Rating: ★★★★☆

Tweet Length Review: Short and effective description of a process to add intentional cyber attacks to a Process Hazards Analysis (PHA). Includes basic process engineering examples that are highly useful for readers with an IT or IT security background.

Full Title: Security PHA Review for Consequence-Based Cybersecurity by Edward Marszal and Jim McGlone, Published by ISA

Price: $89 for paperback, no e-book, available only from ISA directly

The process industries have long had to identify and prevent potential causes of high consequence events, with loss of life as a key consequence metric. This formal identification, analysis and mitigation takes place in a Process Hazards Analysis (PHA). The PHA has worked well to improve safety and reduce other high consequence events.

The problem is that the PHA does not include intentional incidents caused by a cyber attack. In recent years there have been a number of consequence-based ICS risk reduction approaches, including DHS’s Consequence-Driven Cyber-Informed Engineering (CCE) and Cyber PHAs from aeSolutions and others. This is the first book I’ve seen that documents the process; in this case a Kenexis-developed process they call a Security PHA Review (SPR, pronounced spur). The book is clear, well-written and concise.

A SPR can be done as part of the PHA or after an existing PHA. The key is that it leverages the work of the PHA. It really is as simple as determining if the initiating event is “hackable”. If yes, are all of the safeguards hackable? If yes, is the consequence above the accepted risk level? If yes, then either put in an un-hackable safeguard or select and implement the company-determined appropriate IEC 62443 Security Level (SL).

You may be asking why you need to spend $89 for this simple process, and whether it would be better if this book were $29 and available on a Kindle. My answer is that the process information and examples will be great learning for everyone on the IT / IT Security side. You can tell that Ed, Jim and the Kenexis team have done a lot of PHAs and come to security from the engineering and automation side.

My only concern with the SPR is the reliance on the 62443 SLs. This is to be expected in a book published by ISA, and there aren’t a lot of simple ICS (or IACS in ISA speak) security level alternatives. If you follow the SPR process, a High consequence deviation that could result in a single fatality and up to $50M of loss could be mitigated by deploying SL2 security controls. SL2 allows remote access from an untrusted network with username/password credentials. The gap between SL2 controls and SL3 controls is significant. That said, the authors do urge the reader to look for an un-hackable safeguard before assigning and accepting an SL as the risk mitigation. And an asset owner can set their own mappings of required security controls to consequence levels.
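As an added illustration of the SPR screening questions described above and of the consequence-to-SL mapping just discussed, the following small Python model walks constructed PHA rows through the questions in order. This is example code written for this review, not from the book or Kenexis; the scenario rows, the tolerance criteria and the OWNER_SL mapping are constructed, and BOOK_SAMPLE_SL encodes only the High-to-SL2 reading stated above.

```python
from dataclasses import dataclass, field

@dataclass
class Safeguard:
    name: str
    hackable: bool  # could a cyber attack defeat this protection layer?

@dataclass
class Scenario:
    deviation: str
    initiating_event: str
    ie_hackable: bool       # can a cyber attack trigger the initiating event?
    consequence: str        # "Low" or "High" in this constructed example
    safeguards: list = field(default_factory=list)

# Constructed risk tolerance: which consequence levels exceed accepted risk.
ABOVE_TOLERANCE = {"Low": False, "High": True}
# Consequence -> required IEC 62443 SL. BOOK_SAMPLE_SL reflects the review's
# reading of the book's sample (High -> SL2); OWNER_SL is a constructed
# stricter mapping an asset owner might set instead.
BOOK_SAMPLE_SL = {"High": 2}
OWNER_SL = {"High": 3}

def spr_screen(s, sl_map):
    """Ask the SPR questions in order and return the screening outcome."""
    if not s.ie_hackable:
        return {"deviation": s.deviation, "action": "no cyber action"}
    fixed = [g.name for g in s.safeguards if not g.hackable]
    if fixed:  # at least one safeguard cannot be defeated by cyber means
        return {"deviation": s.deviation, "action": "no cyber action",
                "non_hackable_safeguards": fixed}
    if not ABOVE_TOLERANCE[s.consequence]:
        return {"deviation": s.deviation, "action": "accept risk"}
    return {"deviation": s.deviation,
            "action": "add non-hackable safeguard or implement SL",
            "required_sl": sl_map[s.consequence]}

# Constructed sample PHA rows, not taken from the book.
SCENARIOS = [
    Scenario("Vessel overpressure", "Pressure controller output driven high",
             True, "High", [Safeguard("SIS high-pressure trip", True),
                            Safeguard("Mechanical relief valve", False)]),
    Scenario("Reactor high temperature", "Setpoint changed through the DCS",
             True, "High", [Safeguard("DCS alarm and operator response", True),
                            Safeguard("SIS high-temperature trip", True)]),
    Scenario("Loss of feed flow", "Pump bearing failure", False, "Low"),
]

def screen_all(sl_map=BOOK_SAMPLE_SL):
    return [spr_screen(s, sl_map) for s in SCENARIOS]
```

Calling `screen_all(OWNER_SL)` shows how the same screening result changes its required SL when the asset owner substitutes a stricter mapping.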

The Good: The 16 pages in Chapter 7: Security PHA Review Examples are the best part of the book, and those with experience in ICS security will quickly grasp the SPR.

  • Chapter 1: Introduction is also excellent and a must read (so if time is limited, read Chapter 1 and then Chapter 7).
  • Chapters 4 and 5 describe the PHA and SPR respectively. Chapter 4 explains a lot of the acronyms you will hear in plants, such as HAZOP, FMEA, and P&IDs.
  • Chapter 6: Non-Hackable Safeguards is important for the hacker/researcher/IT security professional who mistakenly says with confidence, “I can cause x to blow up.”
  • Appendix C: Sample Risk Tolerance Criteria is worth reading, with the caution that it is a “sample” and not necessarily what you should adopt.

The Bad: There really wasn’t anything terrible in this book. The only item I found myself disagreeing with in an important way was the contention, made multiple times in the book, that the reason there have been very few cyber incidents resulting in high-level physical consequences was the safeguards. While safeguards are typically underestimated by the ICS security community, the threat agents (the attackers) have not been focusing on engineering and automation or attempting to cause high consequence physical attacks. There are many processes where not all safeguards are un-hackable, and books like this should help address that.

Chapter 2 on IEC 62443 was very brief and not helpful after the information given in Chapter 1. There is more information in Appendix D. Given the importance of the SL in mitigation, more information on the level of rigor in each SL, the selection process, customization of SLs and alternatives to the 62443 SLs should be in this book.

Chapter 3 is quite negative on the Cyber PHA / Cyber HAZOP. The book’s description of the Cyber PHA doesn’t match the Cyber PHAs I’ve participated in as an outside SME. Those Cyber PHAs were closer to this book’s SPR process. Perhaps there are many Cyber PHA methodologies, but if the specific method can’t be referenced, the general category shouldn’t be denigrated.

Chapter 8: Conclusions seemed to end the book with a whimper, essentially a repeat of much of Chapter 1. It’s only 4 pages, so not a huge problem; it’s more of a lost opportunity to end strong.

The Ugly: The book should be available in e-book form and on Amazon. This is another case where good and useful content is limited by ISA’s old school business practices.