PT Notes
Cyber Attacks on Computer Control Systems
PT Notes is a series of topical technical notes on process safety provided periodically by Primatech for your benefit. Please feel free to provide feedback.
Cyber attacks on computer control systems for processes represent a significant risk for companies. Such attacks could produce catastrophic consequences much greater than those possible for process safety incidents. Warnings of the possibility of such attacks have been issued for a number of years. The International Society of Automation (ISA) is engaged in an ongoing effort to produce the ISA-62443 series of standards, which address this subject.
Recently, hackers gained access to a Triconex safety system, which resulted in operations being halted at an industrial facility. The Triconex system is used in nuclear facilities, oil and gas plants, mining, water treatment facilities, and other plants to safely shut down industrial processes when hazardous conditions are detected. It is the first reported cyber attack on this type of system. Cyber experts have called it a watershed incident because it demonstrates how hackers might cause physical damage to a plant, or even kill people, by sabotaging safety systems.
Companies should perform security vulnerability analyses (SVAs) to identify possible threat scenarios for deliberate attacks in a similar way that process hazard analysis (PHA) studies are performed to identify possible hazard scenarios for accidents. Process facilities can be attacked physically as well as by cyber means so both types of threats should be addressed by SVAs.
An SVA for a facility endeavors to address these questions:
- Will a facility be targeted?
- What assets may be targeted?
- How may assets be exploited?
- Who will attack?
- How will they attack?
- What protection is there against an attack?
- What will be the consequences?
- Is additional protection needed?
The results of SVA studies are used to develop recommendations for new attack countermeasures or enhancements to existing countermeasures. The need for additional or improved countermeasures is determined based on the possible consequences, existing countermeasures, vulnerabilities, nature of the threat, and the risk reduction afforded by the proposed countermeasures.
Some practitioners believe that PHA can simply be extended to include threat scenarios. However, threat scenarios are much different from hazard scenarios, and the latter are not a good basis for extrapolating to the former. The events that make up threat scenarios would be viewed as incredible in PHA studies and usually will have far greater consequence severities. For example, a hazard scenario may involve the failure of a drain valve on a tank in a tank farm, causing a release. A threat scenario involving drain valves, however, would more likely involve the deliberate opening of multiple valves in order to cause a much more serious release. PHA and SVA studies should be conducted separately.
Cyber and physical SVA studies are described in:
Security Vulnerability Analysis (SVA): Protecting Process Plants from Physical and Cyber Threats, Security Risk Assessment in the Chemical and Process Industry, Genserik Reniers, Nima Khakzad, and Pieter Van Gelder (Editors), De Gruyter, 2018.
Copyright © 2018, Primatech Inc. All rights reserved.