CHASE Computer Hazard and Security Evaluation © Process Safety Integrity & Andy Geddes 2019
CHASE
Computer Hazard And Security Evaluation: visualising cyber security vulnerabilities and risk
Andy Geddes | David Hatch
Back to basics
Cyber security is just another element of
◇ asset management
◇ process safety
◇ functional safety
Minimising harm from
◇ loss of containment
◇ loss of function
◇ loss of data (know-how)
OG0086 Note 3: "In order to defend a system, it is first important to know what is to be defended."
Process assets
◇ HAZID, HAZOP
◇ Asset Register
◇ BowTies
IACS assets
Major Accidents (MA) | Loss of Essential Services (LES)
Know what is to be defended
You can’t protect what you don’t understand
Cyber security management system
Focus on these activities (Ref OG-0086 Ed 2 Fig 1)
Process assets
All network details, risks, events and any resemblance to a specific site are coincidental...
... No animals were harmed in the making of this presentation
Process asset (tank) topology
[Figure: process asset (tank) topology. Inputs and outputs: Finaline, WLWG Pipeline, M/B Pipeline (North Line), T/K Pipeline (South Line), Road Tankers, Aviation Export Loading Gantry. Tank groups: HOSL East, HOSL West, BPA North, BPA Main; tanks numbered 4-8, 12, 301-304 and 910-915. Every asset carries a consequence indicator for MA (MAH/MATTE), LES (Loss of Essential Service), CR (Commercial & Reputational) and SE (Permanent Harm to People or Environment), each marked Applicable or N/A.]
Typical IACS assets | OG0086 Fig 3-3
Simplified IACS network and zones
[Figure: simplified IACS network and zones. Zones: Zone 01 PIZ (Corporate Network, with Corporate LAN and Internet), Zone 02 DMZ (IACS DMZ Switch), Zone 03 IACS PCN (Process Control Network), Zone 04 HMI-A, Zone 05 BPCS, Zone 06 SIS, Zone 07 SIS, Zone 08 HMI-A. Conduits are labelled with the zones they join: 01-02, 02-03, 03-04, 03-08, 04-05, 04-06, 04-07. Networks: Plant A Network (Proprietary Redundant), Unit 1 Fault Tolerant Ethernet (FTE), Plant A SIS Network Unit 1 FTE, Unit 7 Local Control Network. Nodes by zone: 01 FW, WF, LT, PC, SV; 02 FW, HS, TS; 03 DC, HC, SS, LS; 04 OWS, AS, PH, RT, EW, FE; 05 OWS, PLC, MCC, NI; 06 EWS, SIS, FW; 07 OWS, DSS, PLC, WL, FE; 08 WI1. Levels: Level 4/5 Corporate/Enterprise, Level 3.5 IACS DMZ, Level 3 IACS Operations Management, Level 2 IACS Supervisory, Level 1 IACS Control, Level 0 Sensors & Field Devices. Each zone is annotated with the process assets associated with it (e.g. HOSL West, 910-915, HOSL East, 301-304, the 06 EWS) and an MA | LES | CR | SE indicator; the overall zone status is shown as the ZONE Consequence.]
IACS zone importance and consequence
[Figure: the simplified IACS network and zones diagram again, with each zone now overlaid with two indicators: IACS Importance (Critical, Relevant or N/A) and Consequence (MA | LES | CR | SE, inherited from the process assets associated with the zone).]
Vulnerability | CAF vs. OG86
High level ranking against NCSC Cyber Assessment Framework elements (◇ as marked on the slide)
A. Managing security risk: A.1 Governance; A.2 Risk management; A.3 Asset management; A.4 Supply chain
B. Protecting against cyber attack: B.1 Protection policies and processes; ◇ B.2 Identity and access control; ◇ B.3 Data security; ◇ B.4 System security; B.5 Resilient networks and systems; B.6 Staff awareness and training
C. Detecting cyber security events: ◇ C.1 Security monitoring; ◇ C.2 Proactive security event discovery
D. Minimising the impact of cyber security incidents: D.1 Response and recovery planning; D.2 Lessons learned
Each element is ranked Achieved, Partially Achieved or Not Achieved.
Define and implement countermeasures
◇ determine which threats are relevant to each zone
◇ define the appropriate countermeasures
◇ every technical countermeasure should be allocated where relevant
Risk
◇ OG0086 acknowledges likelihood is difficult to predict and always evolving
◇ Infer likelihood based on vulnerability – more vulnerable suggests more likely to be attacked
Bowties | scenario and protection visualisation
Diverse defence in depth?
THREATS created or more likely!
BARRIERS defeated or degraded!
Are your other BARRIERS adequate?
Cyber bowties | BowTieXP
Bowtie fields: Threat; Countermeasure (Barrier); Category; Barrier Type
Threat verification and resolution
Is the threat credible or applicable?
Is the barrier Present, Absent, Unknown or Not Applicable?
Actions to be expedited
Threat and barrier evaluation
Effectiveness based on CAF scoring
Minimum lists: OG86 Table 5.1 and OG86 Table 5.2
Cyber zone risk
Score = f(Zone Consequence, Zone Importance, Zone Vulnerability); the Zone Vulnerability column comes from the Vulnerability sheet.

Zone Consequence   Zone Importance   Zone Vulnerability
                                     NA    PA    A
LES+MA             C                  5     4    3
LES+MA             R                  4     3    2
LES+MA             NA                 0     0    0
LES                C                  4     3    2
LES                R                  3     2    1
LES                NA                 0     0    0
MA                 C                  4     3    2
MA                 R                  3     2    1
MA                 NA                 0     0    0
N/A                any                0     0    0

LES - Loss of Essential Service     A  - Achieved
MA  - Major Accident                PA - Partially Achieved
N/A - Not LES or MA                 NA - Not Achieved
Zone Importance: C - Critical, R - Relevant, NA - Not Applicable
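The zone risk lookup above, combined with the consequence inheritance shown on the topology slides, as an added Python example that is not part of the CHASE presentation or its tooling. The tank assets, zone numbering, CAF outcome statuses and conduit map are constructed; the two rollup rules (the weakest CAF outcome sets the zone vulnerability, and a zone inherits the consequences of every zone it can escalate to through a conduit) are assumptions made for this example and are marked as such in the code.

```python
"""Zone consequence inheritance and the CHASE cyber zone risk matrix.

Added example, not code from the CHASE presentation. The assets, zone
numbering, CAF statuses, conduit map and the two rules marked ASSUMPTION
below are constructed for illustration.
"""
from collections import deque
from dataclasses import dataclass

MA, LES, CR, SE = "MA", "LES", "CR", "SE"   # consequence classes from the topology slides

# CAF status as used for the Zone Vulnerability column: Not Achieved, Partially, Achieved.
VULN_ORDER = {"NA": 0, "PA": 1, "A": 2}

# "Cyber zone risk" matrix: (zone consequence, zone importance) -> scores for (NA, PA, A).
# Importance NA or consequence N/A (neither LES nor MA) scores 0; handled in zone_risk().
RISK_MATRIX = {
    ("LES+MA", "C"): (5, 4, 3), ("LES+MA", "R"): (4, 3, 2),
    ("LES", "C"):    (4, 3, 2), ("LES", "R"):    (3, 2, 1),
    ("MA", "C"):     (4, 3, 2), ("MA", "R"):     (3, 2, 1),
}

@dataclass(frozen=True)
class ProcessAsset:
    name: str
    consequences: frozenset       # subset of {MA, LES, CR, SE} marked Applicable for the asset

@dataclass
class Zone:
    zone_id: str
    importance: str               # "C" critical, "R" relevant, "NA" not applicable
    caf_outcomes: dict            # CAF outcome id -> "A" | "PA" | "NA" from the vulnerability sheet
    assets: tuple = ()            # process assets controlled or protected from this zone
    conduits: tuple = ()          # zone ids an attacker in this zone can escalate to via a conduit

def reachable_zones(start: str, zones: dict) -> set:
    """Zones reachable from `start` by following conduits (attack escalation to connected zones)."""
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in zones[queue.popleft()].conduits:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def consequence_class(zone_id: str, zones: dict, follow_conduits: bool = True) -> str:
    """Matrix row for a zone: "LES+MA", "LES", "MA" or "N/A".
    ASSUMPTION: a zone inherits the consequences of its own assets and, when
    follow_conduits is set, of every zone it can escalate to through a conduit."""
    ids = reachable_zones(zone_id, zones) if follow_conduits else {zone_id}
    flags = set()
    for zid in ids:
        for asset in zones[zid].assets:
            flags |= asset.consequences
    if MA in flags and LES in flags:
        return "LES+MA"
    if LES in flags:
        return "LES"
    if MA in flags:
        return "MA"
    return "N/A"      # CR/SE-only assets do not score on this matrix

def zone_vulnerability(zone: Zone) -> str:
    """Roll the zone's CAF outcome statuses up to one NA/PA/A value.
    ASSUMPTION: the weakest outcome sets the zone's vulnerability; nothing scored = NA."""
    if not zone.caf_outcomes:
        return "NA"
    return min(zone.caf_outcomes.values(), key=VULN_ORDER.__getitem__)

def zone_risk(zone_id: str, zones: dict, follow_conduits: bool = True) -> int:
    """Zone risk score 0-5 from the CHASE matrix."""
    zone = zones[zone_id]
    cons = consequence_class(zone_id, zones, follow_conduits)
    if zone.importance == "NA" or cons == "N/A":
        return 0
    return RISK_MATRIX[(cons, zone.importance)][VULN_ORDER[zone_vulnerability(zone)]]

# Constructed site: one tank with MA and LES consequences, one with LES only.
T910 = ProcessAsset("T-910", frozenset({MA, LES, SE}))
T301 = ProcessAsset("T-301", frozenset({LES, CR}))

EXAMPLE_ZONES = {
    "01": Zone("01", "NA", {"A.3": "PA"}, conduits=("02",)),                          # corporate
    "02": Zone("02", "R", {"B.5": "A"}, conduits=("03",)),                            # IACS DMZ
    "03": Zone("03", "R", {"B.2": "PA", "C.1": "A"}, conduits=("04",)),               # PCN
    "04": Zone("04", "R", {"B.2": "PA", "B.4": "PA"}, conduits=("05", "06", "07")),   # HMI
    "05": Zone("05", "C", {"B.2": "PA", "B.4": "A", "C.1": "NA"}, assets=(T910,)),    # BPCS
    "06": Zone("06", "C", {"B.2": "A", "B.4": "A", "C.1": "A"}, assets=(T910,)),      # SIS
    "07": Zone("07", "R", {"B.2": "PA", "B.4": "PA"}, assets=(T301,)),                # SIS
}

def risk_register(zones: dict = EXAMPLE_ZONES) -> dict:
    """Zone id -> risk score for every zone in the model."""
    return {zid: zone_risk(zid, zones) for zid in zones}

if __name__ == "__main__":
    for zid, score in risk_register().items():
        z = EXAMPLE_ZONES[zid]
        print(f"Zone {zid}: consequence {consequence_class(zid, EXAMPLE_ZONES):6} "
              f"importance {z.importance:2} vulnerability {zone_vulnerability(z):2} risk {score}")
```

With the constructed data the BPCS zone scores 5 (LES+MA, Critical, a Not Achieved CAF outcome) while the SIS zone protecting the same tank scores 3 because its outcomes are all Achieved; the HMI zone scores 3 only because the conduit rule lets it inherit the tank's consequences, and drops to 0 if escalation is ignored, which is the practical reason to model conduits rather than treat zones in isolation.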
Detailed risk assessment | future
◇ detailed assessments are not current HSE focus
• evolution of High Level Risk Assessment using bowties
Detailed risk assessment | future
◇ IACS Top Event risk determined by
• number and likelihood of threats
• number of vulnerabilities
• number and effectiveness of IACS barriers
Detailed risk assessment | future
◇ process asset (consequence) risk determined by
• IACS CYBER attack events
• normal PROCESS events
• process asset consequence severities
• number and effectiveness of CCPS/EI barriers
Threat and barrier evaluation
Effectiveness based on CAF score
"Likelihood" based on threat characteristics (NIST)
Cyber and process bowtie chaining
Consequence severity/risks
Zone bowties
◇ Attack from within Zone
◇ Attack via other Zone via Conduit
◇ Attack escalation to connected Zone via Conduit
◇ Attack escalation to controlled or protected Asset
Zone impact
Maximum impact for each related Asset = Unmitigated Risk, inherited from the connected Asset bowtie
Mitigated Risk (to be developed)
Process asset impact
Asset T-910 vulnerable to breach from Zone 5 and/or Zone 6; both Zones inherit impact from the Asset Top Event
Mitigated Asset Risk (to be developed) based on number and effectiveness of CCPS/EI barriers
Hazardous scenario evaluation
An IACS breach could create a Threat, or defeat or degrade a Barrier
Potential for Common Cause failure if a Zone is breached (Adversarial) or impacted (Accidental, Structural or Environmental)
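The evaluation described here and on the "Diverse defence in depth?" and "Threat verification and resolution" slides (a zone breach that creates a threat or defeats the barriers depending on that zone, then the question of whether the remaining barriers are adequate), as an added Python example that is not code from the CHASE presentation or from BowTieXP. The T-910 overfill bowtie, the mapping of barriers to the zones they depend on, and the target of two remaining independent barriers are constructed for illustration and marked as assumptions in the code.

```python
"""Common-cause check of a process bowtie against an IACS zone breach.

Added example, not code from the CHASE presentation or BowTieXP. The T-910
overfill bowtie, the barrier-to-zone mapping and the target of two remaining
independent barriers are constructed for illustration.
"""
from dataclasses import dataclass

# Barrier verification states from the "Threat verification and resolution" slide.
PRESENT, ABSENT, UNKNOWN, NOT_APPLICABLE = "Present", "Absent", "Unknown", "Not Applicable"

@dataclass(frozen=True)
class Barrier:
    name: str
    status: str                          # one of the four verification states above
    depends_on: frozenset = frozenset()  # IACS zone ids whose breach defeats or degrades the barrier

@dataclass(frozen=True)
class ThreatLine:
    threat: str
    credible: bool                       # "Is the threat credible or applicable?"
    barriers: tuple
    created_by: frozenset = frozenset()  # zone ids whose breach could create or raise this threat

def evaluate_threat_line(line: ThreatLine, breached: frozenset, min_independent: int = 2) -> dict:
    """Re-evaluate one threat line with the `breached` zones assumed compromised.

    Only Present barriers are credited. A Present barrier that depends on a
    breached zone counts as defeated (common cause); Unknown or Absent barriers
    become actions to expedite rather than credit. ASSUMPTION: the line is
    adequate when at least `min_independent` barriers survive.
    """
    defeated = [b.name for b in line.barriers
                if b.status == PRESENT and b.depends_on & breached]
    remaining = [b.name for b in line.barriers
                 if b.status == PRESENT and not (b.depends_on & breached)]
    actions = [f"{b.status}: {b.name}" for b in line.barriers
               if b.status in (UNKNOWN, ABSENT)]
    return {
        "threat": line.threat,
        "threat_raised": bool(line.created_by & breached),   # threat created or made more likely
        "defeated": defeated,
        "remaining": remaining,
        "adequate": len(remaining) >= min_independent,
        "actions": actions,
    }

def evaluate_bowtie(lines: tuple, breached, min_independent: int = 2) -> list:
    """Evaluate every credible threat line of a bowtie for one breach scenario."""
    breached = frozenset(breached)
    return [evaluate_threat_line(line, breached, min_independent)
            for line in lines if line.credible]

# Constructed bowtie for the top event "T-910 overfill / loss of containment".
T910_LINES = (
    ThreatLine(
        "Pipeline receipt continues past tank capacity", True,
        barriers=(
            Barrier("BPCS high level alarm and operator response", PRESENT, frozenset({"05"})),
            Barrier("SIS high-high level trip closes inlet valve", PRESENT, frozenset({"06"})),
            Barrier("Independent mechanical overfill protection", UNKNOWN),
            Barrier("Bund contains spill", PRESENT),
        ),
        created_by=frozenset({"05"}),   # a BPCS breach could set up the wrong transfer
    ),
    ThreatLine(
        "Tank shell corrosion", True,
        barriers=(Barrier("Inspection programme", PRESENT), Barrier("Bund contains spill", PRESENT)),
    ),
    ThreatLine("Aircraft impact", False, barriers=()),   # screened out: not credible here
)

if __name__ == "__main__":
    for scenario in ({"05"}, {"05", "06"}):
        print(f"Breached zones {sorted(scenario)}:")
        for result in evaluate_bowtie(T910_LINES, scenario):
            print(f"  {result['threat']}: raised={result['threat_raised']} "
                  f"remaining={len(result['remaining'])} adequate={result['adequate']}")
```

A breach of the BPCS zone alone both raises the overfill threat and removes the alarm barrier, but the SIS trip and the bund still satisfy the two-barrier target; a breach that reaches both the BPCS and SIS zones (for example through a shared engineering station) leaves only the bund, which is the common-cause case the slide warns about. The Unknown mechanical barrier appears as an action to expedite in every scenario because it is never credited until verified.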
Process hazard analysis equivalence
Hazard Studies (IChemE)                          Cyber Security (CHASE™)
Hazard Study 1   Concept   Block Diagram         High Level Risk                 OG-0086 App 4
Hazard Study 2   HAZID     Process Flow Diagram  Detailed Risk Assessment        OG-0086 App 5 & NIST & CAF
Hazard Study 3   HAZOP     P&ID                  Hazardous Scenario Evaluation   CCPS/EI
Conclusions
◇ proportionate and practicable visual risk assessment technique for evaluating and addressing cyber security risks using bowties
◇ builds on existing process hazard and risk assessments
◇ you don't have to be a cyber expert in the early stages
• usable by C&I engineers
• understandable and explainable to non-technical management
• scenario visualisation provides a common understanding to assist with decision making and resource deployment
◇ can be done in stages
• helps focus effort where it is most needed
• scalable (not just NIS/COMAH)
◇ high level risk assessments
◇ detailed risk assessments
◇ enables integration of process and cyber assessment
Do you understand what could go wrong?
Do you know what your systems are to prevent this happening?
Do you have information to assure yourself that they are working effectively?
First steps…
◇ Do you understand what could go wrong?
◇ Do you know what your systems are?
◇ Where are we vulnerable?
◇ What do you have in place to reduce vulnerabilities?
◇ Do you have information to assure yourself that countermeasures are effective?
Don't forget about incident management and recovery
• HAZOPs, safety reports etc.
• Asset Register
• Simple network diagrams
• Cyber bowties
• Cyber risk assessment
• Cyber audits
• Automated monitoring and analysis