Abstract

Malicious interference with Industrial Automation and Control Systems (IACS), such as the Basic Process Control System (BPCS) and the Safety Instrumented System (SIS) of chemical and process facilities, may initiate events with severe consequences, such as major accident scenarios (e.g., loss of containment of hazardous substances) and production outages. Existing security vulnerability and risk assessment (SVA/SRA) methodologies, as well as the cybersecurity risk assessment approach proposed by the ISA/IEC 62443 series of standards, do not provide any practical method or guideline supporting cyber-risk identification. Moreover, the scientific literature evidently lacks procedures addressing the concrete connection between malicious manipulations of the BPCS and SIS and the impacts they can initiate on the physical process system. Given this gap, the present study describes a synergic framework of tools and applies it to a case study (an offshore Oil&Gas platform for gas compression), supporting the systematic identification of the risks that can originate from malicious interference with the BPCS and SIS. The framework consists of a past incident analysis (PIA) and two rigorous methodologies: PHAROS, focused on major accident hazards, and POROS, which also addresses operability issues. The concept of cyber-attack credibility is introduced here to identify the most credible sets of manipulations, based on a score for the plant knowledge level required by the attacker and a score for the cyber complexity of the attack pattern; this provides valuable information on how to effectively allocate resources for a more secure network architecture.
