S. Palumbo, A. Tomàs
As the Internet permeates more and more of our daily work and life, an increasing number of cyber attacks are being recorded. Dealing with them is today a major challenge in industrial sectors, especially those with a high associated risk, whether security-related, environmental or socio-economic, i.e. strategic facilities. This article compares two methodologies available on the market for facing the new risks that arise from the overlap between Information Technology (IT) and Operational Technology (OT).
1. Industrial Evolution
In modern history, three distinct stages of industrial evolution stand out:
- The shift from the use of human power to the use of machines.
- The incorporation of computerization and automation, with the consequent improvement in production.
- Continuous integration of cybernetic systems in industrial processes.
In the industrialized world, first came the connection between humans and machines by means of robots, then the focus shifted to process connections and integration to achieve optimized production (data-driven analytics), and today Industry 4.0 is based on artificial intelligence (AI), cloud services and the industrial Internet.
2. Exposure to cyber-attacks
Shifting to a new industrial approach brings new threats that must be taken into account. Leading cybersecurity vendors (W. Schwab and M. Poujol, “The State of Industrial Cybersecurity 2018”, Kaspersky LAB – CXP Group, 2018; “Symantec Security Response”, 2014) report that cyber attacks have been growing in recent years, while the level of preparedness of industry remains alarmingly low.
A notable example is the Remote Access Trojan (RAT) Havex, used to spy on industrial control systems (ICS) and developed by a group called Dragonfly (also known as “Energetic Bear” for its involvement in attacks on various energy facilities). It began to spread in 2010 but was not discovered until 2013, despite its massive presence on industrial computers. Similarly, the code of the Karagany Trojan, from the same Dragonfly group, was leaked and made public in 2010, yet still accounted for 5% of cyber attacks in 2013, until companies in the industry adopted adequate protections.

3. Information Technology vs. Operational Technology
Cyber attacks have traditionally been considered the domain of Information Technology (IT), which uses computers to store, retrieve, transmit and manipulate data or information. End-to-end communication is monitored and protected by IT to prevent network intrusion, data redirection or information theft. IT departments fight cyber threats with up-to-date security software, resilient firewalls and controlled data transfer over networks and, in particular, through Internet servers.
Operational Technology (OT), responsible for controlling industrial process parameters, takes a completely different approach to protecting its data: complete isolation from external access. In OT, data is transmitted over wired links between Programmable Logic Controllers (PLC), Supervisory Control and Data Acquisition (SCADA) systems and/or Distributed Control Systems (DCS). Process data management is confined to the business unit, with no data exchange with external networks or the Internet, and all input systems follow a specific internal authorization policy.
For Information Technology (IT) companies, a cyber attack has an economic impact due to potential data loss or virtual system downtime. For Operational Technology (OT), in the new, interconnected and remotely operated Industry 4.0, a production plant that falls victim to attackers can suffer direct consequences for the safety of personnel and the integrity of the environment.
- For IT, the solution is to prevent cyber attacks by plugging vulnerabilities, using multi-layered firewalls and through continuous software updates to strengthen system configuration.
- For OT, upgrading to a new operating system means loss of business continuity and a risk to process integrity, as security functions would be temporarily disabled. This implies that software upgrades cannot be performed as soon as a vulnerability is discovered, but require dedicated planning and risk assessment.
Table 1. Comparison between IT and OT.
| | INFORMATION TECHNOLOGY (IT) | OPERATIONAL TECHNOLOGY (OT) |
|---|---|---|
| Target | Storing, retrieving, transmitting and manipulating data or information | Process and production safety |
| Aimed at | Computers, networks, data storage systems | Industrial Control Systems (ICS) adjusting process variables |
| Personnel involved | Computer, telecommunications and network engineers | Automation and control engineers, process engineers and maintenance engineers |
| Priority 1 | Confidentiality: of network communication, through firewalls, user logins, access permissions, etc. | Availability: process availability, to ensure safety and continuity of production |
| Priority 2 | Integrity: of stored data, through backups or other solutions | Integrity: of equipment, to achieve production objectives |
| Priority 3 | Availability: data access through redundant systems or dynamic network configuration | Confidentiality: because different suppliers are involved in the construction, commissioning and operation of the plant |
| Hardware | Direct upgrades, easy installation of modules, short life cycle, multi-vendor remote support service | Planned upgrades, full commissioning of upgrades, long service life, support restricted to trusted suppliers |
| Communication network | Internal and external, via the Internet | Internal only, wired network |
| Consequences of a cyber attack | Loss of data, stolen information, inaccessible networks | Safety of personnel, environmental impact, loss of production, etc. |
4. C-HAZOP
As long as IT was completely separate from OT, the impact of cyber attacks on a process plant was guaranteed to be limited. Now that this boundary is blurred, and communication between smart sensors (i.e. the Internet of Things, IoT) and end users takes place over the Internet, the risk of a cyber attack on an Industrial Control System (ICS), PLC, SCADA or DCS is real.
A wide variety of smart sensors, real-time data monitoring solutions and cloud data-management services are offered on the market, but when a new vulnerability is discovered, the lack of standards makes it difficult to keep up with system security updates. To mitigate this situation, IEC 62443 was developed, with a specific section aimed at manufacturers, vendors and suppliers of cyber-physical systems that attempts to standardize methods, procedures and components.
In addition, a risk analysis called C-HAZOP (Control Hazard and Operability Study) is proposed to assess the effects of a potential cyber attack on the vulnerabilities created by the interaction between IT and OT. The focus of C-HAZOP is to identify failure modes of industrial data and communication components and to provide a better understanding of cyber attack vectors, in order to propose recommendations to prevent them.
The first step in a C-HAZOP is to divide the overall systems into subunits, identified according to IEC 62443:
- Zones: “A group of logical or physical assets that share common security requirements”;
- Conduits: “A logical group of communication assets that protects the security of the channels it contains”.
The former are the areas responsible for control, storage and data integrity, while the latter are responsible for transferring information between zones. Each zone is analyzed by considering possible system vulnerabilities, assigning them a probability of cyber attack and ranking the highest risks on the basis of the consequences identified. The next step is to take existing IT countermeasures into account and to assign, for each resulting risk, a target Security Level (SL), defined as “a set of policies, procedures and practices to be implemented to secure an ICS zone” (IEC 62443).
Despite the structured approach of the C-HAZOP, this method has some limitations, which are detailed below:
- The scenarios identified are based on the evaluator’s personal experience.
- The analysis focuses on component failure modes (as in an FMEA) for data management, but these are not directly linked to deviations of process plant parameters as in a traditional HAZOP (high/low temperature, overpressure, high/low flow).
- A detailed component-based analysis is time-consuming and requires more resources (component data provided by a variety of suppliers) and specialists in multiple areas.
- Assessing the frequency of occurrence and the intent of a cyber attack is subjective, which significantly alters the risk rating obtained with the C-HAZOP.
- Once an attack has occurred, any existing safeguards (alarms, security functions, etc.) may be rendered unusable, which is not taken into account in a C-HAZOP risk rating.
- The C-HAZOP must be updated every time new vulnerabilities in cyber components are discovered.

5. Process Cybersecurity Study (CSPR)
To obtain a cybersecurity study focused on the industrial process, TEMA proposes a cybersecurity-focused PHA (Process Safety Analysis) review, the CyberSecurity Process Review (CSPR), which goes beyond the detailed analysis of components: it assumes that an attack has already taken place and evaluates how it affects the process parameters.
TEMA supports these studies with a long history of HAZOP studies performed worldwide to ensure personal safety and environmental protection, especially for chemical industries, petrochemical plants, oil and gas, energy and mining companies.
Starting from the results of a traditional HAZOP, the CSPR identifies which scenarios are vulnerable to a cyber attack and assesses the risk by analyzing the existing safeguards. The next step is the classification of the risk and the definition of a prioritized list of actions, assigning the required Security Level (SL) to each scenario according to IEC 62443.
Table 2. Comparison between C-HAZOP and CSPR.
| | C-HAZOP | CSPR |
|---|---|---|
| International standard | IEC 62443 | IEC 62443 |
| Target | Storing, retrieving, transmitting and manipulating data or information | Process and production safety |
| Aimed at | Components (as in FMEA) | Process parameters (as in HAZOP) |
| Skill required | IT | Process safety |
| Dedication required | Requires a lot of dedication | Less dedication (HAZOP add-on) |
| Risk assessment | Strongly influenced by the (uncertain) likelihood of being attacked | The attack is considered to have already occurred and the process risk is assessed |
| Recommendations | Associated with an entire zone or conduit | Specific to plant equipment and instruments |
| Revisions | Required periodically whenever a new vulnerability is identified | Independent of new vulnerabilities; required if there are changes in the plant or process |
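As an added illustration (not TEMA's tool or code), the following Python sketch applies the CSPR logic described above to a handful of constructed HAZOP scenarios: it credits every safeguard to obtain the conventional HAZOP residual risk, then re-scores each scenario with the cyber-exposed safeguards removed, as if the attack had already occurred, and maps the result to a target SL. The 5x5 scoring, the likelihood credits and the SL thresholds are assumptions chosen for the example, not values taken from IEC 62443.

```python
from dataclasses import dataclass
# Assumed scoring for this example (not from IEC 62443): severity and likelihood 1..5,
# risk = severity * likelihood, and target SL (0..4) read off the post-attack risk score.
SL_THRESHOLDS = ((16, 4), (10, 3), (5, 2), (2, 1))  # (minimum score, target SL)

@dataclass(frozen=True)
class Safeguard:
    name: str
    cyber_exposed: bool     # implemented on, or configured from, the DCS/PLC/SCADA
    likelihood_credit: int  # likelihood points it removes when it works (assumed)

@dataclass(frozen=True)
class Scenario:
    node: str
    deviation: str   # HAZOP deviation, e.g. "High pressure"
    severity: int    # consequence rank taken from the HAZOP
    likelihood: int  # unmitigated likelihood taken from the HAZOP
    safeguards: tuple

def residual_likelihood(sc, attack_occurred):
    # HAZOP credits every safeguard; CSPR assumes the attack happened, so cyber-exposed ones drop out.
    credit = sum(s.likelihood_credit for s in sc.safeguards
                 if not (attack_occurred and s.cyber_exposed))
    return max(1, sc.likelihood - credit)

def target_sl(score):
    return next((sl for floor, sl in SL_THRESHOLDS if score >= floor), 0)

def cspr_screen(scenarios):
    rows = []
    for sc in scenarios:
        vulnerable = any(s.cyber_exposed for s in sc.safeguards)
        hazop_risk = sc.severity * residual_likelihood(sc, attack_occurred=False)
        cspr_risk = sc.severity * residual_likelihood(sc, attack_occurred=True)
        rows.append({"node": sc.node, "deviation": sc.deviation, "cyber_vulnerable": vulnerable,
                     "hazop_risk": hazop_risk, "cspr_risk": cspr_risk,
                     "target_sl": target_sl(cspr_risk) if vulnerable else 0})
    return sorted(rows, key=lambda r: r["cspr_risk"], reverse=True)  # prioritized actions

# Constructed sample scenarios (illustrative only, not from a real plant).
SAMPLE = (
    Scenario("Reactor R-101", "High pressure", 5, 4, (
        Safeguard("DCS high-pressure alarm and operator response", True, 1),
        Safeguard("SIS pressure trip on PLC", True, 2),
        Safeguard("Relief valve PSV-101", False, 1))),
    Scenario("Tank T-201", "High level", 3, 3, (
        Safeguard("DCS high-level alarm", True, 1),
        Safeguard("Hardwired high-high level switch trip", False, 1))),
    Scenario("Pump P-301", "Reverse flow", 2, 2, (Safeguard("Check valve", False, 1),)),
)
```

Running `cspr_screen(SAMPLE)` shows the reactor scenario jumping from a HAZOP residual risk of 5 to 15 once only the relief valve is credited, while the check-valve scenario, having no cyber-exposed safeguard, is screened out with SL 0.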
6. Conclusions
A CSPR study is considered more suitable for assessing the consequences of a cyber attack on an industrial process, as well as the strength of the existing safeguards. Its advantages over other analysis methods are:
- Structured assessment of cyber risks, identifying specific impacts on the process and the specific areas exposed to targeted attacks or conventional malware.
- Time and resources are optimized, since it is not necessary to start from scratch: the method can be implemented as a complement to the HAZOP.
- Because it assumes that a cyber attack has already occurred, the results are independent of the likelihood of an attack and do not require periodic updating of the assessment.
- It provides detailed and specific recommendations for each vulnerable element (equipment or instrument) of the analyzed plant.
- It allows intrinsically cyber-secure system designs to be proposed.
- It complies with the IEC 62443 international standard.
The results obtained in CSPR studies make it possible to manage both OT and IT cybersecurity threats and to define the investments required to move companies towards Industry 4.0.
7. References
W. Schwab and M. Poujol, “The State of Industrial Cybersecurity 2018,” Kaspersky LAB – CXP Group, 2018.