Yosi Shavit, CISO Head of ICS Cyber Security Dept. at the Israeli Ministry of Environmental Protection.
Introduction
In my September article, I presented the cyber threats to hazardous materials transporters. In this article, I will introduce solutions to enhance cybersecurity resilience for these transporters. The solutions are divided into technological solutions and those related to proper operational procedures and administrative controls.
Cyber Risk Mitigation for Hazardous Materials Transporters
A. Risk Management Approaches
There are four main approaches to managing cyber risks, including those related to hazardous materials transporters:
Risk Acceptance: Leaving the situation unchanged without implementing the necessary controls or protections while accepting the possible risk of a cyber-attack. This option is rejected as a cyber-attack on a hazardous materials transporter could cause severe harm to public health, including fatalities, as well as significant environmental damage.
Risk Avoidance: Canceling the project to eliminate the risk. In this case, finding an alternative method for transporting hazardous materials that does not involve cyber risks. The likelihood of halting hazardous material transportation through traditional methods is very low in the near future.
Risk Transfer: For example, purchasing cyber insurance from an insurance company. This option can be problematic, as a cyber incident causing a hazardous materials event could present serious risks to public health and life. Financial compensation may not be sufficient for the loss of life or the severe environmental damage that may last for very long periods.
Risk Mitigation: In this option, we map existing risks and implement cybersecurity protections to reduce the exposure surface to cyber-attacks and minimize the likelihood of their occurrence as much as possible. It is essential to acknowledge that a residual risk will always remain.
From the four approaches presented above, the recommendation is to choose risk mitigation. This option allows continued business activities while implementing cybersecurity protections to reduce the likelihood of a cyber incident.
If the risk mitigation option is chosen, the following components should be included in the risk management process:
Mapping all potential attack vectors as outlined in this document and documenting them.
Addressing each attack vector by implementing controls that may reduce the risk.
B. Types of Controls for Enhancing Cyber Resilience
The controls should include the following types:
Operational procedure controls.
Human factor-related controls.
Passive monitoring and alert controls.
Active controls to block illegitimate or anomalous traffic. These controls should be carefully selected to avoid operational issues.
C. Who Should the Controls Apply To?
The controls implemented to minimize cyber risks should apply to the following:
The transporter (the towing and trailer vehicles).
Personnel with physical access to the transporter (fleet workers, drivers, maintenance staff, mechanics, and anyone with physical access to the transporter).
The telematics company, the manufacturer, or any other company connected to the transporter and transmitting/receiving communications.
The supply chain: Any supplier of components, equipment, software, or systems with communicative elements to the hazardous materials transporter.
Any other entity with physical or communicative access to the hazardous materials transporter in any form.
Regarding cyber protection controls at the telematics company, the protections mainly fall under the IT domain. Therefore, it is recommended that the fleet request an external risk assessment of the telematics company to which their vehicles are connected and implement the necessary controls for optimal protection of the systems that communicate with hazardous materials transporters in the fleet.
D. The Process Explanation
Preliminary Steps
Appointment of a Cybersecurity Officer in the Fleet: The fleet manager should appoint a representative responsible for implementing the cybersecurity risk mitigation guidelines outlined in this article. The cybersecurity officer will perform their role alongside their primary responsibilities or may be dedicated to this role.
The role of the cybersecurity officer is to oversee cybersecurity resilience activities in the fleet and act as the contact point with various cyber entities, including regulators, support companies, and colleagues, which will maintain contact with the fleet regarding increasing its cybersecurity resilience.
It is important to note that the cybersecurity officer does not have to be a cyber expert but should be responsible for executing the activities and coordinating between the required parties.
The fleet owner will appoint a deputy cybersecurity officer to cover in their absence.
E. Cyber Risk Assessment
Cyber risk management for hazardous materials (HazMat) carriers is based on risk assessment that reflects the potential damage caused by a HazMat incident due to a cyberattack on HazMat carriers, as well as the exposure level of the HazMat carrier to a cyberattack.
The risk assessment will be conducted according to the principles outlined in this article. Possible scenarios will be analyzed using the "attacker's perspective," given that a human attacker is behind the attack. Optimal cybersecurity requires a deep understanding of the attacker’s methods, identifying them, and preventing their success.
It is assumed that in a malicious cyberattack on a HazMat carrier, the attacker will aim to cause an incident resulting in the release of most or all of the material in the tanker. This involves a significant amount of hazardous material, potentially reaching tens of tons, which poses a serious risk to public health and the environment.
The risks are based on the relevant threats to the HazMat carrier as per the risk analysis performed for the fleet, as detailed in this article.
Risk Assessment – Calculating Impact (I): The risk assessment begins by evaluating the level of impact (I) that could occur to public health or the environment if a HazMat incident happens due to a cyberattack. Although the potential damage can range from levels 1 to 4 based on the method presented in the table in Appendix A of this article, the assumption in a cyberattack on a HazMat carrier is that the attacker will attempt to maximize damage. Therefore, we assume a Worst-Case Scenario (WCS), which considers the greatest possible damage, such as an accident or overturning of the HazMat carrier near population centers. As a result, the damage level is calculated at the maximum values of 3 or 4 (in a classification system from 1 to 4). This implies that there may be irreversible harm to public health (including death) and environmental damage (such as air pollution, soil contamination, water source pollution, etc.) due to the release of toxic substances, flammable materials causing thermal radiation effects, or explosive materials causing pressure effects.
Risk Assessment – Calculating Exposure (P): After calculating the expected level of damage in the event of a HazMat incident caused by a cyberattack, the exposure level (P), i.e., the probability of a cyber event (Probability), must be calculated for the HazMat carrier. This calculation is performed according to the table in Appendix B of this article.
Risk Calculation and System Classification in the Business: The risk level assessment will be based on a combination of the expected damage level and the likelihood of that damage occurring, according to the following formula:
Risk = P + 3 × I
where:
(P) = The exposure level of the HazMat carrier, i.e., the probability of a cyber event, as calculated from the table in Appendix B (a value between 1 and 4).
(I) = The expected level of damage in the WCS – Worst Case Scenario (for HazMat carriers, the value will be 3 or 4, which are the maximum values).
Applying the formula described above will generate a score between 4 and 16. Different risk levels will dictate the required controls:
Level 1: Low-risk potential (green zone).
Level 2: Medium-risk potential (yellow zone).
Level 3: High-risk potential (orange zone).
Level 4: Very high-risk potential (red zone).
Heatmap: The heatmap describes the risk levels as a function of impact and exposure according to the following table:
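The following Python script works the calculation above through end to end: it derives the exposure level P as the one-decimal average of the 24 Appendix B scores, computes Risk = P + 3 × I for the worst-case impact values, and maps the 4-to-16 score onto the four risk levels. It is an added illustration and not a tool from the article or the Ministry; the 24 answers in SAMPLE_ANSWERS are constructed, and the score bands in LEVEL_BANDS are an assumption, since the article names four levels but does not print the thresholds that separate them.

```python
"""Risk scoring as described in the article (section E and Appendix B):
P = mean of the 24 Appendix B parameter scores, rounded to one decimal;
I = worst-case impact level (3 or 4 for a HazMat carrier);
Risk = P + 3*I, which lies between 4 and 16.
Added illustration, not the article's own tool. SAMPLE_ANSWERS is constructed
data and LEVEL_BANDS is an assumption: the article names four risk levels but
does not print the score bands that separate them."""
from decimal import Decimal, ROUND_HALF_UP

VALID_SCORES = (1, 2, 3, 4)


def exposure_level(scores):
    """Appendix B: average of all 24 scores, rounded half-up to one decimal (P)."""
    if len(scores) != 24:
        raise ValueError(f"Appendix B has 24 checked parameters, got {len(scores)}")
    if any(s not in VALID_SCORES for s in scores):
        raise ValueError("every parameter score must be an integer from 1 to 4")
    mean = Decimal(sum(scores)) / Decimal(len(scores))
    return float(mean.quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def risk_score(p, i):
    """Article formula Risk = P + 3*I; with P and I in 1..4 the result is 4..16."""
    if not 1 <= p <= 4:
        raise ValueError("exposure P must lie between 1 and 4")
    if i not in VALID_SCORES:
        raise ValueError("impact I must be an integer from 1 to 4")
    return round(p + 3 * i, 1)


# Assumption (not from the article): four equal-width bands over the 4..16 range,
# upper bound inclusive -> level. Replace with the fleet's adopted thresholds.
LEVEL_BANDS = ((7, 1), (10, 2), (13, 3), (16, 4))


def risk_level(score, bands=LEVEL_BANDS):
    """Map a 4..16 score to risk level 1 (green) .. 4 (red) using the given bands."""
    for upper, level in bands:
        if score <= upper:
            return level
    raise ValueError(f"score {score} is outside the 4..16 range")


def assess(answers, impact):
    """Run the full chain: exposure -> risk score -> risk level."""
    p = exposure_level(answers)
    score = risk_score(p, impact)
    return {"P": p, "I": impact, "risk": score, "level": risk_level(score)}


# Constructed sample: 24 Appendix B answers for one transporter (not real data).
SAMPLE_ANSWERS = [3, 2, 4, 3, 2, 2, 3, 4, 3, 2, 3, 3,
                  2, 3, 4, 2, 3, 3, 2, 2, 3, 3, 4, 2]

if __name__ == "__main__":
    for impact in (3, 4):  # the WCS assumption fixes I at 3 or 4
        print(assess(SAMPLE_ANSWERS, impact))
```

Because I is pinned at 3 or 4 by the worst-case assumption, the 3 × I term alone contributes 9 or 12 of the possible 16 points, so for a HazMat carrier the exposure survey in Appendix B is what moves the result between the upper levels; the input validation in exposure_level also catches the common survey mistake of leaving one of the 24 parameters unanswered.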
F. Determining the Required Controls for Implementation
After calculating the risk level of the process, the vehicle fleet will decide which controls to implement. The higher the risk level, the more recommended it is to implement as many controls as possible from those listed in Appendix C of this article.
In general, regardless of the risk level, and as long as resources and capabilities allow, it is advisable to implement the maximum number of controls from Appendix C of this article.
G. Gap Analysis - Comparison of Current State to Required Controls and Mapping Gaps
Based on the list of protective controls detailed in Appendix C of this article, the business must assess what is currently implemented at the conclusion of the risk survey for each of the examined systems, and what is recommended for implementation according to the results of the risk survey.
The output of the process described in the previous section will be a Gap Analysis - "Desired vs. Actual," prepared by the business.
The resulting gap list serves as the basis for the business's work plan.
H. Building a Work Plan Based on the Gap Mapping
It is the responsibility of the fleet owner, business owner, or the cybersecurity officer in the business to develop a work plan for implementing the required controls, specifying the responsible parties, timelines, and methods of handling. The business owner will allocate the necessary resources, including budget, manpower, and time, for the implementation of the required controls.
The priority for implementing the missing controls within the business as part of the work plan will be determined by weighing the risk level of the hazardous process, the cost of implementing the controls, the complexity of execution, and the speed of implementation.
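As an added illustration of sections G and H (not a tool from the article), the following Python script produces the "desired vs. actual" gap list for each hazardous process and orders the resulting work plan by weighing the process's risk level against the cost, complexity and speed of each missing control. The control names, their categories and their 1-to-4 scores are constructed sample data, and the relative weights in WEIGHTS are an assumption, since the article lists the factors to weigh but does not fix their weighting.

```python
"""Gap analysis ("desired vs. actual") and work-plan ordering, as an added
illustration of sections G and H of the article. All controls, processes and
scores below are constructed sample data; WEIGHTS is an assumption, because
the article names the factors (risk level, cost, complexity, speed) but does
not prescribe how heavily each one counts."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    category: str    # physical / logical / procedural, the Appendix C groupings
    cost: int        # 1 (cheap) .. 4 (expensive)      constructed score
    complexity: int  # 1 (simple) .. 4 (hard)          constructed score
    speed: int       # 1 (fast) .. 4 (slow to deploy)  constructed score


# Constructed list of recommended controls (illustrative, not Appendix C itself).
RECOMMENDED = [
    Control("Cyber awareness briefing for drivers and mechanics", "procedural", 1, 1, 1),
    Control("Supplier software update handling procedure", "procedural", 2, 2, 2),
    Control("Physical access control to transporter diagnostics connectors", "physical", 2, 2, 2),
    Control("Passive monitoring and alerting of telematics traffic", "logical", 3, 3, 3),
    Control("Active blocking of anomalous telematics traffic", "logical", 4, 4, 3),
]

# Assumed weighting: risk pushes a gap up the plan; cost, complexity and slowness push it down.
WEIGHTS = {"risk": 3, "cost": 1, "complexity": 1, "speed": 1}


def gap_analysis(recommended, implemented_names):
    """Section G: recommended controls that the risk survey found are not in place."""
    return [c for c in recommended if c.name not in implemented_names]


def priority(control, risk_level, weights=WEIGHTS):
    """Section H ordering score for one missing control on one process (higher = sooner)."""
    return (weights["risk"] * risk_level
            - weights["cost"] * control.cost
            - weights["complexity"] * control.complexity
            - weights["speed"] * control.speed)


def work_plan(recommended, processes):
    """processes: iterable of (process_name, risk_level, set_of_implemented_control_names).
    Returns (process, control name, priority) tuples, most urgent first; ties are
    broken by process name and then control name so the plan is reproducible."""
    items = []
    for proc, risk, done in processes:
        for control in gap_analysis(recommended, done):
            items.append((proc, control, priority(control, risk)))
    items.sort(key=lambda t: (-t[2], t[0], t[1].name))
    return [(proc, control.name, score) for proc, control, score in items]


# Constructed processes: two transport activities with different risk levels.
PROCESSES = [
    ("Chlorine tanker route", 4, {"Cyber awareness briefing for drivers and mechanics"}),
    ("LPG trailer", 3, {"Cyber awareness briefing for drivers and mechanics",
                        "Physical access control to transporter diagnostics connectors",
                        "Supplier software update handling procedure"}),
]

if __name__ == "__main__":
    for step, (proc, name, score) in enumerate(work_plan(RECOMMENDED, PROCESSES), 1):
        print(f"{step:2d}. [{proc}] {name} (priority {score})")
```

The gap list is a plain set difference between the Appendix C-style recommendations and what the survey found implemented, which keeps it auditable; the ranking is the part a fleet will want to tune, and keeping the weights in one dictionary makes that adjustment explicit rather than buried in the sort order.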
Appendix A
The assumption is that in a cyberattack attempt on a hazardous materials transporter, the attacker will try to inflict maximum damage. Therefore, we assume a Worst-Case Scenario (WCS) situation, which considers the greatest potential damage, i.e., an accident or a hazardous materials transporter overturning near population centers. Hence, the damage level is always calculated at high values of 3 or 4. In these cases, there may be irreversible harm to public health (including death) and, of course, environmental harm (air pollution, soil, water sources, etc.) as a result of hazardous materials release events, radiation effects, or pressure effects (according to the values described in the table).
Appendix B
Table for Determining the Exposure Level (P) of Hazardous Materials Transporters
In this table, you must answer all 24 questions in the "Checked Parameter" column by giving a score between 1 and 4. After assigning scores to all the questions, calculate the exposure level by finding the average of all the given scores, rounded to one decimal point for the entire table. The resulting value is the exposure level (or the probability of the event occurring) and is denoted by the letter P.
Appendix C
Recommended Controls List
To reduce the risk level of a cyber event in a hazardous materials transporter (tractor or trailer), a list of controls is recommended to increase the cyber resilience of the hazardous materials transporter.
The list of controls includes processes, procedures, protection systems, and various technologies. These controls are grouped according to different categories: physical protection controls, logical protection controls, and procedural-level controls.
The list of controls is presented in the table below: