frequently
  • Be aware that the attacker may not be an unknown outsider – train your staff to recognise cyber threats and limit access rights to critical systems using the principle of least privilege (sufficient to carry out your work but no more)
  • Don’t overlook physical security – subverting a safety system could be as easy as removing a sensor or blocking a relief valve if an attacker can gain access to your plant

Developing the above concepts into a frequently practised, reviewed and updated Cyber Security Risk Management policy and set of procedures may not stop attacks, but it will help keep your OT safe and secure.

Talk about this issue in more detail

You can discuss this, and a number of other important topics, with us at the =Method 2022 Roadshow. These in-depth discussions will take place at the NEC during the CHEMUK show, and at other online events during 2022. See www.methodfs.com/training-courses/functional-safety-roadshows.php


Published by: Method Cyber Security



Air-Gapped OT Systems

The truly air-gapped OT system has become a myth in today’s interconnected world. Practically all systems require a means of data transfer to remain operational, e.g. for updating configuration files, patching software or performing diagnostic testing, and all common means of communicating with a non-networked OT system, such as USB drives, an Ethernet connection from a laptop, Wi-Fi communication or even data CDs, are potential attack vectors. Even if you are convinced that your OT is secure, can you say the same for your suppliers’ or contractors’ systems?

Definitions of Cyber Security terms used in this article

Cyber Security Management System (CSMS) – a systematic risk-based approach defining organisational processes, responsibilities and governance to protect computer-based systems from cyber threat and cyber attack.

Industrial Control System (ICS) – computer-based systems that monitor and control industrial processes that exist in the physical world. Also termed Industrial Automation and Control System (IACS), a term which includes Safety Instrumented Systems.

Operational Technology (OT) – the hardware and software used to monitor and control physical processes, devices and infrastructure.

OT Security – Practices and technologies used to protect people, assets, and information, and to monitor and / or control physical devices, processes and events.

Physical Security – the protection of personnel, hardware, software, networks and data from physical threats and exploitation of vulnerabilities.

Supply Chain Attack – a type of cyber attack which targets hardware and software during its development lifecycle to gain access to subsequent end-users networks and systems.

Threat Landscape – the collection of threats to a particular business sector, organisation or system, with information on identified vulnerable assets, threats, risks, adversaries and observed trends or patterns.

E: support@methodcysec.com. T: 44 (0)1462 713313. W: www.methodcysec.com