Taking a process safety approach to cybersecurity risk management

Over the last decade the industrial sector has been dramatically impacted from the waves of frenzy brought about through big data, the IIoT and Industry 4.0. The latest evolution from these trends includes harnessing the opportunities created from machine learning, augmented/virtual reality and artificial intelligence. These concepts continue to pervade boardrooms and quickly become strategic objectives for organisations to gain an edge and remain competitive. This means that more money is being allocated to IT and OT infrastructure than ever before — a welcome opportunity for many ageing industrial sites.

In the most recent downturn of commodity prices, several final investment decisions on many of these infrastructure projects were delayed. The additional strain on bottom lines caused many companies to also consider the opportunity to consolidate their IT and OT functions to save cost. This consolidation created great opportunities, but as IT and OT infrastructure inevitably merged and monthly news articles about cyber attacks on facilities increased, it became clear that cybersecurity risks needed to be closely managed.

Many companies approached IT consultancy firms to help run risk reviews and develop mitigation strategies — which was a great start; however, in several instances that I have observed, consultants failed to effectively address the operational risk or impact practical site processes. In other cases, the mitigation outcomes only focused on getting similar IT infrastructure into the OT layer, such as firewalls, security information and event management and automated patch management. Critically, they neglected to address the greater lifecycle requirements that a secure OT infrastructure requires.

While every company typically has its own defined risk management process, some specific requirement for industrial cybersecurity should be considered. There are several published guidelines in the various frameworks — for example, NIST — and standards such as IEC 62443 that outlines these requirements clearly, based on the full lifecycle for industrial cybersecurity. It is important that these be adopted when these cybersecurity risk mitigation projects are executed, since OT has a distinctly different risk profile and lifecycle to that of enterprise IT.

Adopting a lifecycle risk management approach to industrial cybersecurity should not be hard for the industry to grasp because there are very strong parallels between industrial cybersecurity and those of process safety; however, the general pattern I have observed is that a disparity in the focus between them still exists even after a cybersecurity project is delivered.

A good test of a company’s maturity in this regard is to review a typical Management of Change (MOC) or Permit-to-Work (PtW) procedure. Does a cybersecurity risk assessment check exist, or is the expectation that this falls under the ‘other’ risks and left up to the individual to disclose? Would a PtW check of personal protection equipment be considered as ‘other’? Neither should the use of a USB device.

More equipment on sites now has the capability today to be networked through the enterprise layers. More contractors connect to site assets, directly and remotely, to complete their work — and the consequences continue to increase as attacks become more sophisticated and targeted. Therefore, effective lifecycle cybersecurity risk management will require a culture change and should utilise similar approaches to process safety relating to risk identification, assessment, mitigation, implementation and measurement, underpinned by continued awareness training.

Martin Van Der Merwe is passionate about automation, with a degree in Electronic Engineering and IT from the University of Johannesburg and over 17 years’ experience in the industry. He thrives on connecting clients’ challenges with solutions as the Director for Emerson’s Systems and Solutions in Australia and NZ.

Image: ©stock.adobe.com/au/Olivier Le Moal