Throughout the operational life of a process plant, its control and safety systems are designed and implemented to perform reliably, consistently and predictably. But if a system isn't secure, you can't rely on it to be safe.
What Could Possibly Go Wrong?
Your process has been subject to thorough hazard and risk assessment, your plant has been designed to operate efficiently and reliably, your process controls have been tested to ensure they keep your plant equipment operating safely, and your Safety Instrumented Systems have been designed, verified and validated to ensure that your operators, plant and the environment are protected should the unthinkable happen. Every professional involved in the design and operation of your process plant has used their best judgement and made assumptions about the availability, reliability, operability and safety of each system and its individual components. The biggest assumption of all is that everyone wants the plant to operate safely and according to its design.
What if this assumption is wrong?
Cyber attacks on information technology (IT) systems can be costly to a company and time consuming to recover from but what if the attack isn’t targeted at information but at the cyber-physical boundary? Attacks on operational technology (OT) systems have the potential to cause physical harm to operators and damage to equipment by subverting process control or safety systems and making them fail or operate in ways not intended by their designers.
In August 2017 the fifth known attack directed against an industrial control system (ICS), and more importantly the first directed against a Safety Instrumented System, was discovered entirely by accident. The target was a Saudi Arabia-based refining company, Petro Rabigh, and the attack was launched from an infected engineering workstation attached to a Schneider Electric Triconex Safety Instrumented System. The attack, named Triton (also TRISIS) by security analysts, was only discovered because a probable error by the attacker tripped the Triconex controllers' integrity checking and shut the plant down.
Further investigation revealed that the attackers had been in the control system for several months, with an incident in June 2017 having been treated as an equipment failure rather than a cyber attack, and that six safety systems, including one on a burner management system, had been compromised. Since 2017, threat analysts have seen a steady increase in the amount of malware and the number of attacks targeting OT and safety systems.
Common Security Vulnerabilities of OT Systems
- A significant proportion of OT equipment is old (5+ years) and was not originally designed with security in mind. Given the time taken to develop products and bring them to market, even new hardware and software will lag behind the constantly evolving threat landscape
- Business requirements for access to information have resulted in more OT systems being accessible from corporate IT networks
- Many OT systems are unpatched, either because patching would cause production downtime or because it could make the system incompatible with the field devices (valves, motors, etc.) it controls
- Process industry OT systems and networks often grow and evolve over time rather than being designed as a single system, to the point that even the system owners often don't fully understand the extent of their control hardware and its interconnections
- All software has flaws which may not be discovered by testing
- Most control and safety systems are built on complex proprietary software that your company has no visibility of or control over. Vulnerabilities in equipment vendor code, and attacks that compromise the vendor's software or update channel before it reaches you (supply chain attacks), are becoming a significant concern for OT operators
How Can Companies Secure their Process and Safety Systems?
Securing digital technology can be a daunting task when you consider that the security team has to be successful against every attack whereas the attacker only has to be successful once, a situation commonly known as the "Defender's Dilemma".
There are many useful standards and guides that outline how companies should approach cyber security, e.g. the IEC 62443 series and the UK Health & Safety Executive's OG86 guidance document "Cyber Security for Industrial Automation and Control Systems", but most advise the following common sense steps, which can be incorporated into a company's procedures and practices:
- Identify your assets – you can’t defend what you don’t know you have
- Identify the extent of your most valuable systems and how they interface with external systems – there’s no value to locking the front door if the back door is open
- Apply appropriate security measures based on risk – prioritise your security effort and expenditure
- Be aware that the threat landscape is constantly changing – keep your finger on the pulse of security threats and vulnerabilities
- Understand that compromise may happen so make detection easy – design your process and security controls to alert you if anything goes wrong or changes unexpectedly
- Have a Business Continuity Disaster Recovery Plan, not just a data backup – create a procedure for response to an attack, practice it regularly and update it frequently
- Be aware that the attacker may not be an unknown outsider – train your staff to recognise cyber threats and limit access rights to critical systems using the principle of least privilege (sufficient to carry out your work but no more)
- Don’t overlook physical security – subverting a safety system could be as easy as removing a sensor or blocking a relief valve if an attacker can gain access to your plant
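As an added illustration of the "identify your assets" and "make detection easy" steps above (this is example code written for this page, not code from the original article or from =Method), the following Python script compares a known-good baseline of OT assets with a later observation and raises alerts on anything that changed unexpectedly: new devices appearing in a zone, a controller's loaded program hash changing, a keyswitch left in PROGRAM mode, firmware changes that were not on an approved change list, and baseline devices that have gone missing. Every device record, IP address and field name (firmware, program_hash, keyswitch) is a constructed assumption for illustration; a real deployment would populate the records from a passive network monitor or the vendor's engineering tools, and the approved-change list from the plant's management-of-change records.

```python
"""
Added example (not from the original article): baseline-and-compare change
detection for an OT asset inventory. All device data below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, NamedTuple, Optional, Tuple


@dataclass(frozen=True)
class Device:
    ip: str
    role: str          # e.g. "SIS controller", "EWS" (engineering workstation), "HMI"
    zone: str          # IEC 62443-style zone the device is assigned to
    firmware: str      # firmware version as reported by the inventory tool (assumed field)
    program_hash: str  # hash of the loaded application logic (assumed field)
    keyswitch: str     # "RUN" / "PROGRAM" on controllers with a keyswitch, else "N/A"


class Alert(NamedTuple):
    severity: str
    ip: str
    message: str


SEVERITY_ORDER = {"HIGH": 0, "MEDIUM": 1, "LOW": 2, "INFO": 3}

# Fields to compare and the default severity when they differ from the baseline.
CHECKED_FIELDS: Tuple[Tuple[str, str], ...] = (
    ("program_hash", "HIGH"),   # logic changed: nobody should be reprogramming a SIS quietly
    ("zone", "HIGH"),           # device seen on a different network segment than designed
    ("keyswitch", "MEDIUM"),    # raised to HIGH below if the new state is PROGRAM
    ("firmware", "MEDIUM"),
)

# Constructed baseline captured while the plant was in a validated, known-good state.
BASELINE: Dict[str, Device] = {
    "10.10.1.10": Device("10.10.1.10", "SIS controller", "safety", "10.3", "a1b2c3", "RUN"),
    "10.10.1.20": Device("10.10.1.20", "EWS", "safety", "2.1", "d4e5f6", "N/A"),
    "10.10.2.5": Device("10.10.2.5", "HMI", "control", "7.0", "0a0b0c", "N/A"),
    "10.10.2.6": Device("10.10.2.6", "HMI", "control", "7.0", "0a0b0c", "N/A"),
}

# Constructed later observation: the SIS controller has new logic and was left in
# PROGRAM, an unknown host has appeared in the safety zone, one HMI received an
# approved firmware update and the other HMI was not seen at all.
OBSERVED: Dict[str, Device] = {
    "10.10.1.10": Device("10.10.1.10", "SIS controller", "safety", "10.3", "ffff01", "PROGRAM"),
    "10.10.1.20": Device("10.10.1.20", "EWS", "safety", "2.1", "d4e5f6", "N/A"),
    "10.10.2.5": Device("10.10.2.5", "HMI", "control", "7.1", "0a0b0c", "N/A"),
    "10.10.1.99": Device("10.10.1.99", "unknown", "safety", "?", "?", "N/A"),
}

# Approved changes from management-of-change records: (ip, field) -> expected new value.
# Anything not listed here is by definition an unexpected change.
APPROVED_CHANGES: Dict[Tuple[str, str], str] = {
    ("10.10.2.5", "firmware"): "7.1",
}


def compare(baseline: Dict[str, Device], observed: Dict[str, Device],
            approved: Optional[Dict[Tuple[str, str], str]] = None) -> List[Alert]:
    """Return alerts for every difference between baseline and observed, worst first."""
    approved = approved or {}
    alerts: List[Alert] = []
    for ip, dev in observed.items():
        base = baseline.get(ip)
        if base is None:
            alerts.append(Alert("HIGH", ip, f"unknown device ({dev.role}) seen in zone '{dev.zone}'"))
            continue
        for field_name, severity in CHECKED_FIELDS:
            old, new = getattr(base, field_name), getattr(dev, field_name)
            if old == new:
                continue
            if approved.get((ip, field_name)) == new:
                alerts.append(Alert("INFO", ip, f"{field_name} {old} -> {new} (approved change)"))
                continue
            # On controllers with a keyswitch, PROGRAM mode is typically required before
            # new logic can be loaded (assumption), so treat it as a precursor, not noise.
            if field_name == "keyswitch" and new == "PROGRAM":
                severity = "HIGH"
            alerts.append(Alert(severity, ip, f"{field_name} {old} -> {new}"))
    for ip in sorted(baseline.keys() - observed.keys()):
        alerts.append(Alert("LOW", ip, "baseline device not observed (offline, removed or replaced?)"))
    return sorted(alerts, key=lambda a: SEVERITY_ORDER[a.severity])


def count_by_severity(alerts: List[Alert]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for a in alerts:
        counts[a.severity] = counts.get(a.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for alert in compare(BASELINE, OBSERVED, APPROVED_CHANGES):
        print(f"[{alert.severity:<6}] {alert.ip:<12} {alert.message}")
    print(count_by_severity(compare(BASELINE, OBSERVED, APPROVED_CHANGES)))
```

The important design choice is the approved-change list: without it, every planned firmware update or logic change produces the same alert as an intrusion and operators quickly learn to ignore the output. With it, the script alerts only on changes nobody signed off, which is what "changes unexpectedly" means in practice.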
Developing the above concepts into a frequently practiced, reviewed and updated Cyber Security Risk Management policy and procedures may not stop attacks but will help keep your OT safe and secure.
Talk about this issue in more detail
You can discuss this, and a number of other important topics, with us at the =Method 2022 Roadshow. These in-depth discussions will take place at the NEC during the CHEMUK show, and at other online events during 2022. See www.methodfs.com/training-courses/functional-safety-roadshows.php