1
Purpose of this Book

Cybersecurity has quickly become an essential component in maintaining the safe and continued operations of industrial facilities. A survey of industrial control system operators in 2019 showed that 59% had experienced a cybersecurity incident in the past year [5]. The increase of cybersecurity incidents is not a phenomenon limited to a few specific companies or only the largest corporations. Over the last ten years, numerous attacks on automation systems such as those listed in Figure 1-1 continue to demonstrate that industrial facilities of all types and sizes are vulnerable to cybersecurity attack, and that these cyber-attacks can have significant financial, environmental, and process safety related consequences [6].

Figure 1-1 Major Industrial Cybersecurity Events in the Last Decade

Over the past 20 years, the conversation has moved from "Who could possibly target control systems for a cybersecurity attack?" to a continuing discussion of the many recent breaches and attacks. What has led to this drastic increase in cybersecurity attacks on industrial control systems? The following list provides several factors that could account for this increase:

• Increased interconnectivity of industrial control systems
• Increased convergence of OT and IT systems
• Increased use of Internet Protocol in OT applications
• Increased requirements for remote access
• Increased number of readily available hacking tools
• Desire to target critical infrastructure for political motives
• Increase in number of threat agents with skills to target control systems
• Better identification of cybersecurity attacks
• Increase in known software vulnerabilities
• Increase in known vulnerabilities in legacy systems
• Lack of sufficient cybersecurity awareness and training
• Potential for significant financial gain
• Desire to gain recognition of skills by targeting control systems

While no single cause drives the increase in cybersecurity attacks, it is likely that many of the factors in this list are contributing to the continually evolving cybersecurity landscape.

The purpose of this book is to introduce a risk-based approach for Managing Cybersecurity in the Process Industries and to help organizations design and implement more effective cybersecurity management system programs that are aligned with existing process safety management systems. This approach includes methods for:

1. Understanding cybersecurity risk for the process industry,
2. Integrating cybersecurity management into the existing process safety framework, and
3. Developing a path forward for the future of cybersecurity for the process industry.

The risk-based approach helps to provide an optimum comparison between cybersecurity risk and process risk so that informed decisions can be made. Not all hazards and risks are equal, and it is important to focus time and resources on the higher risks. Cybersecurity risk for the process industry can vary greatly, from potential business impact arising from denial of service or ransomware to the devastating real-world impact of a targeted attack that compromises process control and safety systems. The potential of cybersecurity attacks on the process industry to result in safety consequences represents a fundamental shift in approach from traditional IT cybersecurity concerns. Adopting this approach for cybersecurity will help all industries that manufacture, use, or handle hazardous chemicals or energy to:

• Develop their approach to cybersecurity incident prevention.
• Continuously improve their management system effectiveness.
• Employ cybersecurity management for non-regulatory processes using risk-based design principles.
• Integrate the cybersecurity business case into an organization's business processes.
• Focus their resources on higher risk activities.

This approach for cybersecurity management builds on the Guidelines for Risk Based Process Safety (RBPS) [7] and the RBPS Management System Accident Prevention Pillars:

Table 1-1 RBPS Accident and Cybersecurity Event Prevention Pillars

These pillars remain central for preventing cybersecurity incidents. Leveraging existing risk assessment and management techniques to address cybersecurity reduces the time required to deploy a robust cybersecurity program and improves the alignment between process safety risk management and cybersecurity risk management. The following considerations for cybersecurity outline key steps for addressing cybersecurity risk through the RBPS pillars.

Top management commitment to cybersecurity is a pre-requisite to successful implementation. Without strong leadership and clear organizational commitment to improving cybersecurity, it is very difficult to make improvements. In addition to driving cybersecurity initiatives, management support is also helpful for establishing a robust cybersecurity culture. Cybersecurity culture is based on awareness (understanding of the cybersecurity impacts of employee actions) and hygiene (understanding of basic security best practices); with these two components in place, conscientious cybersecurity behavior can be promoted. After cybersecurity culture has been established, ongoing management support is critical for sustaining focus on cybersecurity excellence.

Organizations that understand cybersecurity hazards and risk are better able to allocate limited resources in the most effective way. Due to the many misconceptions about cybersecurity for the process industry, developing an accurate understanding of the potential risks is particularly important. This is a necessary step for incorporating cybersecurity risk into the business plan to lower the overall risk level of the organization and maintain safe and continuous operations.

Managing cybersecurity risk consists of multiple phases including the identification and analysis of cybersecurity risk, designing of cybersecurity protections, implementation of cybersecurity detection systems and procedures for responding to cybersecurity incidents, and recovering from cybersecurity incidents. Strategies such as implementing a cybersecurity lifecycle can help organizations to reduce unexpected downtime and decrease the potential for adverse cybersecurity impacts.

Learning from experience requires monitoring and acting on internal and external challenges. Common internal challenges include previous cybersecurity incidents and near misses, while external challenges include events at similar facilities, industries, technologies, and increased threat activity. Despite an organization's best efforts in implementing cybersecurity management, with the continually evolving threat landscape, cybersecurity attacks are more a question of "when" than "if." Responding effectively to these situations and improving defenses in the future are critical aspects of cybersecurity management. An effective approach for learning from real world experience is to:

1. Apply industry best practices
2. Correct deficiencies identified from internal incidents
3. Apply lessons learned from other organizations

Monitoring Key Performance Indicators (KPIs) for cybersecurity throughout the life of the facility can provide useful information about how an organization's cybersecurity approach changes over time. In addition to tracking KPIs, periodic audits/assessments of the current level of cybersecurity drive continuous improvement and sustained results.

The pillars of the risk-based approach for cybersecurity are shown in Figure 1-2:

Figure 1-2 Cybersecurity Management System Pillars

Adapted from [7]

Focusing on the pillars of the risk-based approach for cybersecurity should enable an organization to improve its cybersecurity effectiveness, reduce the frequency and severity of cybersecurity incidents, and improve its long-term safety, environmental, and business performance. If the process control system is not secure, it cannot be operated safely. The risk-based approach helps avoid gaps and inconsistencies in the security approach to prevent common cause failures of the control and safety systems.

1.1 Target Audience

This risk-based approach for Managing Cybersecurity in the Process Industries is written for practitioners of the process safety lifecycle including process safety practitioners, process control engineers, instrumentation engineers, maintenance engineers, and process engineers, and others. For simplicity, these roles are referred to as process safety professionals throughout the remainder of this book. Additionally, this book is written for key stakeholders whose decisions can impact the implementation of the process safety lifecycle. The goal...