Something Your Team Can Do During This April Work From Home Time
Many asset owners have only the minimal staff on site required to continue ICS-related operations, and have put projects on hold until the full staff can return. That means the non-essential staff are working from home part time or full time, often with open time on their schedules. A good use of this time is to dig into the consequence side of the risk equation.
There are a number of methodologies that do this, such as the Cyber PHA, Security PHA, or, most famously and still sparsely documented, INL's Consequence-driven, Cyber-informed Engineering (CCE). These methodologies are time-consuming, full-on approaches, and most asset owners can apply the 80/20 rule and get most of the benefit with a much lighter time and resource investment.
It really is a simple three step process that your engineers and technicians can do remotely with some individual thought and a few online sessions.
1. Identify the high consequence events related to the physical process being controlled and monitored.
Many organizations have already done this as part of a process hazards analysis (PHA) or in the risk management system. What could cause a large financial impact? Affect customers in a major way? Cause loss of life? Cause significant environmental damage?
As I discussed with Thomas Parenty in a recent podcast, you need to think about this from a business risk perspective. A plant being down for two months may seem like a high consequence event to the person in charge of keeping that plant running, but it could have a small impact on the company as a whole.
2. Identify if a cyber incident or cyber / physical incident could cause a high consequence event identified in Step 1.
In this quick and dirty analysis, keep the assumptions simple. Assume that an attacker with applicable engineering and automation knowledge, like the people doing this analysis, is in the ICS zone and can do anything your top talent could do in that zone. It is a variation of the discussion you have probably had, or at least thought of: if I really wanted to cause trouble, I would do X or Y.
3. Identify a “non-cyber” way to prevent the consequence even if the attacker had the access and skill required to achieve what was dreamed up in Step 2.
The knee-jerk reaction for those of us with a cybersecurity background is to first look for security controls to reduce the likelihood of the attack succeeding. Don't do that in this exercise. Here you want to identify a way that the consequence can't happen, regardless of what the attacker does inside the ICS. I provide a factory example in this video.
Some of the more common methods are a safety or protection device that has no cyber component, the ability to move to manual operations to prevent the really bad thing from happening, manual operations over a sustained period of time, cold standby systems or other methods to speed recovery, increased critical sparing, and separating the safety system from the ICS (the lesson of Triton).
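To make the three steps concrete, here is an added example (not code from the original post or any of the named methodologies) of the consequence register the team ends up with and the arithmetic behind the "worst they can do is X" number. Each event carries the Step 1 business impact, the Step 2 answer (can an attacker in the ICS zone cause it?) and the Step 3 answer (is there a safeguard with no cyber component?). The cap is simply the largest impact among events that are cyber-reachable and still lack a non-cyber safeguard. The event names, dollar figures and safeguards in `SAMPLE_REGISTER` are constructed for illustration, and the function names are my own.

```python
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class HCE:
    """One high consequence event from Step 1 with the answers from Steps 2 and 3."""
    name: str
    impact_usd: float                   # Step 1: business-level impact, not plant-level
    cyber_reachable: bool               # Step 2: could an attacker in the ICS zone cause it?
    non_cyber_safeguard: Optional[str]  # Step 3: safeguard with no cyber component, or None


def residual_events(register: List[HCE]) -> List[HCE]:
    """Events an attacker with full control of the ICS could still cause.

    An event drops out if the ICS cannot cause it (Step 2) or if a non-cyber
    safeguard stops the consequence no matter what the ICS does (Step 3).
    """
    return [e for e in register if e.cyber_reachable and e.non_cyber_safeguard is None]


def consequence_cap(register: List[HCE]) -> float:
    """The 'even with complete control of our ICS, the worst they can do is X' number."""
    return max((e.impact_usd for e in residual_events(register)), default=0.0)


def prioritized_gaps(register: List[HCE]) -> List[str]:
    """Residual events ordered by impact: where to look for a non-cyber safeguard first."""
    ranked = sorted(residual_events(register), key=lambda e: e.impact_usd, reverse=True)
    return [e.name for e in ranked]


def with_safeguard(register: List[HCE], event_name: str, safeguard: str) -> List[HCE]:
    """Copy of the register with a proposed non-cyber safeguard recorded on one event."""
    return [replace(e, non_cyber_safeguard=safeguard) if e.name == event_name else e
            for e in register]


# Constructed sample register; events, dollar figures and safeguards are illustrative only.
SAMPLE_REGISTER = [
    HCE("Reactor overpressure and rupture", 50_000_000, True,
        "Mechanical relief valve sized for full heat input"),
    HCE("Plant outage of two months", 8_000_000, True, None),
    HCE("Off-spec product shipped to customers", 3_000_000, True,
        "Manual lab sample required before release"),
    HCE("Tank overflow with environmental release", 12_000_000, True, None),
    HCE("Crane collapse", 20_000_000, False, None),  # not controlled or monitored by the ICS
]


if __name__ == "__main__":
    print(f"Consequence cap with full ICS control: ${consequence_cap(SAMPLE_REGISTER):,.0f}")
    for name in prioritized_gaps(SAMPLE_REGISTER):
        print(f"  needs a non-cyber safeguard: {name}")
    proposed = with_safeguard(SAMPLE_REGISTER, "Tank overflow with environmental release",
                              "Independent high-level switch hard-wired to the inlet valve")
    print(f"Cap after proposed safeguard: ${consequence_cap(proposed):,.0f}")
```

Two things worth noticing in the sample: the largest event on the register (the reactor rupture) does not set the cap because its mechanical relief valve works without the ICS, and the 20 million crane collapse does not set it either because Step 2 ruled the ICS out as a cause. The cap is driven by the 12 million tank overflow, and recording a hard-wired high-level switch against it drops the cap to the 8 million outage, which is the kind of before-and-after number that is easy to defend to executives without arguing about likelihood.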
I've found that engineering and technician teams have achieved huge risk reduction at small cost with this approach. It has the added benefits of capping the consequence and providing a much more solid, defensible number than trying to estimate likelihood. It is great to be able to go to executives and say: even if the bad guys have complete control of our ICS, the worst they can do is X.
At some point you may choose to do a full Cyber PHA or CCE. Those more structured approaches will likely identify cases (the 20% in the 80/20 rule) you miss in this looser, ad hoc approach. Still, this is a great time for a small team with some rare free time on their hands to do a quick and dirty analysis with a potentially big payoff in risk reduction.