(117br) Preventing Cyber Attacks on Process Plants: Making Sense of What Is Needed | AIChE

Cyber security is a term used to define measures taken to protect Industrial Automation and Control Systems (IACS) against threats, whether these arise through accidental circumstances or through deliberate attack. The threats can originate from the Internet, external networks (corporate or third party), maintenance activities, software upgrades, and unauthorized access. Failure to properly manage these threats has the potential to result in incidents with major health, safety or environmental consequences and/or loss of essential services.

Cybersecurity threats continue to evolve in complexity and sophistication. While most organizations fully recognize the importance of addressing this growing threat, the framework of international consensus standards that guides the assessment of, and protection from, potential cyber-attack is complex and oftentimes confusing.

A key concept for successful process plant cybersecurity involves proper establishment and maintenance of safeguard diversity and defence in depth. It is essential that process safety professionals ensure that proposed barriers are genuinely independent and that they protect the data highway, so that defence in depth is achieved. A key challenge facing IACS design professionals is to provide accurate Safety Integrity Levels (SIL) and Security Levels (SL) based on ISA/IEC 61511 that specifically incorporate factors for cyber-attack.

This presentation concentrates on common misunderstandings and mistakes encountered when doing actual cyber-protection projects involving process plants, and will provide practical insights to successfully navigate these challenges.

The presentation will emphasize the following points:

  • An overview of ISA/IEC 62443, which represents a series of standards, technical reports, and related information that define procedures for implementing secure IACS.
  • Efficiently using ISO/IEC 27001 to deliver an information security management system specifically focused on process control systems. Given the broad nature of the numerous standards in the ISO/IEC family, a pragmatic focus on the use of this standard for IACS is essential.
  • Utilization of Recognized and Generally Accepted Good Engineering Practices (RAGAGEP) can help improve the implementation of cyber security practices in the process industries. The UK Health & Safety Executive published its operational guidance OG86 ‘Cyber Security for Industrial Automation and Control Systems (IACS)’ in March 2017, and an overview of this guidance will be given to provide a European perspective on cyber security approaches.

Reducing the risk of a major accident, or maintaining operation of an essential service, requires the effective application of process control and safety systems. Clarifying requirements and reducing the “mysticism” of these approaches will make this process less stressful for all stakeholders.

This paper has an Extended Abstract file available; you must purchase the conference proceedings to access it.