Towards the Application of a New Methodology to Identify Cyber and Physical Risks in Industry 4.0 | AIChE

Authors 

Melo Jr, W. Sr., National Institute of Metrology, Quality, and Technology
Magalhães, E. Sr., Alvarez and Marsal

Industry 4.0 represents the growing digital transformation that has matured industrial systems and processes in recent years. This technological revolution is crucial to decreasing costs and improving the quality of products and services. Nevertheless, it also introduces concerns about the security, reliability, and protection of physical and cyber assets: industrial systems, equipment, and devices that are interconnected and connected to the internet. These assets can use and integrate other technologies such as the Internet of Things (IoT), cloud storage, and intelligent and autonomous systems, merging the cyber and physical worlds into cyber-physical systems (CPS). A CPS integrates computing, communication, and control across networks and physical processes. Integrating physical processes with cyber solutions expands the variety of attacks and risks in the cyber-physical ecosystem, and these threats can have severe economic consequences for organizations. 31% of organizations have undergone cyber attacks on operational technology (OT). While 75% of technology specialists acknowledge cybersecurity as a priority, only 16% say that their companies are prepared to face the complexity of cyber-physical risks. Low-precision risk identification methodologies and a lack of the technical and management skills needed to implement stricter cybersecurity policies are the main factors behind these numbers. Therefore, any Industry 4.0 solution must adopt best practices to identify risks in both the physical and cyber worlds.

Many approaches in the literature deal with risk identification focusing on only one CPS layer. Although these methodologies usually cover the physical or the cyber layer, they rarely present deeper studies of the risks at the interconnection layer. Furthermore, to the best of our knowledge, no work develops specific strategies to pinpoint risks resulting from the interaction among these layers. This paper demonstrates how the strategy proposed in our previous work can be applied to identify risks in Industry 4.0 systems by combining different risk identification methodologies. Our approach covers the three CPS layers (physical, interconnection or "cyber-physical", and cyber) and their interactions, identifying risks that can emerge in any of them or from their interactions. In general, the approach comprises four steps: list risks arising from risk identification factors at all layers; list risks using a bottom-up HAZOP strategy that starts identification at the physical layer; list risks using a top-down NIST CSF strategy that starts identification at the cyber layer; and consolidate the three lists into the CPS risk catalog.

In the first step, we build the list of factors used to identify risks. These factors result from integrating the Risk Model (RM), ISO 31000, and PMBOK guidelines, all three of which can be used to explore risk factors for each CPS layer. The risk factors consolidated from RM, ISO 31000, and PMBOK are hazardous areas, causes, effects, consequences, impacts, probability, threats, vulnerabilities, nature and value of assets, limitations, timing factors, and assumptions. Tools and techniques that support this step include brainstorming, checklists and prompt lists, structured interviews, personal experience, and project information.

Many works associate the HAZOP methodology with risk identification in physical processes, so it is a suitable technique for identifying hazards in the CPS physical layer. Our proposal applies HAZOP as a bottom-up strategy: we start HAZOP risk identification at the physical layer and extend it to the upper CPS layers (interconnection and cyber). In this way, HAZOP is not restricted to the processes and physical elements of the CPS; its use also covers complementary aspects of the interconnection and cyber layers. We apply HAZOP in the following steps. First, we define the object of study or asset (the system or components of the system). Next, we analyze the process environment in detail. After determining the system nodes, or risk zones, we identify the system components and evaluate their variables. We then select the guide words that stimulate creativity in detecting deviations, apply them to the process variables, and estimate the deviations at each node and their possible causes.

Risk identification practices in the NIST CSF are generally related to the corporate environment, covering asset management, business environment, and governance, and reports on applying the NIST CSF usually describe risks in the cyber ecosystem. Accordingly, we proceed as in the previous step but in the opposite direction: we start NIST CSF risk identification at the cyber layer and extend it to the lower CPS layers (interconnection and physical), a top-down strategy. Risk identification with the NIST CSF depends on the category, its subcategories, and their informative references. Applying the framework top-down, we first define the system and the risk identification category within the Identify function (e.g., Asset Management, Business Environment, Governance, Risk Assessment, Risk Management Strategy, or Supply Chain Risk Management). Next, we determine the subcategories of that category. Finally, we apply the informative references of each subcategory.

In the last step, we assess and validate the risks by comparing the three lists created in the previous steps. We consolidate them into a catalog of risks sectioned by layer, using the following criteria: eliminate redundant risks (those that are the same or very similar); aggregate and merge complementary risks (those that present some similarity or deal with related elements); and validate as separate entries the risks that differ in origin, nature, and causes.

The following description exemplifies the application of the bottom-up HAZOP and top-down NIST CSF strategies to identify risks in the flare system of oil and gas plants. A flare system is the safety mechanism that disposes of combustible waste gases leaving refineries, petrochemical plants, and other hydrocarbon processing facilities by burning them directly. We exemplify the node selection step by describing the composition of the flare system. It consists of field instruments (e.g., flow controllers, temperature controllers, temperature measuring elements, flow meters such as orifice plates, control valves, solenoid valves, and flame sensors) and control room instrumentation (e.g., programmable logic controllers, a supervisory system with a distributed digital control system, and an alarm system). Other parts of the system are the telemetry/security components (e.g., pneumatic signal, current signal, controllers, digital signal, communication protocol, and fiber optic signal) and the analysis instruments (e.g., gas measuring instruments and pH meters). We select three nodes, one per layer. Node 1 represents the gas measuring instruments in the physical layer. Node 2 comprises the Programmable Logic Controllers (PLCs) in the interconnection layer. Node 3 is the supervisory computer in the cyber layer. The deviations, with their possible causes, are "no gas flow" (broken gas instrument), "higher pH" (pH meter out of specification), "lower flame" (flame system out of position), "no signal PLC memory" (PLC memory accessed improperly), "nonstandard" (standards out of specification), and "other IP address" (forged IP address). The documents and support tools for the HAZOP strategy are process diagrams, algorithms, technical specifications of the system components, and the knowledge of the professionals operating the facilities (e.g., risk managers, process engineers, and technicians).

As an example of applying the NIST CSF top-down to the flare system, the Asset Management category refers to the data, personnel, devices, systems, and facilities that enable the organization to achieve its business objectives. Its subcategories are detailed as: physical devices and systems (gas measuring instruments and pH meters), software platforms (programs that capture digital and pneumatic signals), organizational communication and data flows (interaction between system supervisors), resources (PLCs, DCS, security, and alarm systems), and cybersecurity roles and responsibilities for the entire workforce (operators, technicians, and others).
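The four steps above, run on the flare-system nodes, as an added example that is not code from the paper or its authors. It generates HAZOP deviations bottom-up across the three layers and then performs the consolidation step (eliminate redundant, merge complementary, validate distinct) into a catalog sectioned by layer. Node, deviation and cause names are taken from the flare-system example; the guide-word table, the layer assigned to each variable, the constructed NIST CSF and risk-factor entries, the word-set (Jaccard) similarity measure and its two thresholds are assumptions of this example, not part of the paper's method.

```python
"""Added example (not from the paper): HAZOP bottom-up deviation generation for
the three CPS layers of the flare system, followed by consolidation of the
factor, HAZOP and NIST CSF lists into a catalogue sectioned by layer.  Guide
words, variable-to-layer assignment, the NIST CSF / factor entries and the
similarity thresholds are assumptions of this example."""
from dataclasses import dataclass, field
from typing import Dict, List

LAYERS = ("physical", "interconnection", "cyber")

# HAZOP guide word -> deviation wording for a process variable (assumed subset).
GUIDE_WORDS = {
    "NO": "no {var}",
    "MORE": "higher {var}",
    "LESS": "lower {var}",
    "OTHER THAN": "other {var}",
    "NONSTANDARD": "nonstandard {var}",
}

# Node -> (layer, {variable: guide words the analyst judged applicable}); assumed.
NODES = {
    "gas measuring instruments": ("physical",
        {"gas flow": ["NO"], "pH": ["MORE"], "flame": ["LESS"]}),
    "PLC": ("interconnection", {"signal PLC memory": ["NO"]}),
    "supervisory computer": ("cyber",
        {"communication protocol": ["NONSTANDARD"], "IP address": ["OTHER THAN"]}),
}


@dataclass
class Risk:
    description: str
    layer: str
    sources: List[str]                              # methods that found it
    causes: List[str] = field(default_factory=list)


def hazop_bottom_up(nodes=NODES, guide_words=GUIDE_WORDS) -> List[Risk]:
    """Step 2: apply each guide word to each node variable, physical layer first."""
    rank = {layer: i for i, layer in enumerate(LAYERS)}
    risks = []
    for node, (layer, variables) in sorted(nodes.items(), key=lambda kv: rank[kv[1][0]]):
        for var, words in variables.items():
            for gw in words:
                risks.append(Risk(guide_words[gw].format(var=var), layer, ["HAZOP"],
                                  [f"{gw} deviation at node '{node}'"]))
    return risks


def nist_csf_top_down() -> List[Risk]:
    """Step 3 (constructed entries): Asset Management findings, cyber layer first."""
    return [
        Risk("forged IP address", "cyber", ["NIST CSF"], ["address forged IP"]),
        Risk("PLC memory accessed improperly", "interconnection", ["NIST CSF"],
             ["PLC memory accessed improperly"]),
        Risk("gas measuring instruments and pH meters not inventoried", "physical",
             ["NIST CSF"], ["physical device inventory incomplete"]),
    ]


def risk_factor_list() -> List[Risk]:
    """Step 1 (constructed entries): risks listed from the RM/ISO 31000/PMBOK factors."""
    return [
        Risk("no gas flow", "physical", ["factors"], ["broken gas instrument"]),
        Risk("higher pH", "physical", ["factors"], ["pH meter out of specification"]),
        Risk("lower flame", "physical", ["factors"], ["flame system out of position"]),
    ]


def jaccard(a: str, b: str) -> float:
    """Word-set similarity used to classify a pair as redundant/complementary/distinct."""
    ta, tb = set(a.lower().split()), set(b.lower().split())
    return len(ta & tb) / len(ta | tb) if ta | tb else 0.0


REDUNDANT = 0.75      # same or nearly the same wording: keep a single entry
COMPLEMENTARY = 0.3   # related wording in the same layer: merge into one entry


def consolidate(*risk_lists: List[Risk]) -> Dict[str, List[Risk]]:
    """Step 4: build the CPS catalogue sectioned by layer; a risk is compared only
    with entries already catalogued in its own layer."""
    catalog: Dict[str, List[Risk]] = {layer: [] for layer in LAYERS}
    for risk in (r for lst in risk_lists for r in lst):
        section = catalog[risk.layer]
        best, score = None, 0.0
        for entry in section:
            s = jaccard(entry.description, risk.description)
            if s > score:
                best, score = entry, s
        if best is not None and score >= COMPLEMENTARY:
            if score < REDUNDANT:
                # complementary: aggregate the wording of both entries
                best.description = f"{best.description} / {risk.description}"
            # redundant or complementary: keep every method and cause once
            best.sources = sorted(set(best.sources) | set(risk.sources))
            best.causes = list(dict.fromkeys(best.causes + risk.causes))
        else:
            # distinct in origin, nature and cause: validated as its own entry
            section.append(Risk(risk.description, risk.layer,
                                list(risk.sources), list(risk.causes)))
    return catalog
```

Calling `consolidate(risk_factor_list(), hazop_bottom_up(), nist_csf_top_down())` keeps "no gas flow", "higher pH" and "lower flame" as single physical-layer entries credited to both the factor list and HAZOP, merges "no signal PLC memory" with the NIST CSF finding "PLC memory accessed improperly" in the interconnection layer, merges "other IP address" with "forged IP address" in the cyber layer, and validates the inventory risk as a distinct physical-layer entry. The thresholds are deliberately loose so that wording differences between a process engineer's HAZOP sheet and a NIST CSF worksheet do not produce duplicate catalog entries; in practice the analyst reviews every merge.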

Finally, we highlight the relevance of identifying risks arising from interactions between components of the physical and cyber worlds. Integrating risk factors from ISO 31000, PMBOK, and the Risk Model with the bottom-up HAZOP and top-down NIST CSF approaches improves the detection, mitigation, and prevention of risk situations that could compromise Industry 4.0 CPSs.
