Book Synopsis: Security PHA Review for Consequence-Based Cybersecurity - Jim McGlone & Edward Marszal
By Jim McGlone, Chief Marketing Officer at Kenexis Consulting Corporation
Co-author of Security PHA Review
We are looking forward to hearing from Jim McGlone on September 15, 2021 at the OT Cyber Risk - Taking it Down symposium at 1:00PM - 5:00PM EDT.
During a cybersecurity project on an oil refinery in Europe, the ideas used in this book became a reality. The project was ultimately being led by IT-focused people, and the industrial control systems were subcontracted to our company.
Everyone on the project wanted to do what they knew how to do, and I recognized that the safety functions and the industrial control system were at great risk. Trying to explain to them that they were focused on the wrong thing was frustrating. Local engineering didn’t want us there, and the control systems were all cross-connected and essentially a flat network for an entire refinery and all the auxiliary processes. This facility couldn’t even shut its blast doors, so it was frustrating.
What really pointed at the problem was the traditional cybersecurity risk calculations. The team wasn’t concerned about equipment that could blow up or emit toxic gas. Meanwhile, there were three different vendors remotely connecting to the power generation equipment alone, and no one knew it until we found the modems. At least one more vendor was connecting remotely to the DCS network too.
During several calls back to the other author, Ed pointed out that the risk calculations should already have been completed for the safety functions in their PHA or HAZOP. The local engineers gave me a PHA from 1969.
This is how we got to the ideas that are conveyed in the ISA book Security PHA Review for Consequence-based Cybersecurity. By focusing on the possible consequence of a loss-of-control scenario, we were able to determine if the cause and safeguards for that scenario were vulnerable to cyberattack. If they were vulnerable, we devised a method to determine the Security Level – Target (SL-T) from the ISA/IEC 62443 standard or devise an alternative safeguard to prevent the attack from causing the consequence.