Managing Cybersecurity in the Process Industries
eBook - ePub

Managing Cybersecurity in the Process Industries

A Risk-based Approach


About This Book

The chemical process industry is a rich target for cyber attackers who are intent on causing harm. Current risk management techniques are based on the premise that events are initiated by a single failure and that the succeeding sequence of events is predictable. A cyberattack on the Safety, Controls, Alarms, and Interlocks (SCAI) undermines this basic assumption. Each facility should have a Cybersecurity Policy, an Implementation Plan, and a Threat Response Plan in place. The response plan should address how to bring the process to a safe state when controls and safety systems are compromised. The emergency response plan should be updated to reflect the different actions that may be appropriate in a sabotage situation. IT professionals, even those working at chemical facilities, are primarily focused on the risk to business systems. This book contains guidelines for companies on how to improve their process safety performance by applying Risk Based Process Safety (RBPS) concepts and techniques to the problem of cybersecurity.

Part 1
Introduction, Background, and History of Cybersecurity

1
Purpose of this Book

Cybersecurity has quickly become an essential component in maintaining the safe and continued operation of industrial facilities. A survey of industrial control system operators in 2019 showed that 59% had experienced a cybersecurity incident in the past year [5]. The increase in cybersecurity incidents is not a phenomenon limited to a few specific companies or only the largest corporations. Over the last ten years, numerous attacks on automation systems, such as those listed in Figure 1‐1, continue to demonstrate that industrial facilities of all types and sizes are vulnerable to cybersecurity attack, and that these cyberattacks can have significant financial, environmental, and process safety related consequences [6].
[Figure] Figure 1‐1 Major Industrial Cybersecurity Events in the Last Decade
Over the past 20 years, the conversation has moved from “Who could possibly target control systems for a cybersecurity attack?” to a continuing discussion of the many recent breaches and attacks. What has led to this drastic increase in cybersecurity attacks on industrial control systems? The following list provides several factors that could account for this increase:
  • Increased interconnectivity of industrial control systems
  • Increased convergence of OT and IT systems
  • Increased use of Internet Protocol in OT applications
  • Increased requirements for remote access
  • Increased number of readily available hacking tools
  • Desire to target critical infrastructure for political motives
  • Increase in number of threat agents with skills to target control systems
  • Better identification of cybersecurity attacks
  • Increase in known software vulnerabilities
  • Increase in known vulnerabilities in legacy systems
  • Lack of sufficient cybersecurity awareness and training
  • Potential for significant financial gain
  • Desire to gain recognition of skills by targeting control systems
While no single cause drives the increase in cybersecurity attacks, it is likely that many of the factors in this list are contributing to the continually evolving cybersecurity landscape.
The purpose of this book is to introduce a risk‐based approach for Managing Cybersecurity in the Process Industries and to help organizations design and implement more effective cybersecurity management system programs that are aligned with existing process safety management systems. This approach includes methods for:
  1. Understanding cybersecurity risk for the process industry,
  2. Integrating cybersecurity management into the existing process safety framework, and
  3. Developing a path forward for the future of cybersecurity for the process industry.
The risk‐based approach helps to provide an optimum comparison between cybersecurity risk and process risk so that informed decisions can be made. Not all hazards and risks are equal, and it is important to focus time and resources on the higher risks. Cybersecurity risk for the process industry can vary greatly, from potential business impact arising from denial of service or ransomware to the devastating real‐world impact of a targeted attack that compromises process control and safety systems. The potential of cybersecurity attacks on the process industry to result in safety consequences represents a fundamental shift in approach from traditional IT cybersecurity concerns. Adopting this approach for cybersecurity will help all industries that manufacture, use, or handle hazardous chemicals or energy to:
  • Develop their approach to cybersecurity incident prevention.
  • Continuously improve their management system effectiveness.
  • Employ cybersecurity management for non‐regulatory processes using risk‐based design principles.
  • Integrate the cybersecurity business case into an organization's business processes.
  • Focus their resources on higher risk activities.
This approach for cybersecurity management builds on the Guidelines for Risk Based Process Safety (RBPS) [7] and the RBPS Management System Accident Prevention Pillars:
Table 1‐1 RBPS Accident and Cybersecurity Event Prevention Pillars

  RBPS Accident Prevention Pillars | Cybersecurity Event Prevention Pillars
  ---------------------------------|------------------------------------------
  Commit to process safety         | Commit to cybersecurity
  Understand hazards and risk      | Understand cybersecurity hazards and risk
  Manage risk                      | Manage cybersecurity risk
  Learn from experience            | Learn from experience
These pillars remain central for preventing cybersecurity incidents. Leveraging existing risk assessment and management techniques to address cybersecurity reduces the time required to deploy a robust cybersecurity program and improves the alignment between process safety risk management and cybersecurity risk management. The following considerations for cybersecurity outline key steps for addressing cybersecurity risk through the RBPS pillars.
Top management commitment to cybersecurity is a pre‐requisite to successful implementation. Without strong leadership and clear organizational commitment to improving cybersecurity, it is very difficult to make improvements. In addition to driving cybersecurity initiatives, management support is also helpful for establishing a robust cybersecurity culture. Cybersecurity culture is based on awareness (understanding of the cybersecurity impacts of employee actions) and hygiene (understanding of basic security best practices); with these two components in place, conscientious cybersecurity behavior can be promoted. After cybersecurity culture has been established, ongoing management support is critical for sustaining focus on cybersecurity excellence.
Organizations that understand cybersecurity hazards and risk are better able to allocate limited resources in the most effective way. Due to the many misconceptions about cybersecurity for the process industry, developing an accurate understanding of the potential risks is particularly important. This is a necessary step for incorporating cybersecurity risk into the business plan to lower the overall risk level of the organization and maintain safe and continuous operations.
Managing cybersecurity risk consists of multiple phases including the identification and analysis of cybersecurity risk, designing of cybersecurity protections, implementation of cybersecurity detection systems and procedures for responding to cybersecurity incidents, and recovering from cybersecurity incidents. Strategies such as implementing a cybersecurity lifecycle can help organizations to reduce unexpected downtime and decrease the potential for adverse cybersecurity impacts.
Learning from experience requires monitoring and acting on internal and external challenges. Common internal challenges include previous cybersecurity incidents and near misses, while external challenges include events at similar facilities, in similar industries, and involving similar technologies, as well as increased threat activity. Despite an organization's best efforts in implementing cybersecurity management, with the continually evolving threat landscape, cybersecurity attacks are more a question of “when” than “if.” Responding effectively to these situations and improving defenses for the future are critical aspects of cybersecurity management. An effective approach for learning from real world experience is to:
  1. Apply industry best practices
  2. Correct deficiencies identified from internal incidents
  3. Apply lessons learned from other organizations
Monitoring Key Performance Indicators (KPIs) for cybersecurity throughout the life of the facil...

Table of contents

  1. Cover
  2. Table of Contents
  3. Title Page
  4. Copyright
  5. List of Figures
  6. List of Tables
  7. Acronyms and Abbreviations
  8. Glossary
  9. Acknowledgments
  10. Managing Cybersecurity in the Process Industries
  11. Preface
  12. Part 1: Introduction, Background, and History of Cybersecurity
  13. Part 2: Integrating Cybersecurity Management into the Process Safety Framework
  14. Part 3: Where Do We Go from Here?
  15. Appendix A Excerpt from NIST Cybersecurity Framework
  16. Appendix B Detailed Cybersecurity PHA and LOPA Example
  17. Appendix C Example Cybersecurity Metrics
  18. Appendix D Cybersecurity Sample Audit Question List
  19. Appendix E Management System Review Examples
  20. References
  21. Index
  22. End User License Agreement