Often, the same attitude applies in the other process industries. Cusimano notes, "Many unscrupulous vendors will sell them [end users] anything, and claim it will deliver compliance. It is still not recognized that ICS insecurity can lead to safety incidents."
Weiss points out, "The NERC CIPs would not have prevented a Stuxnet-style attack on our power industry critical infrastructure."
So What Do We Do?
Dow's Cosman says the best way to incorporate security into functional safety is to adopt the ISA99 standard. Cusimano agrees. "We recommend starting with a control system security assessment or gap analysis," at the same time you update your safety HAZOP. "Your analysis should be based on relevant standards and best practices such as ISA99. The next step is to perform detailed risk analysis or threat modeling to understand the highest risk vulnerabilities."
Here is where the two analyses should merge. In an operating process plant, the highest-risk vulnerabilities have little to do with the data in the servers or the plant manager's emails. These vulnerabilities are in the control system and the safety instrumented system, which, if compromised, could shut down the plant, or worse. As the Stuxnet malware proved, this kind of attack doesn't have to come through the network. There were apparently several attack vectors, but the most significant one for Stuxnet was a targeted "candy drop" of infected USB memory sticks in the parking lot of the plant. Users bypassed any network security measures and plugged the USB sticks directly into the engineering workstations and the process control computers.
A Functional Security Analysis
Weiss talks about how to do a functional security analysis. "A functional security analysis requires senior management buy-in to be successful."
Then, he says, do a detailed assessment of the ICS security measures that have been documented as being in place. That means finding out what measures and systems you think you have.
Next, determine what you actually have, not what you think is there. When such assessments have been done, hidden, forgotten modem connections into the control system often turn up. The recently increasing usage of smart phones and tablets needs to be considered as both a safety and a security issue, too.
Next, Weiss says, you have to determine what is connected to what and how. Only then will you be clear what the potential cyber issues are.
Then you need to determine how secure you really are. That means finding out if known security issues, such as patching, have been addressed within the context of equipment availability. If plant conditions do not allow for security implementation, determine what work-arounds have been implemented, so you can continue to operate with insecure equipment.
Weiss says that you have to recognize that plants will be hit. You have to develop a recovery plan. This is where ISA106, Procedural Automation for Continuous Process Operations, intersects ISA84 and ISA99.
Finally, ask the many-billion-dollar question: What probability would you assign to a successful cyber attack on a process plant? In other words, how worried should you be, and how much money and manpower should you throw at this problem?
Weiss succinctly responds, "There have been more than 200 actual control system cyber incidents to date (malicious or unintentional). There have been successful cyber attacks on process facilities (more than just Stuxnet). Risk is frequency times consequence. Since there are minimal control system cyber forensics and minimal information sharing, the probability is difficult to estimate, but since you can expect to have cyber-related issues eventually, the probability should be 1!"