Industrial Cybersecurity

John Cusimano presents on “Cyber Process Hazards Analysis (PHA) to Assess ICS Cybersecurity Risk” at the S4x17 conference.

Recent cybersecurity incidents have targeted plant control systems, including DCS, PLC and SCADA/HMI architectures. To reduce this risk, the NIST Cybersecurity Framework and the ISA/IEC 62443, ISA 84 and IEC 61511 standards are driving manufacturing companies to develop lifecycle-based cybersecurity programs.

aeCyberPHA™ Risk Assessment Methodology

aeSolutions offers industrial control system (ICS) cybersecurity services in every phase of the process automation/process safety lifecycle. We guide clients through our cyber-safety risk assessment methodology, aeCyberPHA™, a practical application of the ISA/IEC 62443 cyber risk assessment requirements. The method links realistic threat scenarios with known vulnerabilities and existing countermeasures, and couples them with credible consequences taken from the PHA to determine cyber risk. Our risk-based approach to developing your cybersecurity program relies on network assessments from level 0 to level 4 of the Purdue reference model, zone and conduit diagrams, and gap assessments against existing policies, procedures and industry benchmarks.

Following your risk assessment we can assist you with cybersecurity specifications development; industrial firewall design/review and implementation; governance document creation; policies and procedures development; incident response, forensics, and disaster recovery assistance.

The Relationship between Industrial Cybersecurity & Process Safety

We understand the strong connection between Industrial Cybersecurity and Process Safety. We also believe that you can’t achieve process safety in today’s world of open, integrated control systems without addressing cybersecurity. At aeSolutions we have expertise in both fields and are working with some of the world’s leading oil & gas and petrochemical companies to help them integrate industrial cybersecurity into their Process Safety processes. The key to achieving and maintaining Industrial Cybersecurity, much like Process Safety, involves adopting an engineering-driven lifecycle approach. As a lifecycle supplier of completely engineered solutions our goal is to assist you in ensuring that cybersecurity is properly engineered into your new or existing control systems and can be properly maintained.

Assess & Define

ICS Network & Dataflow Diagrams

Undocumented connections to unauthorized and unmanaged assets can severely compromise the security of an industrial control system (ICS) network (also known as a process control network (PCN) or SCADA network). Therefore, the first step in assessing the cybersecurity of an ICS is to create an accurate map of these networks, the devices connected to them and the normal or expected data flows between them. In most industrial facilities these networks have expanded and evolved over many years, leaving documentation incomplete or inaccurate. aeSolutions can help organizations develop or update these diagrams using a combination of physical assessment and passive network discovery. For efficiency, this effort is often coupled with an ICS Asset Inventory and/or a Cybersecurity Vulnerability Assessment.

ICS Asset Inventory

An important step in protecting industrial control systems (ICS) against cyber threats is to identify and document the ICS assets that make up the system. Many facilities do not have complete and up-to-date documentation, as it is very challenging to manually maintain an inventory of all physical and cyber assets over time. aeSolutions can help organizations develop or update their ICS Asset Inventory using a combination of physical assessment and passive network discovery, and provide them with tools to facilitate maintenance of the inventory. For efficiency, this effort is often coupled with the development of ICS Network & Dataflow Diagrams and/or an ICS Cybersecurity Vulnerability Assessment.
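
As an added example (not aeSolutions code or tooling), the script below shows how passively collected flow records are turned into an asset inventory and a dataflow listing, and how a level-skipping connection surfaces from them. The flow records and the subnet-to-Purdue-level plan are constructed for illustration; the function and variable names are the example's own.

```python
"""Build an ICS asset inventory and dataflow summary from passively
observed flow records.

Added example, not aeSolutions code. The flow records below are
constructed to stand in for what a passive collector (SPAN/TAP capture
or switch flow export) would produce; the subnet-to-Purdue-level plan is
a hypothetical assumption."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed subnet plan: which Purdue reference model level each network is.
SUBNET_LEVELS = {
    ip_network("10.1.0.0/24"): 1,  # basic control: PLC / DCS controllers
    ip_network("10.2.0.0/24"): 2,  # supervisory: HMI, engineering workstations
    ip_network("10.3.0.0/24"): 3,  # site operations: historian, patch server
    ip_network("10.4.0.0/16"): 4,  # enterprise business network
}

# Service labels for ports seen in the capture (well-known ICS/IT ports).
PORT_NAMES = {502: "modbus", 44818: "enip", 4840: "opc-ua", 445: "smb", 3389: "rdp"}

# Constructed flow records: (src_ip, dst_ip, dst_port, protocol, bytes).
OBSERVED_FLOWS = [
    ("10.2.0.10", "10.1.0.5", 502, "tcp", 120300),   # HMI polling PLC-5
    ("10.2.0.10", "10.1.0.5", 502, "tcp", 118900),   # same conversation, later interval
    ("10.2.0.10", "10.1.0.6", 502, "tcp", 117400),   # HMI polling PLC-6
    ("10.2.0.20", "10.1.0.5", 44818, "tcp", 9400),   # engineering workstation -> PLC-5
    ("10.3.0.50", "10.2.0.10", 4840, "tcp", 80200),  # historian pulling OPC UA from HMI
    ("10.4.7.33", "10.1.0.5", 502, "tcp", 640),      # business host talking Modbus to PLC-5
    ("10.2.0.99", "10.2.0.10", 445, "tcp", 2300),    # undocumented host on the L2 network
]


def level_of(ip: str):
    """Return the Purdue level of an address, or None if it is outside the plan."""
    addr = ip_address(ip)
    for net, level in SUBNET_LEVELS.items():
        if addr in net:
            return level
    return None


def build_inventory(flows):
    """One entry per address seen, with its level, the services it serves
    (ports it accepts connections on) and the peers it talks to."""
    inventory = {}
    for src, dst, port, _proto, _nbytes in flows:
        for ip in (src, dst):
            inventory.setdefault(ip, {"level": level_of(ip), "services": set(), "peers": set()})
        inventory[dst]["services"].add(PORT_NAMES.get(port, f"tcp/{port}"))
        inventory[src]["peers"].add(dst)
        inventory[dst]["peers"].add(src)
    return inventory


def build_dataflows(flows):
    """Aggregate raw records into one line per (src, dst, port, proto) with total
    bytes, which is what goes on the dataflow diagram."""
    totals = defaultdict(int)
    for src, dst, port, proto, nbytes in flows:
        totals[(src, dst, port, proto)] += nbytes
    return dict(totals)


def find_level_violations(flows):
    """Flows whose endpoints are more than one Purdue level apart. The reference
    architecture expects traffic to pass through adjacent levels, so a level-4
    host reaching a level-1 controller directly is a finding to chase down."""
    findings = []
    for src, dst, port, _proto, _nbytes in flows:
        src_level, dst_level = level_of(src), level_of(dst)
        if src_level is None or dst_level is None:
            continue
        if abs(src_level - dst_level) > 1:
            findings.append((src, dst, port, src_level, dst_level))
    return findings


if __name__ == "__main__":
    for key, nbytes in sorted(build_dataflows(OBSERVED_FLOWS).items()):
        print(f"{key[0]:>10} -> {key[1]:<10} {PORT_NAMES.get(key[2], key[2])!s:<8} {nbytes:>8} B")
    print("level-skipping flows:", find_level_violations(OBSERVED_FLOWS))
```

Run as-is it prints the aggregated dataflows and the single finding: a business-network host speaking Modbus to a controller two levels down. In a real engagement the records come from a SPAN or TAP capture, never from active scanning of the controllers.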

ICS Cybersecurity Gap Assessment

A good starting point in any ICS cybersecurity program is to perform a gap assessment to understand how your organization’s existing operational and technical cybersecurity practices compare to industry regulations, standards and best practices such as:

  • ACC Guidance for Addressing Cyber Security
  • API 1164
  • AWWA Process Control System Security Guidance
  • CFATS Risk-Based Performance Standards (RBPS-8)
  • CSA Z246.1-09
  • ISA/IEC 62443-2-1 (formerly ISA 99.02.01)
  • ISA/IEC 62443-3-3
  • ISA TR84.00.09
  • NEI 08-09
  • NERC CIP
  • NIST SP800-82
  • NIST Cybersecurity Framework
  • NRC Reg Guide 5.71
  • TSA Pipeline Security Guidelines

aeSolutions has performed numerous ICS cybersecurity gap assessments through a combination of interviews with key personnel and examination of drawings, configurations, policies, and procedures. Based upon our experience, we can also provide feedback on how your organization compares to industry peers. Often an ICS Cybersecurity Gap Assessment is performed in conjunction with an ICS Cybersecurity Vulnerability Assessment.

ICS Cybersecurity Vulnerability Assessment

An ICS Cybersecurity Vulnerability Assessment is an exercise to define, identify, and classify the security vulnerabilities in an industrial control system and its related network infrastructure. Gathering this information is a critical step in evaluating cyber risk and developing a practical mitigation plan. An ICS CVA evaluates the ICS design, implementation, configuration as well as its operation and management in order to determine the adequacy of security measures and identify security deficiencies.

An ICS CVA can be performed offsite, onsite or a combination of both. An onsite assessment is more thorough and is preferred for existing (i.e. brownfield) systems, as there are almost always documentation gaps in operational systems. aeSolutions understands the critical and sensitive nature of ICS applications and uses only non-intrusive, passive forms of data collection when performing an ICS CVA on operational systems.

For new systems or major retrofits, the ICS CVA is performed at various stages of the project (e.g. design, implementation and commissioning). For these projects, more aggressive techniques can be used to test the system before it is fully commissioned and operational.

ICS Cybersecurity Risk Assessment

aeSolutions has applied our extensive experience in Process Safety Analysis to develop a systematic method of analyzing cyber risk called aeCyberPHA™. This method is aligned with the effort companies have invested in PHA methodologies such as Hazard and Operability (HAZOP) studies.

Supported by the findings from the ICS Cybersecurity Vulnerability Assessment, the aeCyberPHA Risk Assessment methodology is a qualitative analysis of cyber threats and vulnerabilities in order to determine the likelihood and consequence should a threat successfully exploit a vulnerability.

The combination of likelihood and consequence allows a risk determination, typically expressed in terms of impact to health, safety, the environment and company finances. The result is an understanding of ICS cybersecurity risk expressed in a form that is actionable and that is familiar and meaningful to management.
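
The following added example (not aeSolutions' aeCyberPHA worksheet, scales or calibration) illustrates the qualitative ranking in generic form: each constructed scenario couples a threat and vulnerability with a consequence taken from the PHA, credits countermeasures that are independent of the attack path, and compares the residual risk to an assumed tolerable limit. The category scales, the credit rule, the limit and the scenarios are all assumptions.

```python
"""Qualitative cyber risk ranking, cyber-PHA style: each scenario couples a
threat and vulnerability with a consequence taken from the PHA, credits
existing countermeasures, and compares the result to a tolerable-risk limit.

Added example and a generic illustration only: the category scales, the
countermeasure credit rule and the tolerable limit below are constructed
assumptions, not aeSolutions' aeCyberPHA worksheet or calibrated scales."""
from dataclasses import dataclass

LIKELIHOOD = ["remote", "unlikely", "possible", "likely"]      # score 1..4
SEVERITY = ["negligible", "minor", "serious", "catastrophic"]  # score 1..4
TOLERABLE_RISK = 4  # assumed limit on likelihood score x severity score


@dataclass
class Scenario:
    name: str
    zone: str
    threat: str
    vulnerability: str
    pha_consequence: str
    severity: str
    initiating_likelihood: str
    # (countermeasure, credited): a countermeasure earns one likelihood-category
    # reduction only if it is independent of the attack path and verified
    # effective (assumed credit rule).
    countermeasures: list


# Constructed scenarios for a hypothetical reactor unit.
SCENARIOS = [
    Scenario("Malicious setpoint change on reactor temperature loop", "BPCS",
             "attacker on compromised engineering workstation",
             "controller accepts unauthenticated Modbus writes",
             "runaway reaction, vessel rupture (PHA node 3)", "catastrophic", "possible",
             [("SIS high-temperature trip (independent of the BPCS)", True),
              ("operator response to alarm (on the HMI the attacker controls)", False)]),
    Scenario("Historian outage from malware", "Site ops DMZ",
             "malware propagating from business network",
             "unpatched historian OS", "loss of production reporting, no safety impact",
             "minor", "likely",
             [("DMZ firewall denies inbound from enterprise", True),
              ("application whitelisting on historian", True)]),
    Scenario("Unauthorized SIS logic change", "SIS",
             "insider with engineering credentials",
             "SIS engineering port reachable from BPCS network",
             "safety function unavailable on demand (PHA node 3)", "catastrophic", "unlikely",
             [("physical keyswitch required for SIS program mode", True),
              ("management-of-change procedure (not independent)", False)]),
]


def residual_likelihood(s: Scenario) -> int:
    """Initiating likelihood score minus one per credited countermeasure, floored at 1."""
    credits = sum(1 for _name, credited in s.countermeasures if credited)
    return max(1, LIKELIHOOD.index(s.initiating_likelihood) + 1 - credits)


def risk_rank(s: Scenario) -> int:
    return residual_likelihood(s) * (SEVERITY.index(s.severity) + 1)


def reductions_needed(s: Scenario) -> int:
    """Further credited likelihood reductions that bring the scenario within the
    tolerable limit (0 if already tolerable). Returns -1 when the severity alone
    exceeds the limit, i.e. no likelihood reduction can make it tolerable."""
    sev = SEVERITY.index(s.severity) + 1
    if sev > TOLERABLE_RISK:
        return -1
    like, needed = residual_likelihood(s), 0
    while like * sev > TOLERABLE_RISK:
        like -= 1
        needed += 1
    return needed


def rank_scenarios(scenarios):
    """Worksheet rows sorted with the highest residual risk first."""
    rows = []
    for s in scenarios:
        rows.append({
            "scenario": s.name,
            "zone": s.zone,
            "likelihood": LIKELIHOOD[residual_likelihood(s) - 1],
            "severity": s.severity,
            "risk": risk_rank(s),
            "tolerable": risk_rank(s) <= TOLERABLE_RISK,
            "reductions_needed": reductions_needed(s),
        })
    return sorted(rows, key=lambda r: r["risk"], reverse=True)


if __name__ == "__main__":
    for row in rank_scenarios(SCENARIOS):
        print(row)
```

The point the worksheet makes is the coupling: the setpoint-change scenario inherits the catastrophic consequence from the PHA node, the operator alarm earns no credit because the attacker controls the same HMI, and one more independent countermeasure (or removing the unauthenticated write path) is what the roadmap has to deliver.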

Zone & Conduit Modeling

A zone and conduit model, introduced in ISA/IEC 62443-1-1, is used to document the grouping of ICS and related assets into security zones and conduits. The development of the model is an iterative process that typically begins following the ICS Cybersecurity Gap Assessment and/or ICS Cybersecurity Vulnerability Assessment and is refined following the ICS Cybersecurity Risk Assessment.

aeSolutions can assist in developing a corporate Zone & Conduit Reference Model as well as Zone & Conduit Models for specific ICSs.
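
As an added example (not aeSolutions' tooling and not part of the ISA/IEC 62443 standard itself), the script below encodes a small zone and conduit model and checks passively observed flows against it, reporting flows that cross zones with no conduit, flows using a protocol the conduit does not permit, and assets the model has not placed in any zone. Zone membership, target security levels, conduits and flows are constructed.

```python
"""Check observed dataflows against a zone and conduit model.

Added example; not aeSolutions' tooling and not part of ISA/IEC 62443.
Zone membership, target security levels, conduit definitions and the
observed flows are constructed assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Zone:
    name: str
    target_sl: int          # assumed SL-T (1..4) for the zone
    assets: frozenset       # member addresses


@dataclass(frozen=True)
class Conduit:
    src_zone: str
    dst_zone: str           # conduits are directional: who initiates to whom
    protocols: frozenset    # protocols permitted on this conduit


ZONES = [
    Zone("SIS", 3, frozenset({"10.1.0.100"})),
    Zone("BPCS controllers", 2, frozenset({"10.1.0.5", "10.1.0.6"})),
    Zone("Supervisory", 2, frozenset({"10.2.0.10", "10.2.0.20"})),
    Zone("Site ops DMZ", 2, frozenset({"10.3.0.50"})),
    Zone("Enterprise", 1, frozenset({"10.4.7.33"})),
]

CONDUITS = [
    Conduit("Supervisory", "BPCS controllers", frozenset({"modbus", "enip"})),
    Conduit("Supervisory", "SIS", frozenset({"opc-ua"})),        # read-only view of the SIS
    Conduit("Site ops DMZ", "Supervisory", frozenset({"opc-ua"})),
    Conduit("Enterprise", "Site ops DMZ", frozenset({"https"})),
]

# Constructed observed flows: (src_ip, dst_ip, protocol) from passive discovery.
OBSERVED = [
    ("10.2.0.10", "10.1.0.5", "modbus"),     # HMI -> PLC over the permitted conduit
    ("10.1.0.5", "10.1.0.6", "enip"),        # controller-to-controller, same zone
    ("10.3.0.50", "10.2.0.10", "opc-ua"),    # historian -> HMI, permitted conduit
    ("10.4.7.33", "10.1.0.5", "modbus"),     # enterprise -> controller: no conduit exists
    ("10.2.0.20", "10.1.0.100", "modbus"),   # EWS -> SIS over a protocol the conduit forbids
    ("10.2.0.99", "10.2.0.10", "smb"),       # source is in no zone at all
]


def zone_of(ip, zones):
    for z in zones:
        if ip in z.assets:
            return z.name
    return None


def validate_flows(flows, zones, conduits):
    """Classify each flow: intra-zone or on a matching conduit (allowed), crossing
    zones with no conduit, crossing a conduit with a non-permitted protocol, or
    involving an asset that the model does not place in any zone."""
    result = {"allowed": [], "no_conduit": [], "protocol_not_allowed": [], "unzoned": set()}
    by_pair = {(c.src_zone, c.dst_zone): c for c in conduits}
    for src, dst, proto in flows:
        zs, zd = zone_of(src, zones), zone_of(dst, zones)
        if zs is None or zd is None:
            result["unzoned"].update(ip for ip, z in ((src, zs), (dst, zd)) if z is None)
            continue
        if zs == zd:
            result["allowed"].append((src, dst, proto))
            continue
        conduit = by_pair.get((zs, zd))
        if conduit is None:
            result["no_conduit"].append((src, dst, proto))
        elif proto not in conduit.protocols:
            result["protocol_not_allowed"].append((src, dst, proto))
        else:
            result["allowed"].append((src, dst, proto))
    return result


def conduits_into_higher_sl(zones, conduits):
    """Conduits entering a zone whose target security level is higher than the
    source zone's: the boundary device on each must enforce the stronger zone's
    requirements, so these are the ones to review first."""
    sl = {z.name: z.target_sl for z in zones}
    return [(c.src_zone, c.dst_zone) for c in conduits if sl[c.dst_zone] > sl[c.src_zone]]


if __name__ == "__main__":
    print(validate_flows(OBSERVED, ZONES, CONDUITS))
    print("conduits into stronger zones:", conduits_into_higher_sl(ZONES, CONDUITS))
```

Each of the three findings maps to a different remediation: a missing conduit is either an undocumented business need or an unauthorized path to block; a forbidden protocol on an existing conduit is a boundary device not enforcing the model; an unzoned asset sends the team back to the asset inventory.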

ICS Cybersecurity Strategy Development

Once cybersecurity risk is well understood the next step is to develop a strategy to address any unacceptable or intolerable risks. Sorting through the numerous recommendations that were identified during the ICS Cybersecurity Gap, Vulnerability, and Risk Assessment steps and determining the most effective approach and optimal timing can be complicated.

aeSolutions can assist in technology evaluations, cost/benefit analysis and development of a strategic implementation roadmap.

ICS Cybersecurity Requirements Specification Development

An ICS Cybersecurity Requirements Specification (CRS) is the final deliverable from the Assess & Define phase of the lifecycle that is used to clearly document the cybersecurity requirements. It is an important document as it serves as the design basis for all subsequent phases of the lifecycle. For example, the CRS can be provided to automation contractors as well as to suppliers of packaged control systems ensuring they fully understand the expectations of their contribution to the overall project.

aeSolutions can assist in assembling an ICS CRS based upon the results of the ICS Cybersecurity Vulnerability Assessment, ICS Cybersecurity Risk Assessment, as well as experience and our in-depth knowledge of industry best practices and standards.

Design, Implement & Construct

Industrial Network Architecture Design

A properly designed and configured network is fundamental to achieving the required performance, reliability and security of an industrial control system. aeSolutions can provide the engineering services to plan and design or redesign complete industrial networks.

Industrial Firewall Design/Commissioning

Firewalls are a great tool to segment networks and prevent unauthorized access to critical ICS assets. However, a firewall is only as good as its configuration. aeSolutions has extensive experience in designing, configuring and commissioning firewalls in industrial applications. We have experience in all major brands of firewalls, whether they be general-purpose IT firewalls used to partition the ICS networks from company business networks or industrial firewalls used to protect individual zones and conduits.
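
The added example below (not aeSolutions' code and not any vendor's configuration syntax) shows why ordering matters in a first-match ruleset: a weak ruleset with a broad "temporary" allow left above the deny that was meant to protect the controllers, beside a hardened one with explicit allows and a logged cleanup deny, plus a lint that reports rules shadowed by an earlier broader rule. Rulesets and test packets are constructed.

```python
"""First-match evaluation of an ICS boundary firewall ruleset, plus a lint for
shadowed rules (rules that can never match because an earlier rule already
covers all of their traffic).

Added example; not aeSolutions' code and not any vendor's rule syntax. The
rulesets and test packets are constructed; the weak ruleset shows a common
mistake, a broad "temporary" allow left above the deny that was meant to
protect the controllers."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None   # None matches any port
    proto: Optional[str] = None   # None matches any protocol
    log: bool = False


WEAK_RULESET = [
    Rule("allow", ip_network("10.4.0.0/16"), ip_network("10.0.0.0/8")),                # "temporary" troubleshooting rule
    Rule("allow", ip_network("10.4.0.0/16"), ip_network("10.3.0.50/32"), 443, "tcp"),  # business -> historian web
    Rule("deny", ip_network("10.4.0.0/16"), ip_network("10.1.0.0/24")),                # meant to protect the controllers
]

HARDENED_RULESET = [
    Rule("allow", ip_network("10.4.0.0/16"), ip_network("10.3.0.50/32"), 443, "tcp"),   # business -> historian web
    Rule("allow", ip_network("10.3.0.50/32"), ip_network("10.2.0.10/32"), 4840, "tcp"), # historian -> HMI OPC UA
    Rule("deny", ANY, ANY, log=True),                                                   # explicit, logged cleanup rule
]


def matches(rule: Rule, src: str, dst: str, dport: int, proto: str) -> bool:
    return (ip_address(src) in rule.src and ip_address(dst) in rule.dst
            and rule.dport in (None, dport) and rule.proto in (None, proto))


def evaluate(rules, src, dst, dport, proto):
    """Return (action, index of the matching rule). With no match the implicit
    policy is deny, reported with index None."""
    for i, rule in enumerate(rules):
        if matches(rule, src, dst, dport, proto):
            return rule.action, i
    return "deny", None


def covers(earlier: Rule, later: Rule) -> bool:
    """True if every packet the later rule could match is already matched by the earlier one."""
    return (later.src.subnet_of(earlier.src) and later.dst.subnet_of(earlier.dst)
            and earlier.dport in (None, later.dport) and earlier.proto in (None, later.proto))


def shadowed_rules(rules):
    """Indices of rules fully covered by some earlier rule; a shadowed deny is a
    hole in the policy, a shadowed allow is dead configuration."""
    return [j for j in range(len(rules)) if any(covers(rules[i], rules[j]) for i in range(j))]


if __name__ == "__main__":
    pkt = ("10.4.7.33", "10.1.0.5", 502, "tcp")  # business host trying Modbus to a PLC
    print("weak:", evaluate(WEAK_RULESET, *pkt), "shadowed:", shadowed_rules(WEAK_RULESET))
    print("hardened:", evaluate(HARDENED_RULESET, *pkt), "shadowed:", shadowed_rules(HARDENED_RULESET))
```

On the weak ruleset the Modbus attempt from the business network is allowed by rule 0 and both later rules, including the protective deny, are reported as shadowed; on the hardened ruleset it falls through to the logged cleanup deny. Running the shadow lint against an exported ruleset is a quick commissioning check that catches exactly this class of ordering mistake.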

ICS Access Control

A key element in ICS security is controlling the human users or other computer systems that are allowed to logically gain access to the system. Access control involves identifying the users who should have access to the system, the specific resources they should have access to, the privileges they should be granted and the enforcement of those rules.

aeSolutions can assist your organization in developing and implementing an ICS access control strategy whether it be for your corporation, plant or individual control system.

ICS Remote Access

Technology has made it possible to remotely connect to control systems from anywhere in the world with any device capable of Internet access. This capability provides many operational benefits such as being able to maintain and support systems with remote staff, to supply operational data to Enterprise Resource Planning (ERP) systems and regulators, and to enable vendors to provide support and updates to the system. These benefits notwithstanding, allowing remote access to a control system, especially remote access over public networks (e.g. the Internet), can be extremely risky. Since the risk varies with the application, the decision whether to allow remote access to an ICS should always be based on the results of an ICS Cybersecurity Risk Assessment.

aeSolutions can assist by evaluating your current ICS remote access implementation and assisting in the design/redesign of a solution with the appropriate layers of security.

ICS Wireless Communications

While licensed-band radio systems and microwave links have been used for many years in SCADA applications, the use of wireless communications in ICS environments has increased significantly in recent years. It is more common to find WiFi and cellular access points in ICS networks, and some automation vendors are adding wireless functionality directly into their ICS products.

Wireless access to the ICS network introduces risks similar to ICS Remote Access, with some additional threat vectors: the medium extends beyond the plant fence, so eavesdropping, rogue access points and jamming require no physical connection. Since the risk varies with the application, the decision whether to allow wireless access to an ICS should always be based on the results of an ICS Cybersecurity Risk Assessment.

aeSolutions can assist by evaluating your current ICS wireless implementation and assisting in the design/redesign of a solution with the appropriate layers of security.

ICS Security Hardening

Hardening an ICS involves constraining the functionality of the various components to prevent unauthorized access or changes, removing unnecessary functions or features, enabling security features, and patching any known vulnerabilities. aeSolutions can design and implement the security hardening requirements for a new system or help implement the security hardening gaps discovered as part of an ICS Cybersecurity Vulnerability Assessment for an existing system.

ICS Cybersecurity Acceptance Testing

A missing component in current ICS acceptance testing practices, such as Factory Acceptance Testing (FAT) or Site Acceptance Testing (SAT), is cybersecurity. In fact, many organizations have reported that the cybersecurity of their ICS was actually compromised as a result of FAT or SAT. This is not surprising as the goal of FAT/SAT is to verify the functionality of the system – not the cybersecurity. As such, cybersecurity policies, procedures and controls are often bypassed in order to expedite completion of the testing.

aeSolutions believes that ICSs should undergo Cybersecurity Acceptance Testing (CAT) following FAT and/or SAT. CAT should include verification that the system complies with the ICS Cybersecurity Requirements Specification: for example, that the required security settings were configured correctly and that the necessary security components (e.g. firewalls) were installed and properly configured. Additionally, CAT should include cybersecurity robustness testing (subjecting controllers and network components to malformed and high-rate traffic to confirm they keep operating) and penetration testing, which is designed to discover and identify the weaknesses or vulnerabilities in a system. Testing of this kind should not be performed on a production system, but it can be safely performed before the system is operational.

aeSolutions offers Cybersecurity Acceptance Testing procedure development and testing.

Operate & Maintain

ICS Intrusion Detection Design

Just like IT networks, ICS networks should be monitored for suspicious or potentially malicious events. Minor security issues may go undetected and grow into critical security incidents if an organization has no means of detecting suspicious events. Unfortunately, most commercial intrusion detection systems (IDS) and Security Information and Event Management (SIEM) solutions are not appropriate for the ICS environment as delivered: they do not understand ICS protocols such as Modbus or EtherNet/IP, and active scanning components can disrupt controllers.

aeSolutions can help design and implement intrusion detection solutions that make sense for the ICS environment.
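
As an added example (not aeSolutions' detection design), here are three ICS-aware detection rules run over constructed connection records: a source missing from the inventory, a Modbus write function code from a host not authorized to write to that controller, and a service appearing on an asset that the baseline never offered. The baseline, the authorized-writer list and the records are assumptions.

```python
"""ICS-aware intrusion detection over passively captured connection records.

Added example, not aeSolutions' design. Three rules run over constructed
Modbus/TCP and IT connection records against a baseline derived from the
asset inventory: a source absent from the inventory, a Modbus write
function code from a host not authorized to write to that controller,
and a service on an asset that the baseline never offered."""
import re

# Baseline (assumed): inventoried assets and the services each is expected to serve.
BASELINE_SERVICES = {
    "10.1.0.5": {502},          # PLC-5: Modbus/TCP only
    "10.1.0.6": {502},
    "10.2.0.10": {4840},        # HMI serves OPC UA to the historian
    "10.2.0.20": set(),         # engineering workstation serves nothing
    "10.3.0.50": {443},
}
# Hosts permitted to issue Modbus writes to each controller (assumed).
WRITE_AUTHORIZED = {"10.1.0.5": {"10.2.0.10", "10.2.0.20"}, "10.1.0.6": {"10.2.0.10", "10.2.0.20"}}
MODBUS_WRITE_FCS = {5, 6, 15, 16, 22, 23}  # write coil/register function codes

# Constructed records (the fc field is present only for Modbus connections).
RECORDS = """\
2024-03-02T10:15:01Z src=10.2.0.10 dst=10.1.0.5 dport=502 fc=3
2024-03-02T10:15:02Z src=10.2.0.20 dst=10.1.0.5 dport=502 fc=16
2024-03-02T10:15:03Z src=10.2.0.10 dst=10.1.0.6 dport=502 fc=6
2024-03-02T10:15:04Z src=10.2.0.99 dst=10.1.0.5 dport=502 fc=16
2024-03-02T10:15:05Z src=10.2.0.20 dst=10.1.0.5 dport=3389
2024-03-02T10:15:06Z src=10.3.0.50 dst=10.2.0.10 dport=4840
""".splitlines()

FIELD = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """Split a record into its timestamp and key=value fields; numeric fields become ints."""
    ts, _, rest = line.partition(" ")
    fields = {k: (int(v) if v.isdigit() else v) for k, v in FIELD.findall(rest)}
    fields["ts"] = ts
    return fields


def detect(lines, baseline=BASELINE_SERVICES, writers=WRITE_AUTHORIZED):
    """Return alerts as (rule, timestamp, src, dst, detail) tuples."""
    alerts = []
    for line in lines:
        r = parse(line)
        src, dst, dport, fc = r["src"], r["dst"], r["dport"], r.get("fc")
        if src not in baseline:
            alerts.append(("unknown_asset", r["ts"], src, dst, f"source not in inventory, dport={dport}"))
        if dport == 502 and fc in MODBUS_WRITE_FCS and src not in writers.get(dst, set()):
            alerts.append(("unauthorized_modbus_write", r["ts"], src, dst, f"fc={fc}"))
        if dst in baseline and dport not in baseline[dst]:
            alerts.append(("unexpected_service", r["ts"], src, dst, f"dport={dport} not in baseline"))
    return alerts


if __name__ == "__main__":
    for alert in detect(RECORDS):
        print(*alert)
```

All three rules are purely passive and keyed to the inventory and dataflow baseline, which is what makes them usable on a running plant: nothing is sent to the controllers, and the baseline is the same document the assessment produced.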

ICS Change Management

Change management policies and procedures are used to control modifications to hardware, firmware, software, and documentation to ensure the ICS is protected against improper modifications prior to, during, and after commissioning. A formal change management program should be established and its procedures followed to ensure that all modifications to ICS components and the ICS network maintain the security requirements established in the ICS Cybersecurity Requirements Specification. Changes to the ICS that could affect security, including configuration changes, the addition of network components, and installation of new application software, should prompt an update of the ICS Cybersecurity Risk Assessment.

There are a variety of commercial software tools available to assist in managing and enforcing these policies/procedures. aeSolutions can assist in the development and implementation of an ICS change management program and the deployment of software tools to assist organizations in meeting the change management requirements set forth in ICS cybersecurity standards such as ISA/IEC 62443 and NERC CIP.
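
The added example below (not aeSolutions' CAT procedure and not a real CRS) serves both the Cybersecurity Acceptance Testing step earlier on this page and change management: CRS clauses become predicates over a configuration snapshot, the snapshot taken at CAT passes, and a later snapshot shows which clauses now fail and which changed settings must reopen the risk assessment. Requirement IDs, checks and snapshots are constructed.

```python
"""Turn ICS Cybersecurity Requirements Specification (CRS) clauses into
machine-checkable acceptance tests and re-run them against a later
configuration snapshot to find security-relevant drift.

Added example; not aeSolutions' CAT procedures and not a real CRS. The
requirement IDs, checks and the configuration snapshots (as they might be
exported from an HMI server and a boundary firewall) are constructed."""

# Snapshot captured at Cybersecurity Acceptance Testing (constructed).
CAT_SNAPSHOT = {
    "hmi01": {
        "smbv1_enabled": False,
        "autorun_disabled": True,
        "running_services": {"HMIRuntime", "EventLog", "W32Time"},
        "local_admins": {"ics-admin"},
        "password_min_length": 12,
        "installed_software": {"HMI Runtime 9.2", "Whitelisting Agent"},
        "ntp_server": "10.3.0.1",
    },
    "fw-l3-5": {"default_policy": "deny", "rule_count": 14, "logging": True},
}

# Same assets six months later (constructed): a vendor visit left changes behind.
LATER_SNAPSHOT = {
    "hmi01": {
        "smbv1_enabled": True,
        "autorun_disabled": True,
        "running_services": {"HMIRuntime", "EventLog", "W32Time", "RemoteDesktop"},
        "local_admins": {"ics-admin", "vendor-temp"},
        "password_min_length": 12,
        "installed_software": {"HMI Runtime 9.3", "Whitelisting Agent"},
        "ntp_server": "10.3.0.2",
    },
    "fw-l3-5": {"default_policy": "deny", "rule_count": 15, "logging": True},
}

# CRS clauses as (id, asset, description, predicate over that asset's config).
REQUIREMENTS = [
    ("CRS-01", "hmi01", "SMBv1 disabled", lambda c: not c["smbv1_enabled"]),
    ("CRS-02", "hmi01", "autorun disabled on removable media", lambda c: c["autorun_disabled"]),
    ("CRS-03", "hmi01", "only approved services running",
     lambda c: c["running_services"] <= {"HMIRuntime", "EventLog", "W32Time"}),
    ("CRS-04", "hmi01", "only the named ICS admin account is a local administrator",
     lambda c: c["local_admins"] == {"ics-admin"}),
    ("CRS-05", "hmi01", "minimum password length 12", lambda c: c["password_min_length"] >= 12),
    ("CRS-06", "hmi01", "application whitelisting agent installed",
     lambda c: "Whitelisting Agent" in c["installed_software"]),
    ("CRS-07", "fw-l3-5", "boundary firewall default policy is deny", lambda c: c["default_policy"] == "deny"),
    ("CRS-08", "fw-l3-5", "boundary firewall logs denied traffic", lambda c: c["logging"]),
]

# Settings whose change must trigger a risk assessment update under the change
# management procedure (assumed list); ntp_server deliberately is not one.
RISK_RELEVANT_KEYS = {"smbv1_enabled", "running_services", "local_admins",
                      "installed_software", "rule_count", "default_policy"}


def verify(snapshot, requirements=REQUIREMENTS):
    """Return the IDs of CRS requirements the snapshot fails."""
    return [rid for rid, asset, _desc, check in requirements if not check(snapshot[asset])]


def drift(baseline, current, risk_keys=RISK_RELEVANT_KEYS):
    """Per-asset list of changed settings, each flagged if it must reopen the risk assessment."""
    changes = []
    for asset, base_cfg in baseline.items():
        for key, old in base_cfg.items():
            new = current.get(asset, {}).get(key)
            if new != old:
                changes.append((asset, key, old, new, key in risk_keys))
    return changes


def reassessment_required(baseline, current):
    return any(flag for *_rest, flag in drift(baseline, current))


if __name__ == "__main__":
    print("CAT failures:", verify(CAT_SNAPSHOT))
    print("later failures:", verify(LATER_SNAPSHOT))
    for change in drift(CAT_SNAPSHOT, LATER_SNAPSHOT):
        print(change)
    print("risk assessment update required:", reassessment_required(CAT_SNAPSHOT, LATER_SNAPSHOT))
```

Keeping the checks executable means the same script runs at CAT, after each approved change and during periodic audits, and a vendor's leftover SMBv1, RDP service and temporary administrator account show up as failed CRS clauses rather than being found during the next incident.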

ICS Patch Management Support

Patch management is an important component of an overall ICS security program. In some cases, the only mitigation for a discovered vulnerability is to install a software patch provided by the supplier. However, patch management in an ICS is challenging in that deploying patches can introduce risk – sometimes more risk than the risk of the vulnerability the patch addresses. ICS patch management policies and procedures need to balance the need for system reliability with the need for system security.

aeSolutions can assist in the development and implementation of an ICS patch management program and the deployment of patch management software to assist organizations in meeting the requirements set forth in ICS cybersecurity standards such as ISA/IEC 62443 and NERC CIP.

ICS Malware Prevention

Studies have shown that malware-related incidents are the number one cause of cyber-related production losses and upsets in ICSs. As such, malware prevention (e.g. anti-virus, application whitelisting) is an important component of an overall ICS security program. However, deployment of malware prevention in an ICS can be challenging. ICS malware prevention policies and procedures need to balance the need for system reliability with the need for system security.

aeSolutions can assist in the development and implementation of an ICS malware prevention program and the deployment of anti-virus and/or whitelisting software to assist organizations in meeting the requirements set forth in ICS cybersecurity standards such as ISA/IEC 62443 and NERC CIP.

ICS Backup and Restore

Despite best efforts, it is highly likely that at some point in the operation of an ICS there will be a loss of a device or server containing critical data. Whether this loss is accidental or the result of malicious action, it is critical that a comprehensive backup and restore policy be in place to recover this data.

aeSolutions can assist in the development and implementation of a backup and restore program and the deployment of automated backup systems to assist organizations in meeting the requirements set forth in ICS cybersecurity standards such as ISA/IEC 62443 and NERC CIP.

Periodic ICS Cybersecurity Audits

Numerous factors can affect the security of a system throughout its lifecycle, such as new threats, the deterioration of countermeasures over time, and the availability of new information and techniques. Therefore, it is important to periodically test and verify that the system is still configured for optimal security.

aeSolutions can assist organizations by conducting periodic audits as part of a Technical Support Agreement (TSA) and/or helping them prepare for internal or external regulatory audits.