Efficient Plant Nov./Dec. 2022 - 32

column | safety insights
Keep T
Safety
Systems
Cyber
Secure
Syed Belal
Hexagon AB
HE PRIMARY GOAL of every
industrial facility is a safe production
environment. With plant safety in
mind, the objective is to reduce safety and
cybersecurity risks, which are inextricably
linked. At its core, risk comprises two fundamental
components: the likelihood or probability
that an event will occur and the severity of
post-incident consequences. Effectively reducing
risks requires decreasing the likelihood
and consequences of the risk equation
to an acceptable level.
Reducing safety risks, however, requires a
different approach than reducing cybersecurity
risks. To estimate safety risk, a plant uses
the safety HAZOP and LOPA processes. These
processes are much more mature when compared
to the risk estimations for cybersecurity.
However, when StuxNet (2010) and TRITON
(2017) cybersecurity threats emerged, it
showed that the process-safety function is not
necessarily guaranteed during a cyberattack.
Today's consensus from OT/ICS cyberseApply
the same level of cybersecurity
emphasis to safety systems that you
integrate into assets and operations.
curity experts is that risks from a cyberattack
need to be reduced to a level that ensures
a plant will continue to operate safely if
and when a cyberattack occurs or, should
downtime result, operations can safely resume
within the recovery-time objective timeframe.
Hence, it is always recommended that critical
Safety Instrumented Systems (SIS) are secure.
The best practices for securing SIS include
Syed M. Belal is Global Director of
Cybersecurity Consulting for Hexagon's
Asset Lifecycle Intelligence division.
Hexagon AB, Stockholm, Sweden
(hexagon.com), is a member organization
of the International Society of
Automation's (ISA) Global Cybersecurity
Alliance (ISAGCA). Belal has more than 15
years of experience in industrial control
systems and operational technology.
32 | EFFICIENTPLANTMAG.COM
four standard elements:
centrally managing inventory and vulnerability
for all safety systems
creating a separate zone for safety systems
limiting communication to/from all safety
systems
monitoring and logging the access/communications
to them.
These practices improve the process/
automation design and reduce the likelihood
of a cyberattack. However, in some cases, the
design cannot follow the best cybersecurity
strategy to ensure the usability of other OT/
ICS applications. In such cases, alternative
cybersecurity controls need to be considered
and applied to reduce cybersecurity risks to an
acceptable level.
A nefarious actor, intent on causing
damage or harm, may first disable the safety
systems, then go after the data being sent to
the control room. By changing this data, the
attacker could very well cause the operator to
make poor decisions and create potentially
dangerous outcomes. Consequently, safety
systems must be prioritized and secured.
ICS cybersecurity best practices, such as
in-depth inventory management, vulnerability
management, and incident response, should
be implemented. The ISA/IEC 62443 industry
standard recommends that the inventory
include all the hardware, firmware, and
software versions that are implemented in the
OT/ICS network. The vulnerability-management
solution should include details such as
the probability of remote exploitation, skills
to exploit, CVSS scores augmented with environmental
and temporal impact factors, and
methodology for mitigating them.
The assumption that a plant will be a target
of a cyberattack should always be part of the
cybersecurity strategy. The automation/safety
team should be trained to detect a cyberattack
at an early stage. With time, cyberattacks
cause more damage. The automation/safety
team should identify all the changes and know
what is normal and abnormal, and report to
the incident management team accordingly.
Securing an OT/ICS network is a journey.
As a plant becomes more mature, the recommendations
will change. It is suggested to
conduct a maturity assessment to identify the
status and apply cybersecurity controls on a
regular basis as new vulnerabilities and threats
emerge. EP
NOV/DEC 2022
http://www.hexagon.com http://www.EFFICIENTPLANTMAG.COM
Efficient Plant Nov./Dec. 2022

Table of Contents for the Digital Edition of Efficient Plant Nov./Dec. 2022
