A Cyber Resilience Risk Assessment Framework Proposal Based on Bow-Tie Analysis of Industrial Control System

Presented By:
Laxminarayan Nayak
Regional Risk Engineer, Middle East
Royal & Sun Alliance Insurance (Middle East) B.S.C.(c)

An Ever-Growing Threat: Targeting ICS
• High-Value Target & Safety Issue
• Infrequent Software Update
• Operational Risk & Potential to Affect Numerous Stakeholders
• Modernization of Technology & Automation
• High-Value Target
• Less Mature Protection & Weaker Security
• Legacy Application System

Cybersecurity attacks are on the rise
• 1982 Trans-Siberian Pipeline
• 1999 Gazprom
• 2000 Maroochy Water Treatment
• 2003 Davis-Besse Nuclear Plant
• 2003 PDVSA Oil Terminal
• 2006 Brown’s Ferry Nuclear Plant
• 2008 Lodz City Tram System
• 2011 DUQU Malware
• 2012 Saudi Aramco
• 2012 Nationwide, USA
• 2013 Istanbul Ataturk Airport
• 2014 January ‘HAVEX’
• 2014 Monju, Japan
• 2014 Gori & Wolsong, South Korea
• NRC, USA (2014)
• Ukrainian Power Grid – a string of attacks between 2015 & 2017
• WannaCry Ransomware – 2017
• Colonial Pipeline – 2021

Analysis of Past Cybersecurity-Related Incidents in the Process Industry

Ref: Analysis of Past Cybersecurity-Related Incidents in the Process Industry and the Like by Matteo Iaiani, Alessandro Tugnoli, Valeria Casson Moreno, Valerio Cozzani; DOI: 10.3303/CET2082028

OT Security: The Purdue Model
5. Internet DMZ - Boundary between Enterprise IT & wider Internet
4. Enterprise IT & Business Functions
3.5. OT DMZ - Boundary Between IT & OT Spaces
3. Connection across maintenance & data historian assets
2. Local HMI LAN
1. Controller LAN - PLC
0. Processes – Sensors & Actuators
[Figure: Supervision/Configuration, Controller, Actuators and Sensors, Physical Process]

Types of Attack
• Man-in-the-middle: Interception of information, change of message/control signal
• Replay attacks: Using copied control signals to cause an action at the incorrect time
• Attacks against the engineering workstation/supervision areas: Compromising the engineering workstations so that malicious updates and controls are uploaded to the control devices
• Attacks against the HMI: Displaying information to the operator that is different to what is happening in the process
• Denial-of-service: Overwhelming a system’s ability to function correctly
• Hybrid Attack: A combination of all these.

Steps of a Cyber Attack to the IT-OT System
Ref: Analysis of Past Cybersecurity-Related Incidents in the Process Industry and the Like by Matteo Iaiani, Alessandro Tugnoli, Valeria Casson Moreno, Valerio Cozzani; DOI: 10.3303/CET2082028

Multi-faceted CS Resilience Approach
• Design - Defendable Architect
• Monitor
• Recover Strategy

Refer to https://www.sciencedirect.com/science/article/pii/B9780124201149000071 for the different targets, possible attack vectors, possible attack methods and possible consequences.

Bow-Tie Risk Assessment Method
• Identification of issues – At a High Level
• Used for simple capturing of observations and recommendation
• Articulates CS risks around hazards, top events, threats, vulnerabilities, CS incidents, consequences and mitigations
• This helps to quickly visualize if more measures need to be implemented
• Build awareness about cyber security
• Hazard - An entity with the potential to cause harm, but also being necessary for performing the business.
• Top Event - As long as a hazard is controlled, the top event does not occur. It is the event that shall be avoided.
• Proactive or preventive barriers & Reactive or mitigating barriers
[Figure: bow-tie diagram: Hazard; Threat (this) could lead to Top Event (this), which could result in Consequence (this)]

Threat
Threats are categorized as unintentional and intentional attacks from internal or external attackers exploiting vulnerabilities.

Threats:
• Malware infection
• Intrusion via remote access & control components
• Technical malfunctions and force majeure
• DoS attacks
• Human error

Barriers:
• IT security Role & Risk Management Plan
• Authentication, Patch Management, Firewall, Encryption, Antivirus, Sandboxing, Honeypot, Intrusion Prevention System
• Obsolescence management, USB Management & Password Policies, dual authentication
• Auditing, Training, Vetting, Targeted User Social Engineering Assessments
• Storage Policy, Tamperproof
• Restricted Access & physical Control

Threat Escalators:
• Sensitive Data
• Obsolete Software
• Working from home
• Remote storage and no monitoring
• Absence of Patch Management
• Outsourced IT and control operators

Consequences
The outcome of an unwanted event (occurrence of the top event).

Consequences:
• System is down
• Control is hijacked
• Damage to infrastructure due to resulting malfunctions
• Compliance Failure

Barriers:
• Security functionality verification
• Incident Response & Disaster Recovery Plan
• Auditing System
• Off site Backup
• Remote Wiping
• Sandboxing
• Standard Compliance
• Restoration procedures, spare parts, Business Continuity Plan.

Escalators:
• Use of Public Cloud
• Absence of Staff Training
• Processing Sensitive Data
• Outsourcing

Visualization of cyber security Bow-Tie components
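
The check the bow-tie is meant to support (seeing whether a threat path needs more measures once escalation factors are taken into account), as an added Python example that is not part of the original presentation. Threat, barrier and escalator names come from the slides; the top event name, the barrier-to-threat and escalator-to-barrier links, the active escalators and the two-barrier minimum are constructed assumptions.

```python
# Added example: threat-side bow-tie coverage check.
# Names come from the slides; every mapping below is a constructed assumption.
from dataclasses import dataclass, field


@dataclass
class BowTie:
    top_event: str
    barriers: dict                      # threat -> preventive barriers on its path
    escalators: dict = field(default_factory=dict)  # escalator -> barriers it degrades

    def effective_barriers(self, threat, active_escalators):
        """Barriers on a threat path that no active escalator degrades."""
        degraded = {b for e in active_escalators
                    for b in self.escalators.get(e, [])}
        return [b for b in self.barriers.get(threat, []) if b not in degraded]

    def gaps(self, active_escalators, minimum=2):
        """Threat paths left with fewer than `minimum` effective barriers."""
        report = {}
        for threat in self.barriers:
            left = self.effective_barriers(threat, active_escalators)
            if len(left) < minimum:
                report[threat] = left
        return report


# Constructed model: the top event name and all links are illustrative.
ICS_BOWTIE = BowTie(
    top_event="Loss of control of the ICS (placeholder)",
    barriers={
        "Malware infection": ["Patch Management", "Antivirus", "USB Management"],
        "Intrusion via remote access": ["Authentication", "Firewall",
                                        "Intrusion Prevention System"],
        "DoS attacks": ["Firewall", "Intrusion Prevention System"],
        "Human error": ["Training", "Restricted Access"],
    },
    escalators={
        "Absence of Patch Management": ["Patch Management"],
        "Obsolete Software": ["Patch Management", "Antivirus"],
        "Working from home": ["Firewall"],
        "Remote storage and no monitoring": ["Intrusion Prevention System"],
    },
)

if __name__ == "__main__":
    active = ["Obsolete Software", "Working from home"]  # constructed site findings
    for threat, left in ICS_BOWTIE.gaps(active).items():
        print(f"{threat}: only {len(left)} effective barrier(s): {left}")
```

With the constructed findings above, the malware and DoS paths each drop to a single effective barrier, which is the signal that more measures are needed on those paths.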

Barriers Against Malware

Barriers Against DoS Attack

What Regulations Apply?
➢ International Standards for OT Security
• IEC 62443 Process Industry
• ISO 21434 Automotive Industry
• IEC 62645 Civil Nuclear Industry

➢ Cyber Security in safety regulation and standards
• IEC 61508/511 series
• UK HSE OG-0086
• NIST

➢ UN & International agencies issuing cyber security guides

➢ Government-based technical cyber authorities starting to look at the OT-based critical infrastructure

Conclusion
• The business outlook is constantly changing.
• Rapid development of technology increases the threat of cyber risk.
• Building cyber resilience requires proactive risk assessment (Bow-Tie) and implementation of mitigation strategies.
• Cyber resilience can be achieved with enterprise-wide dedication encompassing physical security, information security & industrial control system resilience.

Cyber Exposure is:
• Operational Exposure
• Physical Damage Exposure
• EHS Exposure
• Business Exposure

References
• Analysis of Past Cybersecurity-Related Incidents in the Process Industry and the Like; Matteo Iaiani, Alessandro Tugnoli, Valeria Casson Moreno, Valerio Cozzani; DOI: 10.3303/CET2082028
• ISO/IEC 27102; Information security management – Guidelines for cyber insurance
• Security Risk Assessment Methodology for the Petroleum and Petrochemical Industries; ANSI/API STANDARD 780
• Cyber risk and resilience – Guidance for the governing body and executive management; BS 31111:2018
• Security for industrial automation and control systems; BS EN IEC 62443-3-2:2020
• DNV Cyber security resilience management for ships and mobile offshore units in operation; DNV-RP-0496; October 2021
• IEC 62443-4-2; Security for industrial automation and control systems – Part 4-2: Technical security requirements for IACS components
• Implementing Shop Floor IT for Industry 4.0; Magnus Åkerman; https://www.researchgate.net/publication/326224890
• Security Vulnerability Assessment Methodology for the Petroleum and Petrochemical Industries; American Petroleum Institute; April 2003
• Integrated Cyber Safety & Security Management System: Industry 4.0 Issue; Vyacheslav Kharchenko, Oleg Illiashenko; DOI: 10.1109/DESSERT.2019.8770010
• An integrated cyber security risk management framework and risk predication for the critical infrastructure protection; Halima Ibrahim Kure, Shareeful Islam, Haralambos Mouratidis; https://doi.org/10.1007/s00521-022-06959-2
• Internet of Things (IoT) Cybersecurity: Literature Review and IoT Cyber Risk Management; In Lee
• Differential Petri Net Models for Industrial Automation and Supervisory Control; Isabel Demongodin, Nick T. Koussoulas; IEEE Transactions on Systems, Man, and Cybernetics, Part C: Applications and Reviews, Vol. 36, No. 4, July 2006

Thank You
