Innovation often happens when different disciplines share knowledge. We’re seeing this today with increased interactions between the risk management, industrial cybersecurity, and process safety disciplines. Risk-based approaches are at the heart of the process safety lifecycle and end users are becoming increasingly interested in applying these same principles to cybersecurity in industrial process environments. The cyber threat environment for end users is becoming increasingly complex. Leading industrial organizations understand that they require key performance indicators for risk that address both their operational and cybersecurity requirements.
At the same time, the Industrial IoT and digital transformation are providing end users with unprecedented access to millions of previously unavailable data points. Turning this data into useful information, however, is another matter. Information must be provided to the right people, when they need it, in context, and in a way that is both easy to understand and actionable.
ARC Advisory Group recently met with PAS, a provider of process safety, cybersecurity, and asset reliability solutions, to discuss that company’s approach for a new unified information management system that can integrate key process safety and operational metrics with industrial control systems (ICS) cybersecurity metrics. This creates a common view of risk in real time, allowing end users to address emerging issues before they can result in unplanned downtime or an incident.
Risk-based Approaches: From Process Safety to Cybersecurity
Measurement of risk and the adoption of risk-based frameworks and models are coming to the forefront as a way to measure overall levels of cybersecurity preparedness and protection. Cyber insurance companies, in particular, are interested in being able to quantify levels of cybersecurity maturity or competency within a given company to be able to determine overall risk before issuing a policy. But industrial companies also use similar approaches when implementing cybersecurity solutions.
A wide range of supplier companies are converging on this space. These include engineering service providers, process safety lifecycle management suppliers, cyber insurance companies, consulting companies, Big Data and analytics software suppliers, standards bodies, and government regulators. There is no single standard or model for measuring risk as it relates to cybersecurity in industrial organizations. Cyber insurance companies are either developing their own methodologies or using partners with their own models, scoring systems, and evaluation capabilities.
Companies Turn Process Safety Expertise to Cybersecurity
One very good source of knowledge regarding risk as it relates to industrial operations is the discipline of process safety. The market for process safety lifecycle management, for example, is rapidly growing. Suppliers in this space are taking their knowledge in providing process hazard analysis and risk management and are applying it to the world of ICS cybersecurity. There is no room for error in the world of process safety, which governs extremely hazardous production processes that present a great risk to human life and the environment. Process safety isn’t just about implementing safety instrumented systems (SIS) – it incorporates a continuous lifecycle approach that starts with conceptual design and risk analysis.
Safety lifecycle management in general continues to be a big issue in process plants, driven largely by the need to conform to current standards and best practices like ISA 84 and IEC 61511. The primary goal of these standards and practices is to develop a continuous improvement approach to safety system management and ease the burden on end users so they better understand the safety status of their assets and can act appropriately.
Integrate for the Big Picture
Process safety lifecycle management can be viewed as a subset of overall operational risk within an organization. Process safety lifecycle solutions should not only be integrated within the process safety realm, but also facilitate integration with enterprise-wide operational risk evaluation offerings that allow the company to evaluate vulnerabilities across the organization.
Consider the Overlap Between Process Safety, Cybersecurity, and Alarm Management
Process automation end users should strive to conform to the international standards for process safety, cybersecurity, and alarm management, respectively. End users should also be aware of the overlap between these disciplines. Each has its own lifecycle that must be managed continuously. The interrelationships between safety, cybersecurity, and alarms affect multiple facets of both process safety and cybersecurity lifecycles. Managing these lifecycles can be a real challenge for end users.
Even if you work for a smaller company that’s short on resources, ARC recommends you “do your homework” and gain a familiarity with alarm management, cybersecurity, and safety standards, because all are critical for safe plant operations and operational excellence. Even some of the larger end user companies that have good discipline in these areas at the corporate or central engineering level don’t always do well ensuring this finds its way down to the plant or operations level.
A Unified and Actionable View of both OT and ICS Cybersecurity Risk
ARC recently met with PAS to discuss how that company is leveraging its knowledge in process safety lifecycle management, alarm management, and cybersecurity to create a common, real-time view of operational risk and ICS cybersecurity. According to ARC research, PAS is the leading supplier of safety lifecycle management solutions as well as the leading independent supplier of alarm management solutions.
From Alarm Management and Safety Lifecycle Management to Cybersecurity
PAS was already an established supplier of alarm management and safety lifecycle management solutions when it entered the ICS cybersecurity space several years ago with its Cyber Integrity Management solution designed specifically for operational technology (OT) cybersecurity management applications. The product supports continuous vulnerability management for a broad range of level 0, 1, and 2 cyber assets.
Building asset inventories for proprietary control system components automatically is a key feature of PAS Cyber Integrity. It is designed to automate discovery, collection, and management of information. This includes detailed configuration data for industrial control system elements like DCSs, PLCs, safety systems, and I/O cards for all major control systems, regardless of vendor. Cyber Integrity displays all vulnerabilities across the entire environment and enables users to filter and quickly identify vulnerabilities by plant, unit, area/zone, or individual asset. The solution also includes customizable vulnerability management dashboards.
From Vulnerability to Cyber Risk Management
PAS has recently been working to leverage its experience with OT risk management to develop a solution that monitors cyber risk for OT assets in real time. Using existing standards such as the NIST Framework and the IEC 62443 standard, PAS is developing effective KPIs for cyber risk management. By incorporating this capability into its Cyber Integrity solution, PAS can provide a simultaneous real-time view of both operational and cyber risk.
This unified view enables risk to be reduced to acceptable levels across a plant or an entire global manufacturing enterprise. Risk-based dashboards can provide a display that rolls up facility or enterprise cyber and operational risk with role-based reporting capabilities. This helps ensure that people in different parts of the organization get only relevant and actionable information.
Operational risk includes elements such as safety system activations, overall operator performance, alarm metrics, independent protection layer (IPL) status, and overall control system performance. Elements of cyber risk incorporated by PAS include identified cyber vulnerabilities, deviations from configured baseline, and compliance with defined security frameworks like the NIST Framework, NERC Critical Infrastructure Protection (CIP), and IEC 62443 standard. The solution can also be used to define and provide leading indicators defined in American Petroleum Institute (API) Recommended Practice (RP) 754.
Conclusions and Recommendations
Managing risk and adopting a risk-based approach to cybersecurity is increasingly necessary in the age of IT/OT convergence. There is already a proliferation of risk-based services and risk-based approaches to cyber insurance, engineering, and design throughout the industrial and critical infrastructure segments. Most companies have their own methodologies for assessing risk and ARC has seen few that appear to focus on manufacturing, infrastructure, or smart cities.
In ARC’s view, end users should be asking themselves some key questions when it comes to managing cyber risk. Do you have clear visibility into your current levels of OT cybersecurity risk? How is your current OT cybersecurity program mitigating or managing your risk today? What metrics are you measuring/tracking today relative to OT cybersecurity risk? How do you determine the impact of a publicly released ICS vulnerability? How do you know that changes made to ICS assets are authorized? How do you measure compliance with your OT security framework? (NIST, NERC CIP, ISA/IEC 62443, etc.)?
New solutions such as the PAS Cyber Integrity could help make it a lot easier to answer many of the above questions.
If you would like to buy this report or obtain information about how to become a client, please Contact Us
Keywords: Risk Management, ICS Cybersecurity, Process Safety, PAS, ARC Advisory Group.