Integrating cybersecurity into a greenfield ICS project
By Krish Sridhar, PE GSEC
Industrial control system (ICS) cybersecurity is critical to companies that spend millions of dollars assessing and mitigating ICS cybersecurity risks. This is great news for brownfield systems, but how do we make sure that greenfield projects do not install new ICSs with cybersecurity vulnerabilities and gaps? Cybersecurity does not happen by accident; it must be consciously designed into the system.
Integrating cybersecurity into an ICS requires a project life-cycle approach. First, you must justify the project. The relationship between process safety and ICS cybersecurity is compelling for companies, especially if they fall under process safety regulations, such as OSHA process safety management (PSM). The second justification is preventing cybersecurity incidents that could cause costly lost production or extended service interruptions, and the third is adherence to industry best practices and standards. The mission to "stop the bleeding" requires proactive integration and recoups losses on the bottom line.
Business challenges include acquiring buy-in from senior and project management, and support from the engineering, procurement, and construction (EPC) contractor, vendors, system integrators (SIs), and the operations organization. Collective buy-in keeps the impact on the project schedule to a minimum.
For reference, a typical ICS cybersecurity life cycle for existing systems has five phases: vulnerability/gap assessment, risk assessment, a mitigation plan, implementation, and auditing. Integration of cybersecurity into the ICS project life cycle consists of:
- front-end engineering with a cyberPHA (detailed cybersecurity risk assessment methodology)
- detailed engineering with cybersecurity requirements specifications and design reviews
- cybersecurity factory acceptance testing (CFAT) and cybersecurity site acceptance testing (CSAT)
- security management, monitoring, and incident response
Front-end engineering begins with ICS cybersecurity risk assessments, which are compliant with industry standards like ISA-62443-3-2. While conformance to standards is sufficient for many organizations, other factors, such as risk reduction per dollar spent, investor and regulator due diligence, and documenting for management why certain actions were taken or not taken, also justify the assessment. An ICS cybersecurity risk assessment is meant to link a cybersecurity event to a true process hazard; a cyberPHA does so by connecting vulnerabilities and threats to consequences and likelihood of occurrence, accounting for existing countermeasures. The result gives management a road map highlighting a ranked set of risks, prioritized recommendations, and a mitigation plan.
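The following is an added illustration of the cyberPHA ranking described above, not a tool from the article or from ISA-62443-3-2: each scenario links a threat and vulnerability to a consequence, credits existing countermeasures against likelihood, and the result is ranked against a tolerable-risk threshold. The 1-5 scales, the one-step-per-countermeasure credit, the threshold, and the sample scenarios are constructed assumptions.

```python
"""Constructed cyberPHA-style risk ranking; scales, credits, and scenarios are assumptions."""
from dataclasses import dataclass, field

TOLERABLE_RISK = 8  # assumed tolerance threshold on a 1-25 severity x likelihood scale


@dataclass
class Scenario:
    zone: str
    threat: str
    vulnerability: str
    consequence: str
    severity: int        # 1 (negligible) .. 5 (fatality / major release)
    likelihood: int      # 1 (remote) .. 5 (frequent), with no countermeasures applied
    countermeasures: list = field(default_factory=list)   # existing, verified safeguards
    recommendations: list = field(default_factory=list)   # proposed additional safeguards

    def mitigated_likelihood(self) -> int:
        # Assumption: each independent countermeasure earns one likelihood step, floored at 1.
        return max(1, self.likelihood - len(self.countermeasures))

    def risk(self) -> int:
        return self.severity * self.mitigated_likelihood()


def rank_scenarios(scenarios):
    """Return (scenario, needs_mitigation) pairs, highest residual risk first."""
    ranked = sorted(scenarios, key=lambda s: (s.risk(), s.severity), reverse=True)
    return [(s, s.risk() > TOLERABLE_RISK) for s in ranked]


# Constructed sample scenarios for a hypothetical greenfield process unit
SAMPLE = [
    Scenario("Control zone", "Malware via removable media", "USB ports enabled on engineering workstation",
             "Loss of view/control, unplanned shutdown", 4, 4,
             countermeasures=["Endpoint malware prevention"],
             recommendations=["Disable USB mass storage", "Media scanning kiosk"]),
    Scenario("Safety zone", "Unauthorized logic change", "SIS engineering port left in program mode",
             "Loss of safety function during process upset", 5, 3,
             countermeasures=["Physical key switch", "Locked cabinet"],
             recommendations=["Alarm on key switch position"]),
    Scenario("DMZ", "Remote access compromise", "Shared vendor account without MFA",
             "Attacker pivot into control zone", 4, 4,
             recommendations=["Per-user vendor accounts", "MFA", "Session recording"]),
]

if __name__ == "__main__":
    for s, above in rank_scenarios(SAMPLE):
        print(f"{s.risk():>2} {'MITIGATE' if above else 'accept':<8} {s.zone}: {s.threat} -> {s.consequence}")
```

The ranked output is the risk profile handed to management; scenarios flagged MITIGATE carry their recommendations into the mitigation plan and the CRS.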
If you want cybersecurity designed into your system, you must define your requirements and communicate them to all involved parties in the form of cybersecurity requirement specifications (CRSs). The CRS includes requirements for the monitoring and security of zones and conduit boundaries, and for hardening end points, such as ICS asset management, malware prevention, and access control. Include key stakeholders in the design review, hold a focused discussion on which cybersecurity requirements are satisfied, and document the open issues.
Conduct CFAT and CSAT to evaluate the cybersecurity of the system; the operating company should accept the results before delivery and startup. CFAT and CSAT verify the cybersecurity requirements and the proper configuration of security settings, the operating system, and antivirus software. Additionally, detection systems should be confirmed operational and able to identify and report events. Cybersecurity robustness testing must also be performed: discovery of present vulnerabilities, resilience to network storms, and intrusion tests that verify the firewall configuration. These tests are scoped to the system under test, which establishes the network boundaries; CFAT and CSAT should be coordinated, the configuration verified, and the punch list followed through to closure.
Consider vendor-recommended settings for each control system platform: identify vendor best practices, modify default settings, review the overall vendor hardening criteria, and review the architecture and apply the data flow requirements.
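As an added example (not from the article or any vendor's tooling), the CRS verification part of a CFAT/CSAT can be scripted so the punch list is generated rather than hand-written: each host captured during testing is checked against the CRS themes named above (approved services, default accounts, malware prevention, removable media, patch baseline, and conduit/data-flow limits). The requirement set, the host record fields, and the sample hosts are constructed assumptions.

```python
"""Constructed CRS compliance check producing a CFAT/CSAT punch list; all values are assumptions."""
from dataclasses import dataclass


@dataclass
class HostRecord:
    name: str
    zone: str
    os_patch_level: str             # assumed "YYYY-MM" of the last applied, vendor-tested baseline
    services: set                   # listening services reported by the host
    default_accounts_changed: bool  # vendor default credentials replaced
    av_signatures_age_days: int     # age of malware-prevention signatures
    usb_storage_enabled: bool       # removable media storage allowed
    allowed_peers: set              # zones this host's conduits reach, from the as-built firewall rules


# Constructed CRS values for a hypothetical project
CRS = {
    "approved_services": {"opc-ua", "https", "ntp"},
    "max_av_age_days": 30,
    "min_patch_level": "2024-01",
    "permitted_zone_peers": {"Control": {"Control", "DMZ"}, "DMZ": {"Control", "Enterprise"}},
}

# (requirement id, description, check); a check returns True when the host satisfies it
CHECKS = [
    ("CRS-01", "Only approved services listening", lambda h, c: h.services <= c["approved_services"]),
    ("CRS-02", "Vendor default accounts changed", lambda h, c: h.default_accounts_changed),
    ("CRS-03", "Malware prevention signatures current", lambda h, c: h.av_signatures_age_days <= c["max_av_age_days"]),
    ("CRS-04", "Removable media storage disabled", lambda h, c: not h.usb_storage_enabled),
    ("CRS-05", "OS at or above tested patch baseline", lambda h, c: h.os_patch_level >= c["min_patch_level"]),
    ("CRS-06", "Conduits limited to designed data flows", lambda h, c: h.allowed_peers <= c["permitted_zone_peers"][h.zone]),
]


def punch_list(hosts, crs=CRS):
    """Return (host, requirement id, description) for every failed check; an empty list is a pass."""
    return [(h.name, rid, desc) for h in hosts for rid, desc, check in CHECKS if not check(h, crs)]


# Constructed host records as they might be captured during CSAT
HOSTS = [
    HostRecord("EWS-01", "Control", "2024-03", {"opc-ua", "https", "ntp", "smb"}, True, 45, True, {"Control", "DMZ"}),
    HostRecord("HIST-01", "DMZ", "2024-02", {"https", "ntp"}, True, 10, False, {"Control", "Enterprise"}),
]

if __name__ == "__main__":
    for host, rid, desc in punch_list(HOSTS):
        print(f"{host}: {rid} FAIL - {desc}")
```

Each failed item is a punch-list entry to be closed and re-verified before the operating company accepts the system.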
The final life-cycle phase necessitates maintenance with the trifecta of security management, monitoring, and incident response. Security management is developed through governance policies aimed at sustaining the cybersecurity risk posture of the ICS. Special consideration must be given to asset management, patch management, system backups, and change management. Monitoring comprises the detection of abnormal activity, host and network intrusion detection, and periodic auditing.
To summarize, the benefits of integrating cybersecurity into the ICS project life cycle are:
- a common understanding of cyber risk and of how that risk is secured
- verification that security is properly implemented
- an operations staff that is prepared to manage, monitor, and respond to security incidents before startup
In every stage of the project life cycle, transparency is essential, especially when future projects hinge on a clear vision of success. Practical goals aligned with CFAT, CSAT, and postcommissioning are a starting point. The project team should consist of subject-matter experts from ICS cybersecurity, information technology infrastructure, process control, and project management. Assigning an ICS cybersecurity lead who works closely with all stakeholders from start to finish, with frequent communication along the way, ensures a successful cybersecurity program.
Figure: Typical ICS cybersecurity life cycle
Figure: Example of an ICS risk profile