Last week you identified the high consequence events related to the industrial process being monitored and controlled in OT. This week you learn what is in place to prevent these high consequence events. The engineers who designed the process are again your primary source of information.
Operators and automation logic are in place to prevent the really bad things from happening. This is only one of their many tasks, and they may make an error or not identify and stop everything that could lead to a high consequence event.
If the consequence is high enough, engineers will typically add safety or protection devices and systems whose only job is to prevent the really bad thing from happening. This can be as simple as pressure relief valves or protective relays. It can also be a complex safety instrumented system (SIS), or there could be soft interlocks in a PLC or controller.
Your task this week is to talk to the engineers and learn:
1. What safety or protection devices or systems are in place to prevent the high consequence events identified last week?
2. For each device or system identified in #1, is there a cyber component that can be modified or disabled to prevent the safety or protection from performing its task?
3. For each case where the answer to #2 is yes, could a compromise of the OT environment allow an attacker to have network access to the safety or protection component?
You are trying to determine if the safety or protection measure can be disabled or rendered ineffective if the OT environment is compromised in a cyber incident. Could an attacker who was on the OT network disable the safety or protection measure and use the compromised ICS to cause the high consequence event?
Approach the engineers with humility and an open mind. They have taken great care to prevent the identified high consequence events, and in most cases there has not been a high consequence event. You are asking about a new type of intentional, cyber adversary-based attack that the engineers did not consider.
It’s common in many industries for there to be a direct network connection between OT and safety or protection devices and systems, because they have not considered an intentional cyber attack. DCS are often directly connected to SIS. Soft interlocks for protection reside in the same PLC that performs control functions.
At the end of this week’s task, you should capture all safety and protection systems that could be disabled or prevented from operating properly if a cyber attacker has reached the OT zones. Assume you are facing a highly motivated and talented adversary who understands OT. If an engineer on OT could disable the safety and protection, assume that the attacker could as well.
| Protection or Safety Device / System | Cyber Component (Yes/No)? | Accessible From OT (Yes/No)? |
|---|---|---|
| | | |