
Risk assessment in industrial control systems and OT networks that control hazardous materials

Yosi Shavit, CISO Head of ICS Cyber Security Dept. at the Israeli Ministry of Environmental Protection.


Calculating the cyber risk level in the Hazmat Industry


Risk management is based upon the risk assessment that reflects the vulnerability level of computer systems, the assessment of the threats, their potential consequences, and the probability of their occurrence.


The possible scenarios will be inspected according to the principle of “looking through the eyes of the assailant”, because behind every cyber-attack there is a human attacker. Effective cyber security requires a deep understanding of the ways an attacker might operate, how to identify them, and how to prevent them.


The assumption is that during a malicious cyber-attack, most of the hazardous substance will be released in the component that contains the largest amount in the hazardous process that is connected to the computer system[1] (as opposed to a release following a malfunction or an accident), and therefore calculations as to the dispersion of the hazardous substances will be made accordingly.



Calculating the Risks


The risks are based on the relevant threats to the components of each system according to the risk analysis carried out by the business.

In calculating the risk, we have to calculate the following two parameters:

  1. Impact level (I). A risk assessment begins with an assessment of the impact level that might be caused to the environment or public health if a hazardous substance event occurs following a cyber-attack. The impact level will be assessed at a range between 1 and 4 according to the method presented in the table provided in this article. Please note that the score determined at this stage is for the maximum impact level.

  2. Exposure level (P). After calculating the expected impact level of a hazardous substance event caused by a cyber-attack on the business, the exposure level must be calculated, that is, the probability of a cyber event in systems that manage/control hazardous substances. That calculation is performed in this article.


Calculating the risk assessment and the classification of the systems in the business


The risk level assessment is based upon a weighted calculation of the impact level expected given the probability that the impact will occur, according to the following formula:


Risk = P + 3*I


The risk is equal to the exposure level plus three times the impact level[2]

 

We multiply I by 3 to give the value of I more influence because we are talking about public health and human life.


The greater the impact, the greater the risk, and the greater the risk, the greater the number of controls that need to be implemented.


(I) = The expected impact level concerning the worst-case scenario 

(P) = The probability that the impact will occur

Application of the formula specified herein above for calculating the risk level will create a score of between 4 and 16.


Each one of the computer systems in the business that manages / controls hazardous substances will be classified into one of four groups according to its risk assessment, as specified herein below:

  • Level 1 (Green): A low risk potential (a score between 4 and 7).

  • Level 2 (Yellow): A medium risk potential (a score between 8 and 11).

  • Level 3 (Orange): A high risk potential (a score between 12 and 14).

  • Level 4 (Red): A very high risk potential (a score between 15 and 16).


The Heat Map


The following heat map describes the risk level as a function of the impact and exposure level:



Number of Controls to implement.

 

The number of controls to be assimilated at every risk level.

Note that each control level includes the controls of the previous levels, for example control level 4 includes all the possible controls of levels 1, 2, 3, 4.



Determining the controls that are required to be implemented.


After calculating the risk level of the process, the business will know what control package it must implement according to the key provided herein below:

 

  • Risk level at values of 4 through 7: Controls package 1.

  • Risk level at values of 9 through 11: The controls package from level 2 (that includes the controls from levels 1 and 2).

  • Risk level at values of 12 through 14: The controls package from level 3 (that includes the controls from level 1, the controls from level 2, and the controls from level 3).

  • Risk level at values of 15 through 16: The controls package from level 4 (that includes the controls from level 1, the controls from level 2, the controls from level 3, and the controls from level 4).

 

The framework of the controls that are based on the cyber security framework (the NIST CSF framework) is comprised of five functions as follows:


  • Identify - risk identification that includes mapping of the hazardous substances connected to the computer systems that manage/control hazardous substances and performance of a risk assessment of such systems.

  • Protect - assimilation of controls according to the risk level obtained in the risk assessment to minimize as much as possible the probability of a cyber event that would cause a hazardous substance event.

  • Detect - assimilation of capabilities to identify an existing attack or

  • Respond - a response to an event, after the event has occurred.

  • Recover - recovery from the event and resuming routine operation.


Understanding the importance of protecting both the OT and IT realms is crucial for comprehensive cybersecurity measures.


The required controls are primarily intended to protect the OT network and industrial control systems. However, it's important to understand that we also need to address the attack vector from the IT realm. Therefore, some of the controls should deal with this issue (such as remote connections to the OT network from the IT network, the use of ERP systems sitting in the IT realm and transmitting work orders to the OT network, etc.).

  

How to calculate the impact (I)?


The level of impact will be the highest value given in the “score” column.

The maximum impact is calculated by the CIA TRIAD, which is the basis for information security, and includes the safety (S) component, as a cyber-attack on computerized control systems dealing with hazardous materials

It's important to note that in the scenario of an attack on industrial control systems containing hazardous materials, we consider the worst-case scenario (WCS).

 

In scenarios involving hazardous material incidents, we consider the following scenarios:

  • Dispersion of hazardous materials into the air, measured in parts per million (PPM).

  • Heat radiation resulting from the ignition of hazardous materials, calculated in kilowatts per square hour.

  • Pressure effects caused by the explosion of hazardous materials, calculated in units of pressure (BAR).

         

We can accurately calculate these values using software programs designed for this purpose. For example, there's software like Aloha that specializes in these calculations. 

We can download the Aloha software for free from the website of the United States Environmental Protection Agency (EPA) at: https://www.epa.gov/cameo/aloha-software

As of the writing of this article, the latest version is 5.4.7.

 

ALOHA® (Areal Locations of Hazardous Atmospheres) is the hazard modeling program for the CAMEO® software suite (Computer-Aided Management of Emergency Operations), which is used widely to plan for and respond to chemical emergencies. 

ALOHA allows you to enter details about a real or potential chemical release, and then it will generate threat zone estimates for various types of hazards.  ALOHA can model toxic gas clouds, flammable gas clouds, BLEVEs (Boiling Liquid Expanding Vapor Explosions), jet fires, pool fires, and vapor cloud explosions. The threat zone estimates are shown on a grid in ALOHA, and they can also be plotted on maps in MARPLOT® (Mapping Application for Response, Planning, and Local Operational Tasks), Esri's ArcMap, Google Earth, and Google Maps. The red threat zone represents the worst hazard level, and the orange and yellow threat zones represent areas of decreasing hazard.[4]


 

The diagram above shows the impact zones in public scenarios: the red circle represents the range where human fatalities may occur, the orange circle indicates an area where there is irreversible health damage, and the yellow zone is an area where there is reversible damage (which can be treated, and the person can recover).

 

How to calculate the max impact level (I)?


To calculate the value of the max impact (I), we need to answer 4 basic questions related to safety, confidentiality, integrity, and availability. Each answer is scored from 1 to 4 (1 is the lowest, and 4 is the highest). The highest value (SCORE) obtained is the value of the Impact Level (I).

 

How to calculate the exposure level (P)?


To calculate the exposure level (P), a response must be provided to 36 predefined questions by providing a score from 1 to 4 (1 is the lowest, and 4 is the highest). After assigning a score to all the questions, the exposure level will be calculated by summing up all the scores and calculating the average of all the answers. The result obtained is the exposure level (P).


The analysis will be carried out according to this method relating to each process noted in the hazardous processes analysis and related to each computer system in each of those processes.
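
The full calculation for one computer system, as an added example (not the author's code): I as the highest of the four S/C/I/A scores, P as the average of the 36 exposure answers, Risk = P + 3*I, then the level band and the cumulative control packages. The function names, the sample scores and the handling of fractional risk scores that fall between two bands are assumptions; the band boundaries are taken from the Level 1 to Level 4 classification list.

```python
from math import ceil
from statistics import mean

# Level bands from the article's classification list: (lower bound, level, colour).
BANDS = [(15, 4, "Red"), (12, 3, "Orange"), (8, 2, "Yellow"), (4, 1, "Green")]
N_EXPOSURE_QUESTIONS = 36


def _check_scores(scores, expected_count, label):
    """Every answer must be an integer score from 1 to 4."""
    if len(scores) != expected_count:
        raise ValueError(f"{label}: expected {expected_count} scores, got {len(scores)}")
    if any(not isinstance(s, int) or not 1 <= s <= 4 for s in scores):
        raise ValueError(f"{label}: every score must be an integer from 1 to 4")


def impact_level(safety, confidentiality, integrity, availability):
    """I = the highest of the four S/C/I/A scores (worst-case scenario)."""
    scores = [safety, confidentiality, integrity, availability]
    _check_scores(scores, 4, "impact")
    return max(scores)


def exposure_level(answers):
    """P = average of the 36 exposure answers."""
    _check_scores(answers, N_EXPOSURE_QUESTIONS, "exposure")
    return mean(answers)


def assess(impact_scores, exposure_answers, round_up=False):
    """Return risk score, level, colour and the cumulative control packages."""
    i = impact_level(*impact_scores)
    p = exposure_level(exposure_answers)
    risk = p + 3 * i                     # Risk = P + 3*I, range 4..16
    # Assumption: P is an average, so risk can fall between two bands
    # (e.g. 7.5). By default a score stays in the lower band until it
    # reaches the next lower bound; round_up=True bands ceil(risk) instead.
    banded = ceil(risk) if round_up else risk
    level, colour = next((lvl, col) for low, lvl, col in BANDS if banded >= low)
    return {"I": i, "P": p, "risk": risk, "level": level, "colour": colour,
            "control_packages": list(range(1, level + 1))}


# Constructed sample: one system, S/C/I/A scores and 36 exposure answers.
SAMPLE_IMPACT = (2, 1, 2, 1)                 # I = 2
SAMPLE_EXPOSURE = [1] * 18 + [2] * 18        # P = 1.5
```

With the constructed sample the score lands between the Green and Yellow bands, so the choice of `round_up` decides whether control package 2 is required.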


A formalized table is available per request, containing all questions and parameters for calculating both the impact and the exposure factors.


The table was constructed by the article's author through piloting risk assessments in various sectors, along with personnel from different areas of the production floor: control and ICS systems personnel, and OT personnel. Personnel from the chemistry and hazardous materials department also contributed to the construction of this table.



How to calculate the exposure level (P)?


In the following table, a response must be provided to all 36 questions outlined in the column “the parameter being inspected” by providing a score between 1 and 4. After assigning a score to all the questions, the exposure level will be calculated by summing up all the scores and calculating the average of the entire table. The result obtained is the exposure level - P.

The analysis will be carried out according to this table relating to each process noted in the hazardous processes analysis and related to each computer system in each of those processes.






 
