Topics:
I started thinking about the safety issues for security assessments when I was asked to attend a conference for amusement rides and parks. Safety has always been paramount in this industry and their teams are working hard to understand and improve how cybersecurity fits into the phases of a ride's lifecycle.
Unsafe conditions in this industry imperil park and ride visitors in the same manner as safety issues impact workers or public safety in other industrial sectors. However, the nature of ride development, deployment, maintenance, operations, and overall ownership has made cybersecurity in this industry an intricate dance between owners/operators, integrators, and vendors—even more than in other industrial sectors.
My personal experience with process safety equipment is limited to the review of an isolated Safety Instrumented System (SIS) that is the central component of a dual-process cabinet configured to manage two jet-turbine-powered compressors. The SIS devices were deployed in the central part of the cabinet and manual inspection of the wiring confirmed there was no ethernet network connectivity. This configuration is what would be expected by many IT and cybersecurity experts not familiar with safety equipment directly integrated into process operations—including myself. My personal lack of experience with safety equipment highlighted to me that other cybersecurity team members may not have this experience either. This, in turn, makes me extremely concerned that the process stakeholders will default to leaving these systems and devices out of scope for vulnerability assessments.
Integrated safety solutions will make the vulnerability assessment a bit more complex to address the increased complexity brought by the safety considerations.
The industry (e.g. OT, IT, and cybersecurity) needs to understand that safety devices are indeed within scope for cybersecurity risk assessments. This includes conducting high-level risk assessments to assemble documentation for specific Systems-under-Consideration (SuC) of the safety solution, performing a vulnerability assessment of the SuC, feeding the results into the detailed risk assessment to allow the risk management team to identify and address residual risks. Most of the time these assessments will be conducted on air-gapped zones with their own individual evaluation that does not include the process the safety solution is protecting. Integrated safety solutions will make the vulnerability assessment a bit more complex to address the increased complexity brought by the safety considerations.
Considerations for SuC that contain integrated safety devices or are safety zones are detailed in different international standards. I tend to focus on the ISA/IEC 62443 for its general approach that can be used in most industrial sectors. Considerations for safety-related equipment are outlined specifically in the ISA Technical Report (TR) 84.00.09, Cybersecurity Related to the Functional Safety Lifecycle which was approved April 10, 2017. This TR outlines specific details for cybersecurity vulnerability assessments in these areas. This input was leveraged in an excellent book titled "Managing Cybersecurity in the Process Industries: A Risk-based Approach" by the Center for Chemical Process Safety.
The cybersecurity assessments outlined by these references follow the normal ISA/IEC 62443 risk assessment methodology. The use of standard Reference Models and Reference Architectures should be used to start defining the roles of equipment and communications while also detailing their specific deployments on the appropriate communications mediums. These techniques allow the designation of the SuC and the associated zones and conduits. ISA/IEC 62443-3-2 provides specific details about this documentation in section ZCR 3.3: Separate Safety-Related Assets. This section specifies the need to ensure safety and related assets are isolated from other assets in the SuC to ensure the segregation of safety and operations related assets.
ISA TR 84.00.09 provides additional guidance for the cyber security assessments (CSA) of safety zones and conduits. The document details that two primary concerns drive cybersecurity safety considerations. The first concern is about a safety function's failure-to-perform when needed. The second concern is spurious operations that cause unauthorized activation, cause business interruption, or damage equipment. Hence, to evaluate cybersecurity risks for process safety, a series of CSA must be scheduled and performed throughout the lifecycle of the process. The TR specifically designates the different stages of the SuC from development through decommissioning.
As with all CSA, the evaluation of a safety-related SuC starts with conducting the high-level risk assessment. This process, also known as the gap assessment, involves gathering all the information necessary to scope, identify stakeholders, gather hardware and software asset details, and other risk assessment documentation. The goal of the gap assessment is to provide the risk assessment team with the information required to determine the state of the seven foundational requirements for the SuC. The risk assessment team uses this information to determine the SuC's current security level associated with the intended and known capabilities of the process.
A CSA should be used to evaluate the implementation of the SuC to validate the information obtained during the gap assessment while also reviewing the SuC for unanticipated conditions. While the risk assessment team will eventually want answers about the seven foundational requirements for each device and its communications, a faster and more manageable approach to the assessment could be achieved by considering the SANS ICS Five Critical Controls for ICS Cybersecurity. This approach focuses on the current state of the SuC by reviewing secure remote access, defensible architecture, ICS network visibility monitoring, risk-based vulnerability management, and ICS incident response.
The CSA process is too complicated to completely outline in this article, but here are some considerations for each. Consider each of the following in the context of the safety devices in the SuC.
Secure Remote Access: Determine who can access the safety devices and communications, and how. Be sure to consider third-party vendors / integrators / consultants, employees, and any cloud-based assets.
Defensible Architecture: Review the technical implementation of the SuC by analyzing network segmentation and isolation, the attack surface of each device, and the configuration of all communications.
Risk-Based Vulnerability Management: Confirm the documentation of hardware and software asset inventory, review configuration management documentation and compare to remote access, and consider the list of CISA KEVs as applied to devices and communications within the SuC.
ICS Network Monitoring: Evaluate logging configurations, centralization of logs, log analysis and alerting, and determine if countermeasure efficacy testing can be implemented to validate alerting and responses.
ICS Incident Response: Verbally review consequence-analysis scenarios and use cases to ensure your team understands the realization of exploited vulnerabilities related to the SuC.
Understanding cybersecurity risks to safety-related ICS devices and processes is ultimately the responsibility of the owner/operator. Implementation and operations of these specialized assets by vendors and integrators can result in a gray area that results in unsafe operations. I feel the Center for Chemical Process Safety outlined this situation appropriately when it described cybersecurity's affect on safety equipment”
"… cybersecurity driven common cause failures have the potential to occur even more frequently,
because they are the result of an intentional action taken by an attacker."
Teams must be proactive and prioritize the CSA of safety-related systems. Initial analysis using the SANS ICS Five Critical Controls can be used to effectively gather enough detail for an ISA/IEC 62443 detailed risk assessment of the process. The risk assessment team can use this information to identify systemic issues while also generating effective countermeasures to address gaps in SuC's deployment and operations. These details will also provide process stakeholders with the information needed to implement specific operational updates to address and critical issues that could lead to the realization of safety-related consequences in the process.
Don C. Weber is the Principal Consultant and Founder at Cutaway Security, LLC, an information security consulting company. Don's previous experiences include large-scale incident response efforts for organizations with international assets and interests, the certification and accreditation of classified federal and military systems, assessment and penetration testing of worldwide commercial assets, and, as a Navy contractor, the management of a team of distributed security professionals responsible for the security of mission-critical Navy assets.
