Guest blog by David Hatch from Process Safety Integrity

Hazards 29 is Europe’s leading process safety forum. At this year’s event, industry expert Andy Geddes and CGE Partner David Hatch from Process Safety Integrity presented their new CHASE concept. Their work has developed a practical methodology for Computer Hazard And Security Evaluation.

You can’t defend what you don’t understand

Cyber security is a major concern across all industries, with the threat of data theft or corruption, disabled functionality such as denial of service or ransomware, or spurious protection activation. With limited resources, organizations must target their cyber security efforts wisely and proportionately to prevent, detect, and recover from intentional attacks and unintentional challenges.

Plant and equipment need robust security to defend against deviations within Industrial Automation Control Systems (IACS) and incursions into IT systems such as maintenance management or enterprise resource planning systems. As the UK’s Health and Safety Executive says: ‘in order to defend a system, it is first important to know what is to be defended’. They stress that ‘you can’t defend what you don’t understand’ (HSE OG0086).

Physical & logical topology

CHASE starts by creating a clear and concise topological map of the physical plant and the logical IACS assets. All control and protection measures (subdivided into Zones and Conduits) are overlaid onto the map, together with a view of the potential hazards which could result in major accidents (MA) and/or loss of essential services (LES). This technique responds to the current focus of the competent bodies, including the UK’s Health and Safety Executive (HSE) and Cyber Security Centre (CSC). The mapping and evaluation also consider environmental impact and commercial or reputational damage. Because the ecology of cyber-attacks is constantly evolving, CHASE uses the concept of vulnerability to infer likelihood. Vulnerability is combined with asset hazard (MA or LES) severity to generate a high-level risk assessment.

High-level risk assessment

CHASE uses bowties to visualize the high-level risk assessment by presenting reasonably foreseeable threats (e.g. OG0086 Table 5.1) and their countermeasures or barriers. This allows the applicability of the threat and the adequacy of the barriers to be risk assessed.

Figure 1: A typical IACS threat is prevented by a combination of security barriers of varying effectiveness (examples only)

An IACS breach can affect a plant or process in two ways:

  • threats which originate from the IACS become more likely or new ones are created
  • barriers which rely on the IACS are defeated or degraded

Detailed risk assessment

Regulators are not currently focussed on detailed risk assessments, but this will change in the near future. CHASE anticipates this change by using the same basic bowties for detailed IACS and process risk assessments which are chained together to highlight the relationships between cyber events and process events.

Figure 2: The consequence of a loss of integrity of an IACS becomes a chained threat to a physical asset which has tangible effects (examples only)
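As an added illustration (not from the paper or its authors), the following Python model shows the chaining of Figure 2: the top-event frequency of an IACS bowtie becomes the likelihood of a new threat on the physical-asset bowtie, and a barrier that depends on the IACS is dropped from that chained path. The threat likelihoods, barrier effectiveness values and the independent-barrier assumption are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Illustrative simplification: barriers are assumed independent, each stopping
# a fixed fraction of the threats that reach it. All numbers are constructed.


@dataclass
class Barrier:
    name: str
    effectiveness: float  # fraction of attempts stopped, 0.0 .. 1.0


@dataclass
class Bowtie:
    top_event: str
    # threat name -> (initiating likelihood per year, preventive barriers)
    threats: Dict[str, Tuple[float, List[Barrier]]] = field(default_factory=dict)

    def threat_contribution(self, name: str) -> float:
        """Likelihood that this threat defeats every barrier and reaches the top event."""
        likelihood, barriers = self.threats[name]
        for barrier in barriers:
            likelihood *= 1.0 - barrier.effectiveness
        return likelihood

    def top_event_frequency(self) -> float:
        return sum(self.threat_contribution(n) for n in self.threats)


def chain(upstream: Bowtie, downstream: Bowtie, threat_name: str,
          barriers: List[Barrier]) -> None:
    """The upstream (IACS) top-event frequency becomes the likelihood of a
    new threat on the downstream (physical asset) bowtie."""
    downstream.threats[threat_name] = (upstream.top_event_frequency(), barriers)


def build_example() -> Tuple[Bowtie, Bowtie]:
    iacs = Bowtie("loss of integrity of safety controller")
    iacs.threats["malware via removable media"] = (0.5, [
        Barrier("USB port lockdown", 0.9), Barrier("workstation AV", 0.5)])
    iacs.threats["misuse of remote access"] = (0.2, [Barrier("MFA on gateway", 0.9)])

    process = Bowtie("vessel overpressure")
    process.threats["control valve fails open"] = (0.1, [
        Barrier("high-pressure trip", 0.9), Barrier("relief valve", 0.99)])
    # The chained threat defeats the trip (it depends on the IACS), so only the
    # mechanical relief valve remains as a barrier on this path.
    chain(iacs, process, "trip defeated by IACS compromise", [Barrier("relief valve", 0.99)])
    return iacs, process
```

Running `build_example()` gives an IACS top-event frequency of 0.045/yr and a process top-event frequency of 0.00055/yr, of which the chained cyber path contributes 0.00045/yr.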

Best practice

CHASE uses recognized industry good practice including HSE OG0086, the CSC Cyber Assessment Framework (CAF), IEC 62443 and NIST SP 800-30. It is structured to allow easy expansion as the physical and logical asset bowties develop. It provides a proportionate and practical visual risk assessment technique which is understandable and explainable to non-technical personnel. This results in a common understanding of both general and specific vulnerabilities and improves decision making and resource deployment.

Start the CHASE method – Download a full copy of the paper

Are you interested in learning more about visualizing cyber security vulnerabilities with bowties? Download the paper for a more detailed explanation of the CHASE method. Complete and submit the details below to receive a copy in your inbox right away.