At PAS, we are passionate about process safety and cybersecurity. Working with our industrial customers over many years, we have jointly developed best practices for improving process safety (a very popular one is the 7-step methodology for alarm management). Many of these best practices are also valuable to reducing operational technology (OT) cyber risk.
But first, a bit about the traditional approach to IT cybersecurity, the so-called “CIA Triad” of Confidentiality, Integrity, and Availability. The practices associated with this model are intended to ensure business data is kept private, not compromised in any way, and available when needed. By contrast, OT is concerned with the automation systems that facilitate safe production in process and manufacturing industries.
OT cybersecurity differs from the CIA cybersecurity model because it is not only concerned with data protection, but also with the prevention of cyber espionage and the risk of impact to process safety, reliability, and the environment.
The cyber risk to OT systems is growing in both frequency and sophistication, as malicious actors have recognized the level of dependence modern societies have on OT to manage critical infrastructure and seek to disrupt it or steal intellectual property embedded in processes. They are increasingly using automation, machine learning and artificial intelligence to create highly targeted exploits directed at critical infrastructure. These exploits are designed to leverage detailed knowledge of specific automation systems and industrial processes – something which few hacking groups had 5 or 10 years ago, but which is increasingly more common (a recent experiment showed a mock industrial network placed on the public internet was infested with malware in just three days!)
The most effective way to counter these exploits is to apply automation and process-safety best practices in addition to IT-focused cybersecurity measures. Beyond protecting OT systems against cyberattacks, these practices also improve control performance, alarm performance, human interface effectiveness, and automation system resiliency which improve profitability, safety, and reliability. As a result, there are a number of key positive business benefits to applying them beyond only risk reduction.
Industry experts Chris Lyden and Eddie Habibi recently authored a paper, How OT Cybersecurity is Improved with Process Safety Best Practices, which reviews the five operations safety independent protection layers (IPLs) and how applying best practices for each greatly improves OT cybersecurity:
- IPL 1 - Inventory and Configuration Management
- IPL 2 - Automatic Process Controls
- IPL 3 - Human Intervention
- IPL 4 - Safety Instrumented Systems
- IPL 5 - Physical Protection
The paper is packed with helpful guidance whether you choose to adopt the recommendations for one, some, or all of the IPLs. We hope you find it useful.