The Department of Homeland Security (DHS) is tasked with many things. One area of focus is Industrial Control Systems (ICS). The Industrial Control Systems Joint Working Group (ICSJWG) was formed to facilitate this focus. This group holds semi-annual conferences (Spring and Fall) in various US cities. These meetings are filled with presentations by industry experts on cyber security for ICS. The meeting format can vary somewhat but usually includes several tracks of presentations that cater to the interest of the attendees. There is also one day set aside for cyber security training for either a beginner or intermediate level. One of the best things about these conferences … they are FREE to attend. You only have to pay your…
Product Certification
Over 60 new products received functional safety or cybersecurity certification this year. Those products and more can be found on our Safety Automation Element List. Most significant to me are the new product categories including:
exida Certification has expanded its scope…
About 5 years ago I was sitting around a big table in a conference room at a major LNG terminal. Outside the window I could see a big city harbor filled with boats, bridges, sky scrapers and approximately 5 million people. I could also see two huge LNG storage tanks that, I was told, had the hazard potential to form a vapor cloud that could cover the harbor and, under the right conditions, could burn and explode.
I was brought to the facility by a control system integrator who had been working onsite and had concerns about the control system security and the potential risk that it represented. They wanted me to discuss options to evaluate and improve the…
Last week I attended the ISA Water/Wastewater and Automatic Controls Symposium in Bethesda, Maryland. The conference was attended by equipment manufacturers and municipalities, but system integrators composed the largest group. The technical sessions mainly discussed new opportunities for implementing the industrial internet of things (IoT) and cybersecurity concerns. Both topics are central for the future of IACS (industrial automation and control systems) and SCADA (supervisory control and data acquisition) systems, but they provide disparate advice regarding remote access, a critical component of SCADA systems.
Due to the remote nature of the control devices in SCADA systems, wireless networks are a necessity for the overall cost and feasibility of the design. Industrial IoT focuses on helping integrators design an…
ICS cybersecurity standards such as ISA 62443 (formerly ISA 99) and NERC CIP require operators to have policies and procedures in place to monitor and maintain their critical ICS cyber assets. For anything other than very small systems, the obvious choice is to implement systems to automate these procedures. So, in our practice of performing cybersecurity vulnerability assessments, we are seeing a large number of servers being installed to provide services such as asset management, user authentication, anti-virus management, whitelisting management, patch management, backup/restore, etc. These servers are being installed “in the name of” improving cybersecurity but are they really? These are generally IT-driven projects, so, in most cases these servers are being installed on the…
I don’t know whether you’ve noticed recently, but the number of cybersecurity alerts issued by CISA (Cybersecurity and Infrastructure Security Agency) seems to be increasing at an alarming rate. The latest alert I’ve seen now relates to GPS tracking systems for children. A device which is supposed to keep your children, pets, and elderly loved-ones safe, which has been sold online in the hundreds of thousands, now appears to have a number of vulnerabilities that can potentially be exploited by attackers. This was just one notification I saw, which was closely followed by one regarding a nation state issued malware attack from North Korea: ELECTRICFISH and BADCALL, referred to as HIDDEN COBRA.
According to CISA, the…
The Oldsmar Water Treatment Facility in Pinellas County, Florida was compromised by hackers on February 5th. Hackers took advantage of the TeamViewer application that was still installed on the water facility's network to gain remote access [1]. TeamViewer was originally installed to allow for status checks and troubleshooting of alarms or other issues, but it had not been used in around six months [1]. Additionally, each computer used to monitor the system remotely had a single password.
The attackers who successfully gained access to the system were able to modify the concentration of water treatment chemicals and increased the amount of sodium hydroxide (lye) by a factor of 100 [2]. This much higher concentration had the potential to cause illness to the public…
In today’s automation systems environment, certain myths continue to persist. For example, "cyber attacks are only a concern for big companies". Although it may be less likely to be targeted by, say, a nation state attack, we’ve seen that malware can cause a shutdown of a system or trigger a loss of network equipment. Although there are security requirements that need to be met by the equipment suppliers and system integrators, there are also a lot of ongoing activities for cyber security that must be maintained by the asset owner.
Another myth we often hear is "my system is totally secure because it's air gapped or isolated from the network". What we've seen is although the system was air gapped, attackers…
Before you can dive in and look at the core concept of automation cybersecurity, it's helpful to first define it. Automation cybersecurity is the prevention of intentional or unintentional interference with proper operation of automation systems including industrial controls, smart manufacturing, and IIOT systems through the use of computers, networks, operating systems, applications and other programmable configurable components of the system.
Automation cybersecurity goes by many different names: everything from SCADA security to process control network security, industrial automation and control system security, or just industrial control system security. There are many different terms that may be used. The term that exida has standardized on and primarily uses is aligned with the IEC 62443 standard, which is industrial automated control systems (IACS).
Preparedness is defined as being in a state of readiness (Webster, 2022). This can take many different forms but when it comes to cybersecurity, a big part is knowing what threats lie in wait within the cyber landscape. It’s difficult to prepare against threats or vulnerabilities you don’t know exist. Being able to conduct proper research and make decisions based on high integrity intelligence is crucial. The IEC 62443-4-1 standard requires a process called threat modelling to achieve this purpose. The effectiveness of the threat model is very much dependent on this intelligence. Typically, this has meant that threat modelling is an activity that requires significant experience and knowledge of a wide range of cyber-attacks. Such experience is in high demand and can often be difficult…
This is the first in a series of blogs and papers on the benefits of cyber certification. Certification provides you with the opportunity to work with an experienced cyber team here at exida. It also allows you to gain access to our network of cyber experts worldwide codified in the IEC 62443 family of standards.
The following chart came from a Symantec publication in 2018. While it shows that financial and government sectors are experiencing the highest level of attacks, there still is a significant presence in industrial and infrastructure sectors (Energy, Construction, Telecom, Petrochemical). Wherever you fall in this spectrum, cyber certification can help significantly reduce the likelihood of being successfully attacked.
Certification can…
This is the next in a series of blogs and papers on the benefits of cyber certification. Certification provides you with the opportunity to work with an experienced cyber team here at exida, and the vast knowledge of cyber experts worldwide codified in the IEC 62443 family of standards.
TripWire published this article on January 24, 2016, more than 4 years ago. It contains 22 recommendations on how to secure your systems. This is the first part of a 2-part series reviewing the first 11 of those recommendations.
Given the last 4 years, look back at any security issues you have experienced, and see if any fall into these categories. Clearly mitigation for these attacks will not secure your system…
This is the next in a series of blogs and papers on the benefits of cyber certification. You can read part 1 here. Certification provides you with the opportunity to work with an experienced cyber team here at exida, and the vast knowledge of cyber experts worldwide codified in the IEC 62443 family of standards.
TripWire published this article on January 24, 2016, more than 4 years ago. It contains 22 recommendations on how to secure your systems. This is the first part of a 2-part series reviewing the first 11 of those recommendations.
Given the last 4 years, look back at any security issues you have experienced, and see if any fall into these categories. Clearly mitigation for…
This is the next in a series of blogs and papers on the benefits of cyber certification. You can read part 1 here and part 2 here. Certification provides you with the opportunity to work with an experienced cyber team here at exida, and the vast knowledge of cyber experts worldwide codified in the IEC 62443 family of standards.
The European Union has the General Data Protection Regulation (GDPR) which fines companies if they do not properly manage user data. Such a regulation does not exist in the United States although some groups are trying to make that happen. It is easy to see why large corporations do not want this, more systems to spend money on, so there…
This is the next in a series of blogs and papers on the benefits of cyber certification. You can read part 1 here, part 2 here, and part 3 here. Certification provides you with the opportunity to work with an experienced cyber team here at exida, and the vast knowledge of cyber experts worldwide codified in the IEC 62443 family of standards.
Last year Kevin Mandia, CEO of FireEye, published a white paper – “Validation for Security Effectiveness”. This is not directly focused on the control industry but does offer valuable insight into cyber management. Mandia splits his concerns into 5 areas:
Personnel responsible for protecting organizational assets within Operations Technology (OT) groups would seem to have the same mission as those responsible for protecting organizational assets within Information Technology (IT) groups, and be tightly aligned. Spending any amount of time with Industrial Control System (ICS) clients, however, shows that is certainly not the case. Let’s look at some reasons why this is and what can be done about it.
Profit-producing entities seek to organize themselves to generate revenues, minimize costs, and maximize profits. They do themselves an injustice when they create business units that are not aligned in strategic intent or in operational execution.
It is logical to have an IT services organization support the entire enterprise and list…
An April 2019 report from the Institute of Critical Infrastructure Technology (ICIT) makes the point that even though software ‘runs the world’, software security is an afterthought across virtually all industries.
The report states that this lack of software security is actually a National Threat given that this approach leads to non-resilient software being utilized in highly interconnected environments to run private and public critical infrastructures.
A Microfocus 2018 report states that 33% of applications are never tested for security vulnerabilities. Data such as that reinforces the thought that ‘secure by design’ is not a priority for most enterprises.
The robust connectivity of the Internet of Things (IIOT) only exacerbates this situation making users ‘crash test dummies’ since robust security…
Cyberattacks have become the new norm for industrial control systems. A recent study found that 54% (more than half) of companies surveyed had experienced a cyber-attack on their industrial control system within the last two years [1].
The need for well-trained, competent individuals to address cybersecurity for industrial control systems is higher than ever before. It’s clear that having the right skills and experience to address cybersecurity is a must, but sometimes it can be difficult to identify exactly what training or competency program is right for you.
With exida’s new CACE Specialties, it's as easy as one, two, three.
The first step is to identify which level of professional…
Today, we are going to talk a little bit about Contractor Cyber Training. What's in a good contractor cyber training course? Why do you need one? Why aren't policies, practices, and contract language enough?
Today's operators of industrial production facilities frequently utilize contract labor. This means a number of contractors have physical access to the site. Contractors could include your electrical contractor, your process automation contractor, your instrument and control technicians, or your electrical technicians.
As a point, remember contractors serve many clients, travel to many sites, have their own engineering tools, files, and copies of code. If you grant contractors access to your network, you need to provide a level of due diligence…
One of the things that automation companies are beginning to do is to plan for cyber hygiene. More and more companies are implementing automation-specific awareness training for their employees. They conduct periodic exercises, such as sending phishing emails to see who responds. They might leave USB devices around to see who's going to pick them up and use them without either reporting or cleaning them. Companies want to make sure that the cybersecurity policies and procedures are being followed.
Automation companies should be sending some level of information on cyber hygiene out to employees such as posters or intranet postings. These will normally communicate their expectations for employees. Uneducated employees have a…
The exposure of industrial facilities to cybersecurity threats has never been higher. An analysis performed by IBM security found that the number of attacks on SCADA systems increased 636% from 2012 to 2014, with 675,816 cybersecurity incidents in January 2014 [1]. Finding an effective method for evaluating the current level of risk in a facility and implementing additional security risk reduction as needed is becoming an essential part of managing the safety, security, and operability of industrial systems.
The three fundamental activities for the analysis of cybersecurity risk are High-Level Risk Assessments, Detailed Risk Assessments, and Security Level Verification. This is the second of a three-part blog series breaking down the IEC 62443 lifecycle steps for evaluating cybersecurity risk, with…
As the number, scale, and connectivity of industrial automation systems continues to grow, it becomes increasingly crucial to fundamentally understand, evaluate, and manage cybersecurity risks. The objective of an effective cybersecurity management program should be to maintain the industrial automation system consistent with corporate risk criteria.
Ownership for industrial automation cybersecurity concerns often falls to someone with a different full-time focus, as just one more task piled onto an already overbooked schedule. This makes it even more critical to manage cybersecurity both efficiently and effectively. The cost for failing to adequately manage risk for cybersecurity concerns can be seen from an ever-growing list of industry examples.
The first step in actively managing cybersecurity risk is understanding the current level of…
The exposure of industrial facilities to cybersecurity threats has never been higher. An analysis performed by IBM security found that the number of attacks on SCADA systems increased 636% from 2012 to 2014, with 675,816 cybersecurity incidents in January 2014 [1]. Finding an effective method for evaluating the current level of risk in a facility and implementing additional security risk reduction as needed is becoming an essential part of managing the safety, security, and operability of industrial systems.
The three fundamental activities for the analysis of cybersecurity risk are High-Level Risk Assessments, Detailed Risk Assessments, and Security Level Verification. This is the final installment of a three-part blog series breaking down the IEC 62443 lifecycle steps for evaluating…
The world of automation has changed significantly over the past 30 years. I have fond memories of starting my career by calibrating, adjusting, and tuning pneumatic control loops while working my way through the electronic age right up to the present digital and cyber generation of automation. If you are like me, it is easy to get lost in all the technical changes that have made our jobs so rewarding and challenging. I want to highlight these changes by sharing my thoughts related to “Cyber Security.”
At the beginning of my career, the biggest concern was having clean dry air supplied at 20 psig and a 3 to 15 psi control signal. This may be a bit simplified,…
Have you noticed that over the last several years, cybersecurity seems to be “trending?”
Companies of all sizes are starting to learn how to prevent, or at least minimize, these attacks. They hire third-party experts and attend trainings to learn more about the human and system weaknesses that are common because competency is lacking.
For example, the mechanisms of attack listed below are only successful with the existence of human and system weaknesses:
The thought of tackling a threat model (TM) might not be the most appetizing to some people. Doing a quick Internet search, someone could get stuck under a mountain of acronyms and terms. I mean, what is a CVSS anyway? And then there are the diagrams, attack trees and feedback loops that could drive even the sanest person mad. Oh, and then you encounter the Threat Model Manifesto which sounds like something that’s straight out of an occult. What does this all mean and where in the world does someone begin?? Take a deep breath and relax.
The first logical step is to identify what threat modeling actually is. The National Institute of Standards…
Today’s owner operators and lease operators of industrial production facilities frequently employ service providers for projects and upgrades, as well as operations and maintenance. These contractors often travel to many sites, carry their own copies of source code and files, and use multiple PCs with multiple engineering tools for the automation platforms they support.
What quality practices does the contractor have in place to keep their client’s networks from being exposed to a virus or other vulnerability? How is downloadable content (e.g., drivers, firmware) that the contractor brings on site for the ICS system managed? And how does the contractor handle portable media?
What are the limits of authority allowed to the contractor? How is access to the network granted?…
To be clear, the above title is meant to capture your attention. We all understand and know that it is unusual for a Process Safety engineer and the IT architect to possess detailed knowledge of both safety and security. In today’s world, the operators, engineers, design and support personnel of an operating asset are required to be aware of the implications of cybersecurity attacks that can not only impact the business from a financial perspective, but can also initiate process safety-related incidents.
There are two clear hurdles in the interaction of these two disciplines. The first is technological vocabulary. I have often found that these two disciplines have completely different vocabularies and especially from a different context. A process safety engineer…
Co-written by Todd Stauffer, Director of Alarm Management Services at exida
A wise man once said, “You can’t manage what you don’t measure.” Let's apply this to the world of cybersecurity to discuss the importance of cybersecurity metrics and how they are different from a cyber diagnostic and a cyber alarm.
Cybersecurity Metrics are usually defined in terms of either leading or lagging performance. Think of cyber metrics as the Key Performance Indicators (KPIs) that help you evaluate your cybersecurity performance and whether things are improving or getting worse. Audits or performance measurements/calculations of specific work processes or cyber events are the norm. However, the addition of performance expectations or specific target goals for each metric allows for an…
exida would like to welcome our new director of cybersecurity services Dave Gunter. Dave will be taking us through a multi part blog series based on general cybersecurity evolving into how it pertains to your industrial work environment and what you should do to protect your company and its assets from cyber criminals.
In a manner of speaking, cyber hygiene is an individual’s base behavior when it comes to handling, managing, operating, and maintaining today's computing devices and software. The term computing devices is a broad term; however, in pragmatic terms, it can be viewed to represent computers, tablets, phones as well as boundary devices used to connect to the internet.
That’s a great question.
A cyber sensitive position is a subset of a job position description that can be graded as Ultra, High, Medium or Low sensitivity with respect to cybersecurity assets and associated potential consequences that may impact an operating company.
What this means is that more and more companies are qualifying their operating assets within the context of cybersecurity risk. These risk qualifications of operating assets require having engineering, operation and maintenance positions defined as cyber sensitive positions as appropriate for their role with respect to the asset(s) they support.
Today’s companies have an obligation to ensure they manage the risk envelope of their operating assets to tolerable levels. In the past,…
The travel and group meeting restrictions from COVID-19 have allowed me to catch up on some reading about viruses; not the type that get transmitted to humans. This article is about the Stuxnet virus and what I learned from the book “Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon” by Kim Zetter (Published in 2014). It focuses on how Stuxnet manipulated control and safety systems to inflict physical damage to the equipment under control (centrifuges). Some information is also taken from “To Kill a Centrifuge”, by Ralph Langner, one of the people credited with uncovering Stuxnet.
Stuxnet was way more than “just” a virus. It was a combination worm (for spreading) and virus (for infecting) that ultimately propagated to…
Oh look! Squirrel!
I am not much of a blogger. I should be but I’m not. This is strange, because I always have plenty to say.
This subject just gets me going so I am writing about it. I welcome feedback and opinions.
I have been in cybersecurity in one form or another for over 30 years, whether it be as the target of the attacks as an IT Manager, or a consultant trying to educate and help client companies with products and services, I have seen the same trend over and over again.
When a company has a realized or suspected cyber-event, they go into proactive response mode, begin investigating and at that point my phone generally rings…
The IEC 62443 series of cybersecurity standards includes over ten documents covering various subjects. Buying a full set is a bit expensive, but for me the real cost is the time needed to read and understand them. So I often ask one of the experts at exida for a quick overview. Since not everyone has the IEC 62443 expertise that exida has, we hope that the overview info in this blog is useful.
Integrators must perform a number of important tasks if they wish to improve the cybersecurity of any automation system they deliver. And in today’s environment, end users demand strong cybersecurity strength. The IEC 62443 committee has documented their list of these important tasks; IEC 62443-2-4…
During an IACS cybersecurity risk analysis, each zone of a network is given a target security level. The levels are one to four, with one being the least amount of protection and four giving the most protection. For each zone we ask, “How much cybersecurity protection do we need?” “Is there any real need to get products with cybersecurity certification?” “If so, to what security level?”
I just read the September 2018 issue of WIRED magazine. The cover article is “The Untold Story of Notpetya, the Most Devastating Cyberattack in History.”
After reading, I come away with one strong thought:
it is amazing how threat agents can get through so many defense mechanisms. The…
As an end-user, do you know how reliable and safe your Safety Instrumented Systems (SIS) and Basic Process Control Systems (BPCS) are from potential cyber issues? Do you rely on your vendor statements regarding the robustness of their products? If the answer to these questions is “don’t know” or “yes” then maybe you should be considering using an independent 3rd party to perform a cybersecurity vulnerability assessment (for existing installations) and/or performing a cyber-risk assessment (as part of a HAZOP) for new installations. This is especially true for legacy systems that are still in operation using products from the mid-1990s. Although most software engineers won’t admit it, they often used to have “back doors” to enable fault-finding and…
As the cybersecurity threats in the industrial world continue to rise, the automation world continues to grapple with how to address these issues. As such, the newly released IEC 61511-1:2016 edition has included a new clause to address this (Clause 8.2.4). In essence, End Users have to carry out a security risk assessment to identify any potential security vulnerabilities of the Safety Instrumented System (SIS).
Clause 8.2.4 then goes on to specify that there needs to be a description of the devices covered by this risk assessment (e.g., SIS, BPCS or any other device connected to the SIS); together with a description of identified threats that could exploit vulnerabilities and result in security events. This should also include intentional attacks…
I was driving one of exida’s top risk experts from Europe to a business meeting. We parked and I locked the car door. He commented “I noticed you did not lock the car door when you parked at the exida office.” He was right. In an area I do not know, I always lock the car door. But not always in the exida lot. He added “A risk analysis will show car theft is a low risk due to random events, but remember cars are stolen by humans. These are not random events as we know them.” He added “A good risk return on investment analysis would show you should always lock the car door. The cost is so little,…
Industrial Automation Control Systems (IACS) Cybersecurity based on IEC 62443 was created to be compatible with agile development methodology. The standard deliberately talks about processes and not phases, such as those in the waterfall model. The processes defined can be met simultaneously and are, most likely, already being followed as part of your agile process; however, you may not be explicitly calling them out. One of these processes is documentation.
Agile does not mean no documentation; it means useful documentation. To start, documentation helps you and your team review the cybersecurity aspects of your current sprint, and provides evidence for the certification process. It also allows you to understand the impact of any changes, track down security issues and find…
When we were doing safety system designs in the 1980s, there was no Windows, there was no TCP/IP, there was no Ethernet. We had to write our own protocols to transmit data to our I/O and our controllers.
Fault-finding was always a challenge. What we ended up doing was putting in what were known as “back doors”. I could go up to some of our equipment that's running in automatic, I could plug into the RS-232 port on the front with a handheld RS-232 ASCII keypad. I could put in a sequence of ASCII keys and it would take the controller out of automatic. It would allow me then to start looking at the serial registers to see what…
This webinar will focus on activities performed after the Cybersecurity Vulnerability Assessment is complete and the recommendations to segment your network have been made. We will review multiple manufacturers' product offerings, evaluate selection criteria, and delve into the actual process taken to isolate critical devices from the general control network. Actual network traffic screenshots will be used to demonstrate the steps that will be required to identify and isolate the devices from unwanted traffic while allowing necessary traffic to pass to the devices.
This three webinar series will walk through the fundamental methodology behind High-Level Risk Assessments, Detailed Risk Assessments, and Security Level Verification. The series will also discuss the relationships between the lifecycle steps, and the flow of information from one analysis to the next. The second webinar will provide a detailed review of the steps and objectives for a Detailed Risk Assessment as well as the benefits of completing a Detailed Risk Assessment, and the information that feeds the Security Level verification.
This three webinar series will walk through the fundamental methodology behind High-Level Risk Assessments, Detailed Risk Assessments, and Security Level Verification. The series will also discuss the relationships between the lifecycle steps, and the flow of information from one analysis to the next. The first webinar will provide a detailed review of the steps and objectives for a High-Level Risk Assessment as well as the benefits of completing a High-Level Risk Assessment, and frame the scope of discussion for the remaining webinars in this series.
This three webinar series will walk through the fundamental methodology behind High-Level Risk Assessments, Detailed Risk Assessments, and Security Level Verification. The series will also discuss the relationships between the lifecycle steps, and the flow of information from one analysis to the next. The final webinar in this series will provide a detailed review of the steps and objectives for performing a semi-quantitative Security Level (SL) Verification as well as the benefits of completing SL Verification, and the information that feeds future lifecycle steps.
In today’s industrial control environment, where over half of ICS have experienced an attack in the last two years, it is not a question of if an attack will occur, but a question of when. When an attack does occur, how will your organization respond? Do you have monitoring in place to detect security excursions? Once the excursion is identified what measures are in place today to respond to and mitigate the concern? This webinar will focus on the keys to an effective Cybersecurity Response and Recovery plan, starting at the moment the attack is discovered all the way to when operation is successfully restored.
Cybersecurity monitoring and metrics are keys to measuring cybersecurity performance, improving the ability to respond when incidents occur, and improving cybersecurity maturity. What metrics does your organization use to measure cybersecurity performance? Do you have monitoring in place today to identify security excursions? In this webinar we will break down how leading and lagging indicators can be used to improve cybersecurity monitoring as well as how improved continuous monitoring capabilities are becoming a critical part of the automation cybersecurity lifecycle. This non-vendor specific webinar will provide general guidelines and criteria that can be used for establishing an effective continuous monitoring capability for any system.
Cybersecurity for industrial control systems has changed significantly in the past two decades as the question has changed from “who would want to target an industrial automation and control system?” to “which industrial facility will be affected next?” This webinar will review major industrial cybersecurity incidents including: Stuxnet, the attack on the Sadara Petrochemical Facility, NotPetya, and the German Steel Mill. These events and others will be used as case studies to outline how industrial cybersecurity has been shaped over the years, and introduce key lessons learned that will help IACS be better prepared to defend against and respond to cybersecurity incidents.
This webinar will demonstrate how exSILentia cyber supports the completion of high-level risk assessments consistent with the methodology described in part one of the Cybersecurity Risk Assessment and Security Level Verification series. This webinar will provide a brief description of the method and then focus on how the exSILentia cyber tool can be used to effectively complete and document high-level risk assessments in a consistent manner considering the example chemical plant. The main track of the Cybersecurity Risk Assessment and Security Level Verification series will continue later this month with Part Two - Detailed Risk Assessments.
Many organizations have mature processes in place for evaluating process or machinery hazards in traditional safety risk assessments, but fewer have developed a robust approach to cybersecurity risk assessment. Alignment between safety risk assessment and cybersecurity risk assessment is critical, and the 2016 version of IEC 61511 now requires that a cybersecurity risk assessment be conducted for all Safety Instrumented Systems (SIS) and connected systems. Fortunately, traditional process hazard analyses (PHAs) have valuable information that can be used to improve the speed and efficiency of the cybersecurity assessment, including corporate risk criteria, potential consequences resulting from control system failures, severity rankings for consequence scenarios, and existing mechanical protection layers. With this information organizations can jumpstart their approach to managing cybersecurity risk.
Cybersecurity management is critical for maintaining a secure Industrial Control System over time. Having well documented procedures from risk assessment, through system design, and into the operations and maintenance phase is a key difference between a purely reactive cybersecurity posture and a mature approach that builds on continuous improvement. Using templates for these policies and procedures not only speeds up the development process, but also ensures alignment with the IEC 62443 standards and industry best practice.
Cybersecurity management has become a business imperative for organizations across many industries. The first attempt can result in mounds of unruly and often unhelpful paperwork. The problem becomes evident when trying to identify the correct location for a cybersecurity requirement: is the correct file for documenting the firewall rules the firewall policy overview, the firewall installation procedure, the access control philosophy, the system zone & conduit diagram, or some combination of all the above?
With a Cybersecurity Management System (CSMS), one central document outlines the “what” an organization aims to achieve for cybersecurity and provides clear direction on where to find the procedures that outline the “how” for a given security task, leading to effective cybersecurity management and fewer headaches.
With the focus on cybersecurity at an all-time high, risk assessments are being increasingly completed for industrial applications. One of the first steps in the risk assessment process is to specify the methodology that will be used. The IEC 62443-3-2 Cybersecurity Risk Assessment methodology for initial and detailed risk assessment has been commonly adopted for industrial applications. This approach is often referred to as “Cyber PHA” because it follows a similar approach to traditional Process Hazard Analyses already in use in the chemical industries. Another methodology frequently used for cybersecurity risk assessments is the MITRE ATT&CK Framework. This framework focuses on the different techniques that adversaries use to gain knowledge about target systems, gain access to and compromise systems before ultimately achieving their desired impact. This webinar will provide a brief introduction to both approaches and explore the similarities and differences in the approaches. Lastly, practical examples of how to combine the methodologies will be provided.
Cybersecurity has become a significant and credible threat to process safety. The consequences of cyber-attacks are well understood for business networks (e.g. data theft, ransomware, denial of service), but for Industrial Automation and Control Systems (IACS) there is the potential for even more severe consequences because IACS control physical systems in the real world. Case studies will be used to demonstrate how cyber-attacks on IACS can cause damage to equipment, the environment, and safety. This webinar will look at how cybersecurity is impacting process safety, considering the impact of cybersecurity events on traditional strategies for safeguarding and risk assessment, as well as introduce key steps for managing cybersecurity risk.
When it comes to process safety, most companies will focus on the functional safety lifecycle and compliance with IEC61511. However, with the advent of the industrial internet of things (IIoT) and the growing use of wireless technologies, it is becoming more important to consider cybersecurity and the consequences of control and safety systems being compromised due to a cyber-related incident. Recent ransomware attacks such as WannaCry and NotPetya have again highlighted the need to be more vigilant when it comes to protecting control systems and OT infrastructure. The number of malware attacks has risen exponentially over the past 10 years, but companies have still been slow to react.
The 2016 update to IEC61511, which added a cybersecurity assessment of an SIS, means companies can no longer procrastinate or delay reviewing any SIS for cyber vulnerabilities. Since the standards for functional safety (IEC61511) and cybersecurity (IEC62443) both follow a similar three-phase lifecycle, it makes sense to consider the two together when it comes to process safety. This means being just as vigilant with cybersecurity as with functional safety. As such, an integrated lifecycle approach will help in mitigating risk.
This webinar highlights the risks and need to address cybersecurity per the IEC61511 standard and the reasons why. Ignorance may be bliss until your system, network and plant become compromised. Then it’s a whole other story.
The presence of threats and the success of attacks have been felt by virtually every individual and organization around the world. Protecting assets must be a well-organized, wide-ranging effort that involves everyone who has assets to protect. There are organizational conflicts to understand, policies to create, and specific security activities to coordinate. This webinar discusses key aspects of an Industrial Automated Control System (IACS) Cybersecurity Program, provides concrete recommendations for getting started, and references that provide additional insight.
IEC 62443-3-3 System Security Requirements and Security Levels documents the seven foundational requirements for achieving robust system cybersecurity. These requirements can be applied to integrated industrial automation and control systems (either implemented in-house by an end-user or provided as an automation solution by a service provider). This webinar will cover the structure and key concepts from the standard, as well as introduce the process of IEC 62443-3-3 certification, and the benefits that system certification can provide to integration service providers and end-users.
IEC 62443-2-4 documents “a comprehensive set of requirements for security capabilities for IACS service providers.” These requirements can be applied to integration or maintenance service providers and documents a framework for negotiations between asset owners and IACS service providers for cybersecurity requirements. This webinar will cover the structure and key concepts from the standard, as well as introduce the process of IEC 62443-2-4 certification, and the benefits that certification can provide to integration and maintenance service providers.
How Functional Safety, Cybersecurity, and Alarm Management Work Together.
Functional Safety standards have addressed how hazards and their risks are to be analyzed and protected against, as well as how the effectiveness of the protection must be evaluated and maintained.
With the use of PLC-based systems, the ease of generating alarms has increased significantly and alarm floods are common in most plants. Alarm management standards are addressing concepts of rationalization and prioritization.
With advancements in automation, the threat of cyber-attacks and cybersecurity incidents has emerged. Cybersecurity standards are being written to address these issues both from a manufacturer as well as a user perspective. The most effective method for developing a streamlined work process is the creation of a cohesive lifecycle that addresses all automation requirements.
This pulls from the functional safety, cybersecurity and alarm management lifecycles to create one unified approach to safety and security.
This presentation will address a combined lifecycle approach while using common automation examples to enhance the importance of the integration of the respective automation needs.
Information Technology and Operational Technology are the two groups responsible for managing industrial cybersecurity, but often they work separately with little communication or common understanding of how each group’s objectives play a role in the overall cybersecurity of the IACS. Developing clear communication and common understanding between IT and OT groups is essential for securing the IACS from the business network to the BPCS and SIS zones.
Co-presented by exida Senior Cybersecurity Engineer Robert Michalsky.
In early February of this year a water treatment facility was compromised in Florida. The attackers successfully increased the concentration of sodium hydroxide (also known as lye) by a factor of 100, risking potential illness for the public as well as significant erosion and pipe damage. Fortunately, operators of the Oldsmar water treatment facility saw the attackers increase the concentration and were able to return the concentration to normal levels before there was any risk for harm to the public. This near-miss highlights several important trends for industrial cybersecurity: industrial cybersecurity incidents can have major health and safety implications; critical infrastructure makes an attractive target to a variety of hackers; and critical infrastructure is highly susceptible to cybersecurity attack. In this webinar we will review what is known so far about the attack on the Florida water system and identify practical steps that can be taken to improve the cybersecurity of critical infrastructure systems.
Lessons Learned From Actual Control System Security Incidents and Assessments
The IEC 62443 document series is an international standard intended to provide a flexible framework to enhance Industrial Automation Control System (IACS) cybersecurity. Seven core functional requirements are used to assist with the design, development, testing and construction of an integrated security architecture. As the Security Level (SL) targets and capabilities are defined, cybersecurity metrics become necessary to be able to assess the efficacy and comprehensiveness of the design. These Security Levels are organized into four increasing tiers each requiring more stringent controls be in place.
As the security architecture matures and the logical and physical assets are grouped into zones, they need to be evaluated along with the connections and data flows between zones that are called conduits. Both the zones and conduits need appropriate security controls to ensure plant operational safety. Cybersecurity best practices have principles (such as ‘defense in depth’) that can be evaluated through cybersecurity metrics that evaluate architectural components such as zones and conduits.
Furthermore, security is a process that requires continual risk management and risk reduction via the mitigation of identified threats. Cybersecurity metrics are generated and evaluated to determine if adequate risk management is being enabled. Through the usage of well defined, repeatable and accurate cybersecurity metrics, SL adequacy can be assessed.
This presentation goes through the IEC 62443 foundational requirements and describes appropriate and relevant security metrics for evaluating whether architectural components such as zones and conduits have appropriate cybersecurity controls in place and whether the SL target has been achieved.
The Industrial Internet of Things (IIoT) offers companies many potential benefits such as decreased operational costs and further optimized processes; however, the increased use of wireless control networks also introduces the potential for additional cybersecurity risks. This webinar will briefly review the trends in IIoT and discuss important factors to consider when mitigating the additional risk of wireless control networks.
The New Year is a great time to make resolutions and look to make changes from the previous year, but often as the weeks pass, these resolutions fall to the back burner. For 2023, let’s try to change that when it comes to OT Cybersecurity. In this webinar we will examine common pitfalls that prevent progress on goals in the new year, the specific need for improved OT cybersecurity in industrial control systems (ICS), how to develop and implement a roadmap-based approach, and lastly how to track progress. With these steps anyone can be successful at improving their cybersecurity knowledge this year. Whether it is setting a personal goal for better training or an organization-wide goal for better posture, this webinar can serve as the catalyst to get the New Year moving in the right direction.
Management of risk at a facility, or company-wide, requires careful consideration of potential process hazards as well as cyber-attacks. Cyber-attacks not only impact business from a financial perspective, but can also initiate process safety incidents. Cybersecurity standards are being written to address these issues both from a manufacturer as well as a user perspective. The most effective method for developing a streamlined work process is the creation of a cohesive lifecycle that addresses all automation requirements. Cyber risk assessments and security level verification are simplified by leveraging best practices from functional safety.
In this webinar, Patrick O'Brien dives into a pragmatic approach for cybersecurity, specifically looking at how asset owners can leverage and apply the IEC 62443 standard to their applications. How can a pragmatic cybersecurity approach be implemented for OT and asset owners? We'll cover three main parts that build up to answering this very question.
This webinar will provide a brief overview of the IEC62443 family of standards, and then look at recent security breaches to see if they could have been avoided by following the best practices described in these standards. Completely avoiding cyber-attacks is likely not possible, but significantly decreasing the probability of a successful attack is feasible by following these guidelines.
This webinar is the fourth of a four-part series looking at the cybersecurity lifecycle. Part 4 looks at how to implement the lifecycle within existing facilities where it is not currently in place. Key topics of this fourth part include:
As the number of major cybersecurity incidents in 2021 continues to rise, many organizations are looking at assessing their cybersecurity risks with an increased focus. There are several methodologies outlined for conducting cybersecurity risk assessments including the IEC 62443-3-2 standard (for more information on the IEC 62443-3-2 methodology for risk assessment see: https://gca.isa.org/blog/cybersecurity-risk-assessment-according-to-isa-iec-62443-3-2) and Consequence-driven Cyber-informed Engineering (CCE) outlined by the Idaho National Laboratory (https://inl.gov/cce/). While the IEC 62443-3-2 provides options for considering or not considering likelihood, CCE is a fully consequence-driven approach. This raises the question of whether or not cybersecurity risk assessments should consider likelihood. In this webinar we will compare the two different approaches to cybersecurity risk assessment, looking at the advantages and disadvantages of each approach to provide practical guidance on cyber risk assessment best practices.
The initial cybersecurity risk assessment (or high-level risk assessment as it was previously called) is an important step in the cybersecurity lifecycle. It is at this point that the basis for network segmentation and creating zones and conduits for an industrial control system (ICS) starts. At this stage the “worst case unmitigated cyber security risk” for any scenario is documented to allow assets to be grouped into areas of similar risks. Several methodologies have been adopted to complete this task, and two of the most common are asset-based and PHA-based, each with a slightly different focus and approach. One common question that we receive when conducting initial risk assessments, is if any protections can be credited. At this stage no cybersecurity protections can be credited, but what about non-hackable safety protections? In this webinar we will review similarities and differences between these two approaches to initial risk assessment and answer the question of whether or not we can look at non-hackable protections during the initial risk assessment.
Not that long ago, the move towards “open systems” and the resulting incorporation of off-the-shelf technologies represented a huge step forward in control system design. System integration became easier, product development by manufacturers was accelerated, and training leveraged common tools and concepts. While the benefits have been tremendous, open technology has made control systems open to security vulnerabilities, putting production and human safety at risk. Nothing has made that risk more evident than the Stuxnet virus which has made headlines since it was discovered in July 2010. Countering these threats requires organizations to develop a better understanding of their process control system security risks and how to address them. In this webinar, we will discuss the seven things that every plant manager and automation professional should know about industrial control system security. We will also discuss how to apply best practices from standards such as ISA 99.02.01 to mitigate these risks.
The cybersecurity lifecycle was developed to define the key steps in analyzing security risks, designing secure systems, and maintaining security throughout the life of industrial control systems. Learn how to use exSILentia Cyber to complete key steps of the cybersecurity lifecycle outlined in IEC 62443, including high-level risk assessment, detailed risk assessment, and security level verification. This webinar will demonstrate how a tool-based approach allows for consistent lifecycle implementation across an organization and can provide significant benefits including knowledge capture, built-in industry best practice, consistent template usage, and report generation for easy result sharing.
A risk-based approach is key for effectively managing cybersecurity for Industrial Control Systems (ICS). It helps to identify critical areas requiring mitigation and focus limited resources on the most critical issues. The ISA/IEC 62443-3-2 standard provides the formal process for conducting these risk assessments in a two-staged approach (initial and detailed). Over the years as exida completed many cybersecurity risk assessments, it became clear that a tool which could efficiently record and export the results of the study was critical to the successful completion of the assessments. To meet this need, the exSILentia Cyber tool was developed as a new set of modules on the exSILentia v4 platform. In this webinar we will demonstrate how the exSILentia cyber tool can be used to improve the effectiveness of the cybersecurity risk assessment process and streamline the reporting process.
Cybersecurity hygiene is a set of basic practices that can be taken by all personnel to protect the health of hardware and software of computer-based systems. Just as traditional hygiene measures are needed to limit the spread of viruses and disease, cybersecurity hygiene is needed to limit the spread of computer viruses and cybersecurity attacks. Recent studies have shown that well over half of all automation systems have experienced a damaging cybersecurity incident in the last two years. To better protect automation systems against these types of incidents, cybersecurity hygiene is a critical first step. This webinar will provide a deeper look into the importance of cybersecurity hygiene as well as provide actionable steps for improving cybersecurity hygiene within your organization.
Cybersecurity seems to have become one of those buzzwords: everyone knows it matters, but not everyone sees how it applies directly to them. In this webinar we will debunk some common myths regarding industrial cybersecurity, as well as identify the fundamental drivers for cybersecurity assessments including facility risk management, compliance to the new requirements in IEC 61511, and improved operational uptime.
Accurately identifying and analyzing potential sources of risk for both process safety (e.g., equipment failure, human performance issues) and cybersecurity (e.g., targeted attack, unintentional mistake) scenarios are core parts of an effective loss prevention program. The recently published CCPS book Managing Cybersecurity in the Process Industries, A Risk-based Approach discusses strategies for managing cybersecurity risk by adapting RBPS elements to address the unique challenges of cybersecurity threats. This paper will present key concepts from the book including the alignment of cybersecurity and process safety risk management and strategies for adapting process safety risk assessment techniques including Hazard Identification and Risk Assessment (HIRA), Bow Tie, and LOPA for cybersecurity scenarios. Additionally, practical guidance on completing cybersecurity risk assessments will be shared from real-world case studies.
Cybersecurity has become a credible threat to process safety, and the exposure has never been higher with 70% of Industrial Automation and Control Systems (IACS) now using remote access. The consequences of cyber-attacks are well understood for business networks (e.g., data theft, ransomware, denial of service), but for IACS there is the potential for even more severe consequences, because IACS control physical systems. Case studies will be used to demonstrate how cyber-attacks on IACS can cause damage to equipment, the environment, and safety. This paper will look at how cybersecurity is changing process safety, considering the impact of cybersecurity events on traditional strategies for safeguarding and risk assessment, and introduce key steps for managing cybersecurity risk. These concepts are at the core of the ongoing CCPS project Managing Cybersecurity – A Risk-based Approach Building on the Process Safety Framework.
Cybersecurity is rapidly becoming something process safety can no longer ignore. It is part of the Chemical Facility Anti-Terrorism Standards (CFATS). In addition, the President’s Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” has drawn attention to the need for addressing cybersecurity in our plants, as it has been demonstrated that in our new world they are now a source of potential process safety incidents.
IEC 61508[2], “Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems (E/E/PE, or E/E/PES)” now has a requirement to address cybersecurity in safety instrumented systems and ANSI/ISA 84.00.01, “Functional Safety: Safety Instrumented Systems for the Process Industry Sector” is looking to include this requirement in the next revision. Currently the industry is playing catch up as there tends to be a gap in understanding between information technologists, traditionally responsible for cybersecurity, and the process automation and process safety engineers responsible for keeping our plants safe with help from automated controls and safety instrumented systems. As a result, guidance is being developed, but much of it continues to be a work in progress.
The past two years have been a wakeup call for the industrial automation industry. It has been the target of sophisticated cyber attacks like Stuxnet, Night Dragon and Duqu. An unprecedented number of security vulnerabilities have been exposed in industrial control products and regulatory agencies are demanding compliance to complex and confusing regulations. Cyber security has quickly become a serious issue for professionals in the process and critical infrastructure industries.
If you are a process control engineer, an IT professional in a company with an automation division, or a business manager responsible for safety or security, you may be wondering how your organization can get moving on more robust cyber security practices. This white paper will give you the information you need to get started. It won’t make you a security expert, but it will put you on the right path in far less time than it would take if you were to begin on your own.
We began by condensing the material from numerous industry standards and best practice documents. Then we combined our experience in assessing the security of dozens of industrial control systems. The result is an easy-to-follow 7-step process:
Step 1 – Assess Existing Systems
Step 2 – Document Policies & Procedures
Step 3 – Train Personnel & Contractors
Step 4 – Segment the Control System Network
Step 5 – Control Access to the System
Step 6 – Harden the Components of the System
Step 7 – Monitor & Maintain System Security
The remainder of this white paper will walk through each of these steps, explaining the importance of each step and best practices for implementing it. We will also provide ample references for additional information.
With the ever changing threats posed by cyber events of any nature, it has become critical to recognize these emerging threats, malicious or not, and identify the consequences these threats may have on the operation of an industrial control system (ICS). Cyber-attacks over time have the ability to take on many forms and threaten not only industrial but also national security.
Saudi Aramco, the world’s largest exporter of crude oil, serves as a perfect example depicting how devastating a cyber-attack can truly be on an industrial manufacturer. In August 2012, Saudi Aramco (SA) had 30,000 personal computers on its network infected by a malware attack better known as the “Shamoon” virus. According to InformationWeek Security this was roughly 75 percent of the company’s workstations and took 10 days to complete clean-up efforts.
The seriousness of cyber-attacks in regards to national security was addressed by former United States Secretary of Defense Leon W. Panetta in his speech in October 2012. Panetta issued a strong warning to business executives about cybersecurity as it relates to national security. “A cyber-attack perpetrated by nation states [and] violent extremists groups could be as destructive as the terrorist attack on 9/11. Such a destructive cyber-terrorist attack could virtually paralyze the nation,” he stated. “For example, we know that foreign cyber actors are probing America’s critical infrastructure networks. They are targeting the computer control systems that operate chemical, electricity and water plants and those that guide transportation throughout this country.”
In addition to Panetta’s address, the U.S. Department of Homeland Security has issued several alerts about coordinated attacks on gas pipeline operators, according to a May 2012 report by ABC News.
This whitepaper will focus on the significance of cyber-attacks on industrial control systems (ICS) and how these attacks can be prevented by proper practice of the ICS Cybersecurity lifecycle.