Understanding the Risk of Cyber Threats to an Industrial Process with a Cyber PHA

Copyright © 2013 exida Consulting LLC

John A. Cusimano, CFSE, CISSP
• Director of ICS Cybersecurity Solutions for exida
• 25 years experience in industrial automation
  • Kodak, Moore Products, Siemens, exida
  • 6 years in ICS Cybersecurity
• Certifications:
  • CFSE, Certified Functional Safety Expert
  • CISSP, Certified Information Systems Security Professional
• Industry Associations:
  • ISA S99 Committee, WG4 TG3 Chair, TG6 Co-Chair
  • Lead developer/instructor for ISA IC 32 Training Course
  • ISA S84 Committee
  • ISA Security Compliance Institute, technical steering committee
  • ICSJWG Workforce Development & Vendor Subgroups
  • NIST Cyber-physical Systems workshop lead
  • US Expert to IEC TC65 WG10

Process Hazard Analysis (PHA)
• An organized and systematic assessment of the
potential hazards associated with an industrial process
• Used for decades to assist operators of potentially
hazardous industrial facilities in understanding and ranking
operational risks so they can be properly mitigated
• Mandated in the USA by the Occupational Safety and
Health Administration (OSHA) in its Process Safety
Management regulation for processes that handle highly
hazardous chemicals

PHA
• Provides information to assist in making decisions for
improving safety and reducing the consequences of
unwanted or unplanned events
• Directed toward analyzing potential causes and
consequences of fires, explosions, releases of toxic or
flammable chemicals and major spills of hazardous
chemicals
• Focuses on equipment, instrumentation, utilities, human
actions, and external factors that might impact the
process.

PHA Methods
• Checklist, What if?
• Hazard and Operability Study (HAZOP)
• Failure Mode and Effects Analysis (FMEA)
• Layer of Protection Analysis (LOPA)
• Fault Tree Analysis (FTA)

HAZOP
• A hazard and operability study (HAZOP) is a structured
and systematic examination of a planned or existing
industrial process in order to identify and evaluate
problems that may represent risks to personnel or
equipment, or prevent efficient operation
• A HAZOP is a qualitative technique based on guide-words
and is carried out by a multi-disciplinary team (HAZOP
team) during a set of meetings

Example P&ID
(figure)

Parameters and Guide-Words
(figure)

Example HAZOP
Columns: GW, Deviation, Causes, Consequences, Safeguards, Ref#, Recommendations, By

Row 1
  GW: No
  Deviation: No Agitation
  Causes: Agitator motor drive fails
  Consequences: Non-uniformity leads to runaway reaction and possible explosion. Agitator failure is indicated by high reactor temperature and high pressure.
  Safeguards: High Temperature and High Pressure Alarm in DCS. Shortstop system.
  Recommendations: Add SIF to chemically control runaway reaction. Add a pressure safety relief valve. If necessary, add a de-pressurization SIF. Use LOPA to determine required SIL.

Row 2
  GW: More
  Deviation: Higher Temperature
  Causes: Temperature control failure causes overheating during steam heating
  Consequences: High temperature could damage reactor seals causing leak. Indicated by high temperature.
  Safeguards: High Temperature Alarm in DCS.
  Recommendations: Add high-temperature SIF. Use LOPA to determine required SIL.

Row 3
  GW: More
  Deviation: Higher Level
  Causes: Flow control failure allows the reactor to overfill
  Consequences: Reactor becomes full, possible reactor damage and release. Indicated by high level or high pressure.
  Safeguards: High Level Alarm in DCS.
  Recommendations: Add high-level SIF. Use LOPA to determine required SIL.

Layers of Protection
(figure: concentric layers, from outermost to innermost)
• Disaster protection: collection basin
• Passive protection: overpressure valve, rupture disc
• Active protection: Safety Instrumented System (SIS), automatic safety shutdown
• Process alarm: plant personnel intervenes
• Normal activity: Basic Process Control System (process control system, automation value)

Safety Instrumented System (SIS)
A system composed of sensors, logic solvers, and final
control elements for the purpose of taking the process to
a safe state when pre-determined conditions are violated.
(figure: the Safety Instrumented System (SIS) and the Basic Process Control System (BPCS) shown as separate systems, each with its own inputs (PT, FT) and outputs (I/P) connected to the reactor)

The Problem
• PHAs / HAZOPs assume that the control systems and
operators (alarms) will perform their intended function
(layers of protection)
• Additional layers (e.g. safety systems) are added when the
risk is too great
• Modern control systems and safety systems are
software-based systems
• It is very common for both to sit on the same network
and communicate with the same servers/workstations
• A single vulnerability could disable all layers of
protection!

Modern SISs
(figure: the SIS and the BPCS, with their inputs (PT, FT) and outputs (I/P) to the reactor, both connected to the PCN; the PCN connects to the Plant LAN, which connects to the Corp WAN & Internet)

Layers of Protection
(figure repeated)

The ICS Cybersecurity Lifecycle
(figure: lifecycle diagram; start with Risk Assessment)
Adapted from ISA/IEC 62443-1-1 (formerly ISA 99.01.01:2007)

Value of Performing Cyber Risk Assessments on Control Systems
• Before we can protect our control systems we must
understand what we are dealing with
  • Determine which assets to protect
  • Determine threats to the assets
  • Determine vulnerabilities that currently exist
  • Identify the risks posed with regard to the assets
• Develop a plan to address unacceptable risk
  • Recommend changes to current practice that reduce risks to an
acceptable level
  • Determine priorities
  • Balance cost versus effectiveness

NIST Preliminary Cybersecurity Framework
(figure: framework core; start with Risk Assessment)

RA Guidance from NIST Preliminary Cybersecurity Framework
(figure: the IDENTIFY (ID) function)

Risk Assessment Requirements from
ISA 62443-2-1 (formerly 99.02.01)
• Select a risk assessment methodology
• Conduct a high-level risk assessment
• Identify the industrial automation and control systems
• Develop simple network diagrams
• Prioritize systems
• Perform a detailed vulnerability assessment
• Identify a detailed risk assessment methodology
• Identify the reassessment frequency and triggering criteria
• Conduct risk assessments throughout the lifecycle of the
IACS
• Document the risk assessment

General Risk Assessment Methodology
• Identify, characterize threats
• Assess the vulnerability of critical assets to specific threats
• Determine the risk (i.e. the expected likelihood and
consequences of specific types of attacks on specific
assets)
• Identify ways to reduce those risks
• Prioritize risk reduction measures based on a strategy

What's different about performing a risk assessment on an ICS versus an IT system?
1. Difficult to identify ICS assets and assess vulnerabilities
  • ICS networks often can't be scanned
  • No vulnerability scanning tools for automation equipment (e.g.
PLCs, VFDs, MCCs, RTUs, etc.)
  • Network diagrams non-existent or outdated
2. Challenging to determine the impact or consequence of
compromise
  • Depends on the process it is controlling, the hazards and the
existing safeguards.
  • Example:
    • What is the impact of an email server getting compromised?
    • AD Server? OPC Server? PLC? SIS?
3. Difficult to estimate likelihood or frequency of threats
  • Very little historical data available

Risk Assessment Flowchart from ISA 62443-3-2 (Draft 4, Edit 5)
(flowchart: each step with its inputs and output)
• Identify Threats (Section 4.5.1)
  Inputs: target attractiveness; historical data or common sources (see Appendix A)
  Output: list of threats
• Identify Vulnerabilities (Section 4.5.2)
  Inputs: prior audits, vendors, vulnerability databases, government sources, etc.
  Output: list of vulnerabilities
• Determine Likelihood (Section 4.5.3)
  Inputs: list of threats; list of vulnerabilities; historical data
  Output: qualitative or quantitative assessment of likelihood
• Determine Impact (Section 4.5.4)
  Inputs: process hazard assessments (e.g. HAZOP)
  Output: qualitative or quantitative assessment of financial and social impacts
• Calculate Risk (Section 4.5.5)
  Inputs: corporate risk matrix
  Output: qualitative or quantitative assessment of residual risk

Example Risk Assessment Process
• Characterize the product or system
  • Model the system (zones & conduits)
  • Identify trust boundaries
  • Identify entry points and data flows
  • Document assumptions and external dependencies
• Identify Critical Assets and Consequences
  • Identify critical assets
  • Evaluate consequence of compromise
• Identify threats
  • Enumerate threats
  • Classify and evaluate threats
• Analyze threats
  • Identify vulnerabilities
  • Identify existing countermeasures
  • Assess the risk of each threat

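A worked illustration of the "Calculate Risk" step above and of the point made earlier that a single compromise can defeat every layer of protection that shares a network. This is an added example, not from the slides or from exida: it takes the "No Agitation" HAZOP row, assigns each safeguard to the zone whose compromise is assumed to defeat it, and ranks risk on a constructed 5x5 likelihood/severity matrix with an assumed one-step-per-surviving-safeguard likelihood credit (a simplified LOPA-style credit; the zone names, thresholds and the assess() helper are all assumptions).

```python
from dataclasses import dataclass

# Constructed 5x5 matrix thresholds; a real site uses its corporate risk matrix.
def risk_rank(likelihood: int, severity: int) -> str:
    score = likelihood * severity
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"

@dataclass
class Safeguard:
    name: str
    zone: str  # zone whose cyber compromise is assumed to defeat this safeguard

@dataclass
class Scenario:
    deviation: str
    cause: str
    severity: int    # consequence severity, 1 (minor) .. 5 (catastrophic)
    likelihood: int  # unmitigated likelihood, 1 (remote) .. 5 (frequent)
    safeguards: list

def assess(scenario: Scenario, compromised_zones: set) -> dict:
    """Rank the scenario given which zones an attacker is assumed to control.
    Safeguards in a compromised zone get no credit; each surviving safeguard
    lowers the likelihood category by one step (assumed, simplified credit)."""
    defeated = [s.name for s in scenario.safeguards if s.zone in compromised_zones]
    credited = len(scenario.safeguards) - len(defeated)
    residual = max(1, scenario.likelihood - credited)
    return {"defeated": defeated, "likelihood": residual,
            "risk": risk_rank(residual, scenario.severity)}

# Constructed from the "No Agitation" HAZOP row: the alarms live in the BPCS/DCS,
# the shortstop SIF in the SIS. sis_zone models whether the SIS shares the BPCS
# zone (same network and servers) or sits in its own zone.
def no_agitation(sis_zone: str) -> Scenario:
    return Scenario(
        deviation="No Agitation",
        cause="Agitator motor drive fails",
        severity=5, likelihood=3,
        safeguards=[Safeguard("High temperature / high pressure alarm in DCS", "BPCS"),
                    Safeguard("Shortstop SIF", sis_zone)],
    )
```

With the SIS in its own zone, a BPCS compromise leaves the SIF credited and the scenario ranks Medium; with the SIS in the BPCS zone the same compromise defeats both safeguards and the scenario ranks High.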
System Architecture Diagram
(figure)
• IT Data Center: Corporate Domain Controller, Data Historian, Enterprise Firewall, WAN
• Business LAN
• Control Room: Operator Consoles on the PCN
• Equipment Room: SIS Engineering Workstation, DCS Servers, BPCS Engineering Workstation on the PCN
• Field: FS-PES, Control PES, BPCS HMI

Cyber PHA Example
(figure)

Initial Zone & Conduit Diagram
(figure)

Conclusion
With Good Risk Information You Can…
• Determine what plants/processes need to be addressed
first
• Intelligently design and apply countermeasures (e.g.
network segmentation, access controls, hardening,
detection, etc.) to reduce risk
• Prioritize activities and resources
• Evaluate countermeasures based upon their effectiveness
versus their cost/complexity

John Cusimano
exida
jcusimano@exida.com
215-453-1720
www.exida.com/security