On March 19, 2019, leading aluminum producer Norsk Hydro was under an overwhelming ransomware cyber-attack that rendered many plants inoperable, and networked devices such as phones, tablets and computers had to be unplugged from its network, and workers were forced to run the plants manually (Source: https://newsweb.oslobors.no/message/472448).
Incidentally, Norsk Hydro also received praise from industry experts on their crisis-preparedness to deal with such a cybersecurity incident as demonstrated by their agility to move to manual operations and thereby mitigating the attack (Source: https://searchsecurity.techtarget.com/news/252459949/Experts-praise-Norsk-Hydro-cyberattack-response).
Cybersecurity is now an important conversation
This is a grim reminder that no company is immune to cyber-attacks. Industrial and critical infrastructures may be very vulnerable, especially because of the melding of Internet-connected computers and smartphones on an internal network, which in turn are connected to safety systems with critical final elements (e.g. safety shutdown valves) and industrial control systems that can cripple or render plants dangerous to people (including scenarios such as contamination, explosions, meltdowns, etc).
Industrial safety and industrial cybersecurity are increasingly important conversations because critical infrastructures such as power plants, large manufacturing plants, hospitals, airports, rail networks (such as the MRT or MTR), and others, can be crippled or cause disasters because of cyber-attacks – all because many of such infrastructures are now connected to the Internet.
Developing a Safety system for industrial applications
Conventionally, the design of safety systems to protect installations is based on identification of hazards in the process followed by a risk analysis, and putting in place multiple layers of protection to reduce the risk to a tolerable level, based on the principle of ALARP (as low as reasonably practicable).
In the chemical process industry, the protection layers usually include the basic process control system, instrumented safety systems, and pressure relief systems to prevent or mitigate any conceivable consequences and minimize risk. This is usually approached by well-established methods such as HAZOP (Hazard and Operability analysis) and LOPA (Layers of Protection analysis).
In the recent years, with increasing frequency of cyber-attacks on industrial installations, concerns regarding security of control and safety systems installations have come to the fore, creating additional challenges for end-users.
It is important to know that a typical process safety hazards analysis does not involve an evaluation of cyber-security vulnerabilities and threats.
However, when a cyber-attack takes place on control and safety systems, the consequences can be quite similar to those arising from process safety hazards. Hence it is necessary that a separate cybersecurity risk analysis be carried out to ensure the security of industrial control and safety systems.
As evident from incidents like the Ukraine power grid attack (circa 2015) by hackers who managed to gain entry into the control systems unnoticed and then forced a blackout leaving over 230,000 residents without power, or the STUXNET malware (circa 2010) which affected nuclear facilities in Iran, the consequences of a cyber incident can be quite similar to that of a process safety incident with implications on people, environment and assets.
Therefore, operators of critical infrastructure must now consider a new scenario:
“Are safety systems responsible for protecting your industrial installation secure?”
Making Control and Safety Systems Secure
For any industry, ensuring security of control and safety systems requires a special strategy.
Frequently, such systems comprise of software, programmable hardware and communication networks distributed over a wide geographical area.
For the process industry, this approach is based on three cardinal principles accruing from IEC 61508/ 61511 and IEC 62443 standards:
- Protection of safety functions: Security effectively prevents negative influences of threats to Safety Instrumented Systems and their implemented safety functions
- Compatibility of implementations: Security does not interfere with safety and vice versa
- Protection of security countermeasures: The safety implementations do not negatively compromise the effectiveness of security implementations.
In order to ensure security of the control and safety systems, there are well established approaches which involve the deployment of a cyber security lifecycle framework based on the guidelines of standards such as IEC 62443 series, using principles of defence-in-depth, segregation by zones and conduits etc. There are also industry specific and country specific standards such as the Australian standard for Rail Cybersecurity (AS7770). For organizations considering to set up cybersecurity lifecycle management, there is also ISO27000 series for guidance.
To ensure the safety of industrial installations and critical infrastructure, operators have now a major task in hand – to review the architecture and design of their existing control and safety systems protecting their installations to ensure that these are secure as well.
Sujith Panikkar is Director of Consulting, HIMA