Bringing cyber process hazard analysis to the digital era

This issue is becoming all too real. Incidents of ransomware attacks on OT networks have been multiplying, soaring five-fold from 2018 to 2020. Out of these, manufacturing entities comprised over one-third of confirmed ransomware attacks on industrial organizations, followed by utilities, which made up 10 percent.² The estimated global cost of these ransomware attacks has skyrocketed and has been predicted to reach USD20 billion in 2021— up from USD325 million in 2015.³ Operational disruption due to ransomware in OT environments has seen a 23-fold increase. In 2020, there was a 32 percent increase in ransomware attacks against energy and utilities organizations.⁴

Over time, ransomware attacks have become more sophisticated and have changed to achieve their ends by different methods. Additionally, these kinds of attacks have increasingly targeted ICS environments like oil & gas and manufacturing.

Ransomware attacks are just one feature of a complex and increasingly aggressive threat landscape that organizations should protect themselves against. This includes:

Evolving threat actors

Cybercriminals are adapting, diversifying and behaving more like state actors. Criminal operations are changing their tactics to reduce risks of detection and increase disruptions. They are attempting to maximize the return on their effort in several ways such as: shifting away from partnerships to operating within close-knit syndicates; taking advantage of the increased availability of ICS information to launch attacks; increasing the precision of targeting by using legitimate documents to identify likely victims before delivering malware; or selling and buying direct access to networks for ransomware delivery rather than carrying out advanced intrusions.

Targeted ransomware

There is a complex range of motives at play in targeted ransomware attacks. While the motivation behind an attack may appear to be financial, there may be hybrid motives at work – a combination of financial, ideological and/or political drivers. Regardless, such attacks have the potential to impact the availability of ICS/OT. While the ransomware threat remains, organizations should ensure they take adequate measures to prepare, prevent, detect, respond, and contain a corporation-wide ransomware attack.

Supply chain threats

Improved ecosystem hygiene is pushing threats to the supply chain, turning friends into enemies. The global interconnectedness of business, the wider adoption of traditional industry cyberthreat countermeasures and improvements to basic cyber security hygiene appear to be pushing cyberthreat actors to seek new avenues to compromise organizations, such as targeting their supply chains—including those for software, hardware and the cloud.

Life after meltdown

Vulnerabilities in ICS/OT infrastructure demand tuned/targeted solutions to prevent impact to availability. The discovery of vulnerabilities in proprietary process control hardware such as programmable logic controllers (PLCs), in recent years combined with the use of commercial software and hardware used for human machine interfaces (HMIs), Engineering Workstations, and ICS supporting systems such as Historians, have an impact on system availability increasing the risk to organizations which could lead to loss of life.

Compromising geopolitics

As new threats emerge from disinformation and technology evolution, global businesses may find themselves in the crosshairs as geopolitical tensions persist. Cyberthreat actors may not only sustain current levels of activity but also take advantage of new capabilities as new technologies enable more sophisticated tactics, techniques and procedures (TTPs) which are focused on ICS/OT environments.⁵

As a result of these factors, expansion of traditional PHA is required to protect process control performed in the ICS/OT domain. This need is made more acute because safety system communication is becoming integrated into the ICS/OT domain as these systems become more digitized and connected. If the interconnected safety system is compromised, the ability to control a runaway process is compromised – potentially leading to environmental and operational hazards, and even loss of life. And with control and safety systems becoming more converged with IT systems, a cyber breach into IT could then more easily spread into the ICS/OT domain as well.

That is why additional Cyber PHA is needed, to address the cyber risks and threats that now characterize today’s industrial landscape. Welcome to cyber PHA.

In an ideal world, the first step is to ensure that your ICS/OT domain is cyber resilient through network segmentation. This involves segmentation of the network into zones and conduits, and a distinct boundary between IT and ICS/OT domains. This is the premise of IEC 62443, a series of standards to guide on secure ICS/OT. It covers general guidance, policy and procedures, system technology and design, as well as component requirements. In any event, regardless of whether formal network segmentation is in place, there should be a focus on bolstering cyber resiliency such that operations can continue to function even if a threat actor has penetrated the perimeter of a network.

A cyber PHA can help identify, verify, and design ICS/OT domain boundaries. The Cyber PHA is a safety-oriented methodology to identify and assess cyber risk for ICS/OT domains and safety instrumented systems (SIS). It usually follows a methodology similar to a HAZOP (hazard and operability study) but adapted for cyber specifically – to be known as CHAZOP.

A cyber PHA is typically performed in phases, is scalable, and can be applied to individual systems, or entire facilities or enterprises. There are six key phases:

1. The site personnel and threat assessor - the Hazard and Operability team (HAZOP) should align and agree on the focus area that will be assessed.
2. Gather information about the OT components with the OT network and the SIS, and its connections to identify vulnerabilities.
3. Analyze the data and document potential vulnerabilities that may be exploited during a cyber event.
4. Conduct a cyber PHA workshop where information is gathered, analyzed and integrated with threat scenarios to develop a complete picture of risks.
5. Once the cyber PHA is completed, a broad report is produced showing the risks to the ICS/OT domains and SIS, and a plan to mitigate risks to the organization’s acceptable level.
6. An effective remediation plan includes a prioritized list of actions, budgetary estimates, schedule, and resource requirements, which together can provide appropriate levels of resiliency.

An ideal scenario would see a cyber PHA carried out as a follow-on shortly after a traditional PHA, building on its findings to identify and address cyber issues.

The outcome of the hazard and risk analysis should identify potential hazards and vulnerabilities while providing actionable risk themes facilitating practical recommendations for implementation. Although the cyber security threat landscape is continually changing, there are general classifications of potential threat agents or sources for an organization to consider:

1. External attack - technical
2. Internal attack - non-technical
3. Internal misuse and abuse
4. Unauthorized access
5. Compromise of information (Logic Mod)
6. System malfunction
7. Process interruption
8. Safety system interruption
9. Human error
10. Unforeseen effect of changes

A detailed cyber security roadmap can be developed and broken into summarized key quick wins, multiple short-term remediations, and long-term strategic alignments to align OT and IT security programs.

There are multiple potential benefits to be gained from conducting a cyber PHA. Most obviously, ensuring system availability by removing system cyber risk. But a cyber PHA can also benefit an organization’s broader business practices. Applying a cyber PHA methodology documents an organization’s business processes and requires the creation of ICS/OT aligned information security policies, procedures, standards and controls with organization objectives.

• Clearly defined articulation of the information security strategy based on organization and business unit objectives.
• Engineering knowledge defined and aligned security controls based on risk and business objectives.
• Confident effective staffing resulting from established roles and responsibilities.
• Interconnected system cause and impact identification facilitating vulnerability and risk management.
• Targeted and prioritized cyber response and incident management.
• SecOps defined metrics, reporting, and technology requirements to help meet business objectives.

A cyber PHA also gives organizations the visibility from a cyber point of view that can be leveraged to expedite ICS/OT and IT convergence, thus helping achieve what is rapidly becoming a key strategic aim for many businesses. ICS/OT and IT convergence has the potential to create and streamline the exchange of data facilitating business operations. But cyber risks are hindering this IT/OT convergence – so carrying out a rigorous cyber PHA that helps identify operational risk, required mitigations, and residual risk, can provide the data to give management confidence in pursuing the convergence agenda.

But cyber PHA is not only a matter of potential business benefits and best practice – it is also coming onto the regulatory radar and may, in varying shapes and forms, become mandatory in the coming years.

Indeed, in Saudi Arabia the National Cyber Authority has already launched a new regulatory framework for Operational Technology which includes a specific revision that oil and gas and other circuital infrastructure entities should conduct formal process hazard analysis which should include, as a minimum, qualitative analysis of cyber risks.⁶

If this becomes adopted into the framework, it will effectively be making cyber PHA a mandatory regulatory requirement – and that could take effect later on this year.

Meanwhile in the U.S., new measures have been introduced by the Department of Homeland Security (DHS) in the wake of last year’s Gas Pipeline cyberattack which disrupted the flow of gasoline and jet and diesel fuel along the East Coast. The DHS issued two Transportation Security Administration (TSA) Security Directives that feature a number of measures that owners and operators of critical oil & gas pipelines must implement.⁷ The first directive features guidance around cyber security incident reporting, the appointment of an organizational cyber coordinator, and gap assessment. The second directive is the one that really has teeth, requiring specific mitigation measures, a formal cyber security contingency and response plan, and an annual review of cyber security architecture.

These requirements, that also include the need to carry out an analysis of network traffic in OT systems, can almost be regarded as ‘cyber PHA-lite’. What DHS is really asking of these companies is to quickly gain an appreciation of the unique systemwide cyber security components and communications, as well as the interdependencies of IT and OT and the protections that are, or are not, in place.

Elsewhere, the International Electrotechnical Commission (IEC) 61511 Functional Safety standard now requires a SIS security risk assessment. The updated report summarizes the risk assessment procedure called cyber PHA. The link to PHA here is a step in the risk assessment to firstly, review the output of the PHA to identify worst-case health, safety, security, and environment (HSSE) consequences for the asset and secondly, to identify any hazard scenarios.

Another example comes from the User Association of Automation Technology in Process Industries (NAMUR), who have already published a worksheet (NA 163) titled “Security assessment of SIS.” Here, a cyber PHA methodology can be used to assess the risks linked to identified cyber security escalation factors and recommended mitigations to reduce risks to a certain level. By creating a bridge between PHA methods and cyber security risk assessment methods, safety systems become more robust against cyber security attacks.

In short, the direction of travel is towards more formalized regulatory requirements around the cyber-related aspects of operational safety – the very area that cyber PHA is designed for. At present, there may be few jurisdictions who are explicitly moving in a cyber PHA regulatory direction, but the number may quickly grow. In addition, due to the global and inter-connected nature of the energy and natural resources industry, requirements in one jurisdiction are likely to be felt elsewhere by others. If a supermajor operating in Saudi Arabia, for example, becomes required to conduct a cyber PHA, then it may ask the partner organizations it works with in other parts of the world to carry one out too. A rising tide lifts all boats after all!

KPMG firms have already helped a number of clients by leading and performing a cyber PHA. Our multidisciplinary teams with extensive sector experience work closely with CISOs, CTOs and Risk teams at a corporate level, as well as Plant Managers, Operations, and other ICS/OT domain key stakeholders.

For example, we helped one firm’s client who needed to standardize its processes across a heterogenous environment of systems across multiple vendors, bringing all to the same operating security level. Following a gap assessment and stakeholder interviews, we conducted an analysis based on cyber PHA as part of the response alongside other technical security assessments, the design of zones and conduits for two different types of ICS network, and the design of monitoring dashboards to better understand risk exposure.

If you would like to discuss any aspect of a cyber PHA and how it relates to your broader IT and OT security posture, please don’t hesitate to get in touch. After all, the signs are that cyber PHA requirements are coming down the pipe and may soon be expected of increasing numbers of industrial players.