Managing an Uncertain Threat: Cyber Vulnerability Assessment
By Matt Mowrer, Director of Applied Technology and Data Analytics; David Campbell, Sr. Engineer, Process Safety; and Derek Bergeron, Sr. Engineer, Process Safety at ABS Group
Leverage Existing Risk Management Strategies
Engineered processes at petroleum and chemical processing facilities are designed to provide multiple layers of protections to prevent major accidents. These include administrative functions (e.g. training, procedures and emergency response), safety instrumented systems and mechanical protection devices (e.g. relief valves). While designed for a different purpose, these barriers can also prevent cyber attacks from resulting in operational, safety and environmental consequences. So, even though cyber vulnerabilities may exist, the facility may not be at a significant risk with respect to physical consequences due to the existence of safeguards that are not susceptible to cyber exploitation.
But how can organizations understand their exposure to risks? Companies can answer this question, with just a little extra effort, by leveraging studies that nearly all of them already perform.
To support the development of risk-informed strategies, and to promote safer, more reliable industry practices for maintaining cybersecurity systems in asset-intensive industries, an independent, third-party risk advisor can perform cyber risk analyses using the results of cyber vulnerability assessments, process hazard analyses (PHAs), layer of protection analyses (LOPAs), operational risk assessments and/or safety case studies.
Our Approach: Build a Risk Framework
Our recommended approach begins with a scoping discussion to identify your organization's cybersecurity concerns and the decisions that the management team would like to inform with the results of a cyber risk analysis. This is an essential step which helps the engineering team carrying out the assessment determine the scope of the analysis and the form of the results (e.g. qualitative, semi-quantitative).
Because cyber threats are diverse and the environments they act on are complex, the assessment team must clearly define these factors in the analysis scope. The two major threat categories considered are cybersecurity and cybersafety.
Cybersecurity threats involve the intentional disruption or exploitation of a computer network or control system by adversaries. These attacks can employ a variety of techniques to disrupt system functions, compromise data or gain control of systems. There is an innumerable array of potential attacks from a wide range of adversaries, which vary in objectives, capabilities and sophistication. Cybersecurity threats can include:
- External bad actor – an adversary who, while not physically within the facility perimeter, can access the site remotely via wired or wireless connections
- Internal bad actor – an adversary who is physically within the facility perimeter, or with authorized access to the facility’s IT/OT; internal bad actors potentially have direct physical or virtual access to computers or control system components
Cybersafety threats involve the accidental disruption of cyber systems by employees or authorized third parties, such as vendors or guests, who can cause:
- Accidental corruption – inadvertently introducing variability into the functions of control systems, such as introducing malicious code by plugging a phone into a USB port on a control system computer to charge it
- Software or configuration errors – installing software with undetected bugs or improperly configuring a system
Our Solution: Cyber Vulnerability Assessment
ABS Group's Security Risk Management team, which includes cybersecurity and PHA advisors, prepares for cyber risk analyses by reviewing (1) cyber vulnerability assessments to understand critical gaps and (2) hazard assessments (e.g. PHAs, LOPAs) to understand the overall process, potential loss scenarios and the associated causes, consequences and safeguards. Cyber vulnerabilities are identified for each potential scenario.
The team also facilitates a workshop with multi-disciplinary personnel, including process engineers, operators, maintenance personnel, instrumentation and controls engineers and IT (local and/or corporate) personnel. Past incidents and cyber attacks are discussed in order to understand the overall threat landscape. The analysis team then conducts a systematic evaluation of each potential loss scenario and considers these questions/issues:
- Could this scenario be initiated from cyber? (e.g. open valve and overfill tank)
- For each safeguard/independent protection layer (IPL), could its performance be degraded (e.g. disable high level alarm) or failed (e.g. disable high level alarm and automatic shutdown on tank) from cyber?
- If so, categorize degradation potential (degree of difficulty) and identify potential corruption vectors (e.g. hardware ports, remote access)
- If not, note that the safeguard/IPL is not susceptible to cyber (e.g. pressure relief valve)
Once all scenarios have been analyzed, the security risk management team develops a risk profile that identifies the highest risk scenarios and compares these to the baseline risk to characterize the client's overall cyber risk. Recommendations are then provided which include both cyber and physical safeguards to address critical vulnerabilities. This process can be repeated for all sites within a company to develop an enterprise risk profile.
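The scenario-by-scenario screen described above can be expressed as a small calculation over LOPA-style data. The following is an added example, not ABS Group's tooling or method: each loss scenario carries its initiating event frequency, whether that event could be caused from cyber, and its IPLs with their probability of failure on demand (PFD) and a flag for cyber susceptibility. The cyber case uses a bounding assumption chosen for this example: every cyber-susceptible IPL is treated as failed (PFD = 1) and only layers that are not susceptible (such as a relief valve or a dike) keep their credit; a scenario that cannot be initiated from cyber keeps its baseline figure. All scenario names, frequencies, PFDs and corruption vectors are constructed illustrative values, not data from any facility.

```python
"""Cyber-susceptibility screen over LOPA-style scenario data (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class IPL:
    """One safeguard / independent protection layer from the LOPA."""
    name: str
    pfd: float                 # probability of failure on demand (LOPA credit)
    cyber_susceptible: bool    # can its performance be degraded or failed from cyber?
    vectors: tuple = ()        # potential corruption vectors noted in the workshop


@dataclass
class Scenario:
    """One loss scenario: initiating event plus its protection layers."""
    name: str
    initiating_event: str
    ie_frequency: float        # initiating event frequency, events per year
    cyber_initiable: bool      # could the initiating event be caused from cyber?
    ipls: List[IPL] = field(default_factory=list)


def mitigated_frequency(scenario: Scenario, cyber_compromised: bool) -> float:
    """Mitigated event frequency per year.

    Baseline: every IPL earns its PFD credit. Cyber case (assumption used in
    this example): every cyber-susceptible IPL is treated as failed, so only
    non-susceptible layers still earn credit. A scenario that cannot be
    initiated from cyber is returned at its baseline value.
    """
    if cyber_compromised and not scenario.cyber_initiable:
        return mitigated_frequency(scenario, cyber_compromised=False)
    freq = scenario.ie_frequency
    for ipl in scenario.ipls:
        if cyber_compromised and ipl.cyber_susceptible:
            continue           # no credit: layer assumed defeated from cyber
        freq *= ipl.pfd
    return freq


def surviving_ipls(scenario: Scenario) -> List[str]:
    """Safeguards that still protect the scenario in the cyber case."""
    if not scenario.cyber_initiable:
        return [ipl.name for ipl in scenario.ipls]
    return [ipl.name for ipl in scenario.ipls if not ipl.cyber_susceptible]


def risk_profile(scenarios: List[Scenario]) -> List[Dict]:
    """Rank scenarios by cyber-degraded frequency and show the gap to baseline."""
    rows = []
    for s in scenarios:
        base = mitigated_frequency(s, cyber_compromised=False)
        cyber = mitigated_frequency(s, cyber_compromised=True)
        vectors = {v for ipl in s.ipls if ipl.cyber_susceptible for v in ipl.vectors}
        rows.append({
            "scenario": s.name,
            "baseline_per_year": base,
            "cyber_per_year": cyber,
            "risk_multiplier": cyber / base,   # how much cyber erodes the LOPA credit
            "surviving_ipls": surviving_ipls(s),
            "vectors": sorted(vectors) if s.cyber_initiable else [],
        })
    rows.sort(key=lambda r: r["cyber_per_year"], reverse=True)
    return rows


# Constructed sample scenarios; all values are illustrative, not from a real facility.
SCENARIOS = [
    Scenario("Storage tank overfill", "Level control loop fails / inlet valve driven open",
             ie_frequency=0.1, cyber_initiable=True, ipls=[
                 IPL("High level alarm + operator response", 0.1, True, ("remote access to DCS",)),
                 IPL("High-high level SIS trip", 0.01, True, ("engineering workstation", "USB port")),
                 IPL("Containment dike", 0.1, False),
             ]),
    Scenario("Vessel overpressure (blocked outlet)", "Outlet valve closed",
             ie_frequency=0.1, cyber_initiable=True, ipls=[
                 IPL("High pressure alarm + operator response", 0.1, True, ("remote access to DCS",)),
                 IPL("Pressure relief valve", 0.01, False),
             ]),
    Scenario("Pump seal leak", "Mechanical seal failure",
             ie_frequency=0.002, cyber_initiable=False, ipls=[
                 IPL("Area gas detection + isolation", 0.1, True, ("remote access to DCS",)),
             ]),
]


if __name__ == "__main__":
    for row in risk_profile(SCENARIOS):
        print(f"{row['scenario']:<40} baseline {row['baseline_per_year']:.1e}/yr  "
              f"cyber {row['cyber_per_year']:.1e}/yr  x{row['risk_multiplier']:.0f}  "
              f"surviving: {', '.join(row['surviving_ipls']) or 'none'}  "
              f"vectors: {', '.join(row['vectors']) or '-'}")
```

The multiplier column is what the workshop is looking for: the overfill scenario keeps only its dike and loses three orders of magnitude of protection, while the overpressure scenario is held by its relief valve, which no remote or workstation access can defeat. Running the same data for every site gives the comparable per-scenario figures an enterprise profile needs.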
The results of a cyber vulnerability assessment should contribute to more reliable decision making, which will also enable more effective management of risk and security across the spectrum of high-performance, data-driven assets found in today's complex facilities.