InTech

JAN-FEB 2018

Issue link: http://intechdigitalxp.isa.org/i/935787


channel chat | Tips and Strategies for Integrators

Integrating cybersecurity into a greenfield ICS project

By Krish Sridhar, PE, GSEC

Industrial control system (ICS) cybersecurity is critical to companies that spend millions of dollars assessing and mitigating ICS cybersecurity risks. This is great news for brownfield systems, but how do we make sure that greenfield projects do not install new ICSs with cybersecurity vulnerabilities and gaps? Cybersecurity does not happen by accident—it must be consciously designed into the system.

Integrating cybersecurity into an ICS requires a project life-cycle approach. First, you must justify the project. The relationship between process safety and ICS cybersecurity is compelling for companies, especially if they fall under process safety regulations, such as OSHA process safety management (PSM). Preventing cybersecurity incidents that could cause costly lost production or extended service interruption follows and finishes with adherence to industry best practices and standards. The mission to "stop the bleeding" requires proactive integration and recoups losses on the bottom line.

Business challenges include acquiring buy-in from senior and project management, and support from engineering, procurement, construction (EPC), vendors, system integration (SI), and relative operations. Collective buy-in guarantees minimal impact on project scheduling.

For reference, a typical ICS cybersecurity life cycle for existing systems has five phases: vulnerability/gap assessment, risk assessment, a mitigation plan, implementation, and auditing. Integration of cybersecurity into the ICS project life cycle consists of:

- front-end engineering with a cyberPHA (detailed cybersecurity risk assessment methodology)
- detailed engineering with cybersecurity requirements specifications and design reviews
- cybersecurity factory acceptance testing (CFAT) and cybersecurity site acceptance testing (CSAT)
- security management, monitoring, and incident response

Front-end engineering begins with ICS cybersecurity risk assessments, which are compliant with industry standards like ISA-62443-3-2. While conformance to standards is sufficient for many organizations, other factors, such as risk reduction per dollar spent, investor and regulator due diligence, and documenting to management, justify certain actions taken or not taken. An ICS cybersecurity risk assessment is meant to link a cybersecurity event and a true process hazard; a cyberPHA does so by connecting vulnerabilities and threats to consequences and likelihood of occurrence, accounting for existing countermeasures. The result gives management a road map highlighting a ranked set of risks, prioritized recommendations, and a mitigation plan.

If you want cybersecurity designed into your system, you must define your requirements and communicate them to all involved parties in the form of cybersecurity requirement specifications (CRSs). The CRS includes requirements for the monitoring and security of zones and conduit boundaries, and for hardening end points like ICS asset management, malware prevention, and access control. Include key stakeholders in the design review and have focused discussion about satisfied cybersecurity requirements and issues to document.

Conduct CFAT and CSAT on site to evaluate the cybersecurity of a system. The operating company should accept this before delivery and startup. CFAT and CSAT ensure the verification of cybersecurity requirements and proper configuration of security settings, the operating system, and antivirus software. Additionally, detection systems should be cleared as operational and able to identify and report events. Cybersecurity robustness testing must also be verified with discoveries on present vulnerabilities,

Example of an ICS risk profile

Site | Unit | Zone | Unmitigated risk (no countermeasures) | Mitigated risk (existing countermeasures) | Adjusted risk (proposed countermeasures)
--- | --- | --- | --- | --- | ---
1. Anywhere | 1. Remote | 1. Employee remote access | 8 | 6 | 3
2. Corporate HQ | 1. Corporate | 1. Enterprise | 7 | 5 | 4
3. Terminal | 1. Admin. building | 1. Plant business | 5 | 4 | 3
 | 2. Truck loading | 1. Process control | 8 | 6 | 5
 | | 3. Safety | 10 | 6 | 4
 | | 5. Wireless | 6 | 4 | 3
 | 3. Tank farm | 1. Process control | 9 | 7 | 4
 | | 5. Wireless | 6 | 4 | 3
3. Pumping station | 1. Admin. building | 1. Plant business | 5 | 4 | 3
 | 2. Pump house | 1. Process control | 8 | 5 | 4
 | | 3. Safety | 10 | 6 | 4
 | 3. Tank farm | 1. Process control | 8 | 6 | 5
 | | 5. Wireless | 6 | 4 | 3

[Figure: Typical ICS cybersecurity life cycle. Labels: CyberPHA; Front-end engineering; Cyber design review(s); Detailed engineering; Cyber req spec; Construction; Cyber FAT; Commission; CyberSAT; Run and maintain; Security management, monitoring, and incident response.]
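
As an added illustration (not part of the original article), the following Python code turns the article's example ICS risk profile into the ranked road map that a cyberPHA is described as producing. The scores are transcribed from the table; the ranking rule and the tolerable-risk level of 4 are assumptions made for this example.

```python
# Added example: rows transcribed from the article's "Example of an ICS risk
# profile" table: (site, unit, zone, unmitigated, mitigated, adjusted).
PROFILE = [
    ("Anywhere", "Remote", "Employee remote access", 8, 6, 3),
    ("Corporate HQ", "Corporate", "Enterprise", 7, 5, 4),
    ("Terminal", "Admin. building", "Plant business", 5, 4, 3),
    ("Terminal", "Truck loading", "Process control", 8, 6, 5),
    ("Terminal", "Truck loading", "Safety", 10, 6, 4),
    ("Terminal", "Truck loading", "Wireless", 6, 4, 3),
    ("Terminal", "Tank farm", "Process control", 9, 7, 4),
    ("Terminal", "Tank farm", "Wireless", 6, 4, 3),
    ("Pumping station", "Admin. building", "Plant business", 5, 4, 3),
    ("Pumping station", "Pump house", "Process control", 8, 5, 4),
    ("Pumping station", "Pump house", "Safety", 10, 6, 4),
    ("Pumping station", "Tank farm", "Process control", 8, 6, 5),
    ("Pumping station", "Tank farm", "Wireless", 6, 4, 3),
]

TOLERABLE_RISK = 4  # assumption: the article does not state a tolerance level


def validate(profile):
    """Return rows where a countermeasure column raises risk (data-entry check)."""
    return [r for r in profile if not (r[3] >= r[4] >= r[5])]


def road_map(profile, tolerable=TOLERABLE_RISK):
    """Rank zones by current (mitigated) risk, then by unmitigated risk.

    Each entry records how much the proposed countermeasures reduce risk and
    whether the adjusted risk is still above the tolerable level.
    """
    ranked = sorted(profile, key=lambda r: (-r[4], -r[3], r[0], r[1], r[2]))
    return [
        {
            "zone": " / ".join(r[:3]),
            "current": r[4],
            "reduction": r[4] - r[5],
            "still_above_tolerance": r[5] > tolerable,
        }
        for r in ranked
    ]


if __name__ == "__main__":
    assert not validate(PROFILE)
    for item in road_map(PROFILE):
        flag = "  <-- residual risk above tolerance" if item["still_above_tolerance"] else ""
        print(f'{item["current"]:>2} (-{item["reduction"]}) {item["zone"]}{flag}')
```

Zones flagged as still above tolerance are the ones where the proposed countermeasures alone do not close the gap and a further recommendation would be needed in the mitigation plan.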
