A rising threat landscape

Extending process hazard analysis to cover cyber risks

Tim Johnson

Director Advisory, Cyber Security Services, KPMG US

+1 214-840-4449

Ransomware attacks are just one feature of a complex and increasingly aggressive threat landscape that organizations should protect themselves against. This includes: 

Evolving threat actors

Cybercriminals are adapting, diversifying, and behaving more like state actors. Criminal operations are changing their tactics to reduce risks of detection and increase disruptions. They are attempting to maximize the return on their effort in several ways, such as: shifting away from partnerships to operating within close-knit syndicates; taking advantage of the increased availability of ICS information to launch attacks; increasing the precision of targeting by using legitimate documents to identify likely victims before delivering malware; or selling and buying direct access to networks for ransomware delivery rather than carrying out advanced intrusions.

Targeted ransomware

There is a complex range of motives at play in targeted ransomware attacks. While the motivation behind an attack may appear to be financial, there may be hybrid motives at work - a combination of financial, ideological and/or political drivers. Regardless, such attacks have the potential to impact the availability of ICS/OT. While the ransomware threat remains, organizations should ensure they take adequate measures to prepare for, prevent, detect, respond to, and contain a corporation-wide ransomware attack.

Supply chain threats

Improved ecosystem hygiene is pushing threats to the supply chain, turning friends into enemies. The global interconnectedness of business, the wider adoption of traditional industry cyberthreat countermeasures, and improvements to basic cyber security hygiene appear to be pushing cyberthreat actors to seek new avenues to compromise organizations, such as targeting their supply chains - including those for software, hardware, and the cloud.

Life after meltdown

Vulnerabilities in ICS/OT infrastructure demand tuned/targeted solutions to prevent impact to availability. The discovery in recent years of vulnerabilities in proprietary process control hardware, such as programmable logic controllers (PLCs), combined with the use of commercial software and hardware for human machine interfaces (HMIs), engineering workstations, and ICS supporting systems such as historians, has an impact on system availability, increasing the risk to organizations, which could lead to loss of life.

Compromising geopolitics

As new threats emerge from disinformation and technology evolution, global businesses may find themselves in the crosshairs as geopolitical tensions persist. Cyberthreat actors may not only sustain current levels of activity, but also take advantage of new capabilities, as new technologies enable more sophisticated tactics, techniques, and procedures (TTPs) which are focused on ICS/OT environments.

Strengthening defenses through cyber PHA

As a result of these factors, expansion of traditional PHA is required to protect process control performed in the ICS/OT domain. This need is made more acute because safety system communication is becoming integrated into the ICS/OT domain as these systems become more digitized and connected. If the interconnected safety system is compromised, the ability to control a runaway process is compromised - potentially leading to environmental and operational hazards, and even loss of life. And with control and safety systems becoming more converged with IT systems, a cyber breach into IT could then more easily spread into the ICS/OT domain as well.

That is why additional Cyber PHA is needed to address the cyber risks and threats that now characterize today’s industrial landscape. Welcome to cyber PHA.

In an ideal world, the first step is to ensure that your ICS/OT domain is cyber resilient through network segmentation. This involves segmentation of the network into zones and conduits, and a distinct boundary between IT and ICS/OT domains. This is the premise of IEC 62443, a series of standards that provide guidance on securing ICS/OT. It covers general guidance, policy and procedures, system technology and design, as well as component requirements.

A cyber PHA can help identify, verify, and design ICS/OT domain boundaries. The Cyber PHA is a safety-oriented methodology to identify and assess cyber risk for ICS/OT domains and safety instrumented systems (SIS). It usually follows a methodology like a HAZOP (hazard and operability study) but adapted for cyber specifically - to be known as CHAZOP.
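One way to verify a zone and conduit design against observed traffic is sketched below. This is an added example, not part of the original article or any KPMG tooling; the zone names, subnets, conduit rules and flow records are constructed for illustration and are not taken from IEC 62443.

```python
import ipaddress

# Constructed zone model (assumption): names and subnets are illustrative only.
ZONES = {
    "enterprise_it": ["10.10.0.0/16"],
    "ot_dmz": ["10.20.0.0/24"],
    "control": ["10.30.1.0/24"],
    "safety_sis": ["10.30.9.0/24"],
}
# Constructed conduits: (source zone, destination zone) -> permitted destination ports.
CONDUITS = {
    ("enterprise_it", "ot_dmz"): {443},
    ("ot_dmz", "control"): {4840},     # OPC UA
    ("control", "safety_sis"): {502},  # Modbus/TCP
}
_NETS = [(ipaddress.ip_network(c), z) for z, cidrs in ZONES.items() for c in cidrs]

def zone_of(ip):
    """Map an address to its zone (longest prefix wins); None if unassigned."""
    addr = ipaddress.ip_address(ip)
    hits = [(net.prefixlen, zone) for net, zone in _NETS if addr in net]
    return max(hits)[1] if hits else None

def check_flow(src, dst, dport):
    """Classify one observed flow against the zone/conduit model."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz is None or dz is None:
        return "unknown_asset"       # endpoint missing from the asset inventory
    if sz == dz:
        return "intra_zone"
    allowed = CONDUITS.get((sz, dz))
    if allowed is None:
        return "no_conduit"          # crosses a boundary with no defined conduit
    return "allowed" if dport in allowed else "port_not_in_conduit"

def audit(flows):
    """Return only the flows that violate the model."""
    checked = [(s, d, p, check_flow(s, d, p)) for s, d, p in flows]
    return [c for c in checked if c[3] not in ("allowed", "intra_zone")]

# Constructed flow records (src, dst, dst port), e.g. summarised from a passive capture.
SAMPLE_FLOWS = [
    ("10.10.4.20", "10.20.0.5", 443),
    ("10.20.0.5", "10.30.1.10", 4840),
    ("10.10.4.20", "10.30.1.10", 3389),   # IT straight into the control zone
    ("10.30.1.10", "10.30.9.2", 44818),
    ("192.168.7.7", "10.30.1.10", 502),
    ("10.30.1.10", "10.30.1.11", 102),
]
print(*audit(SAMPLE_FLOWS), sep="\n")
```

Each finding is either a boundary crossing with no conduit, a permitted conduit used on an unexpected port, or an endpoint that is missing from the zone inventory, which are the items a boundary review would take back to the design.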

A cyber PHA is typically performed in phases, is scalable, and can be applied to individual systems or entire facilities or enterprises. 

The benefits of cyber PHA

There are multiple potential benefits to be gained from conducting a cyber PHA. Most obviously, it ensures system availability by removing system cyber risk. But a cyber PHA can also benefit an organization's broader business practices. Applying a cyber PHA methodology documents an organization's business processes and requires the creation of information security policies, procedures, standards and controls aligned with ICS/OT and with organization objectives.

There are six key phases:

  • Clearly defined articulation of the information security strategy based on organization and business unit objectives.
  • Engineering knowledge defined and aligned security controls based on risk and business objectives.
  • Confident effective staffing resulting from established roles and responsibilities.
  • Interconnected system cause and impact identification facilitating vulnerability and risk management.
  • Targeted and prioritized cyber response and incident management.
  • SecOps defined metrics, reporting, and technology requirements to help meet business objectives.

Cyber PHA is not only a matter of potential business benefits and best practice - it is also coming onto the regulatory radar and may in varying shapes and forms become mandatory in the coming years.

If this becomes adopted into the framework, it will effectively be making cyber PHA a mandatory regulatory requirement - and that could take effect later this year.

Meanwhile, in the U.S., new measures have been introduced by the Department of Homeland Security (DHS) in the wake of last year's gas pipeline cyberattack, which disrupted the flow of gasoline and jet and diesel fuel along the East Coast. The DHS issued two Transportation Security Administration (TSA) Security Directives that feature several measures that owners and operators of critical oil & gas pipelines must implement.

  • The first directive features guidance around cyber security incident reporting, the appointment of an organizational cyber coordinator and gap assessment.
  • The second directive is the one that really has teeth, requiring specific mitigation measures, a formal cyber security contingency and response plan, and an annual review of cyber security architecture.

These requirements, which also include the need to carry out an analysis of network traffic in OT systems, can almost be regarded as “cyber PHA-lite”. What DHS is really asking of these companies is to quickly gain an appreciation of the unique systemwide cyber security components and communications, as well as the interdependencies of IT and OT and the protections that are or are not.

The updated report summarizes the risk assessment procedure called cyber PHA.

By creating a bridge between PHA methods and cyber security risk assessment methods, safety systems become more robust against cyber security attacks.

How KPMG firms can help

KPMG has already helped several clients by leading and performing a cyber PHA. Our multidisciplinary teams with extensive sector experience work closely with CISOs, CTOs and Risk teams at a corporate level, as well as Plant Managers, Operations, and other ICS/OT domain key stakeholders.

Following a gap assessment and stakeholder interviews, we conduct an analysis based on cyber PHA as part of the response alongside other technical security assessments, the design of zones and conduits for two different types of ICS network, and the design of monitoring dashboards to better understand risk exposure.

If you would like to discuss any aspect of a cyber PHA and how it relates to your broader IT and OT security posture, please don't hesitate to get in touch.