Strategic Decision-Making in Cyber-Physical Risk Assessments and Cyber Ethics.

Cyber-physical risk assessments are among the toughest assessment tasks because they require many decisions before the assessment itself can even start. These decisions include setting the goals of the assessment, planning how to approach it, and sometimes also weighing ethical issues.

Conducting cyber-physical risk assessments effectively requires substantial knowledge and skill, because these assessments cover both the process automation and the physical installation it controls. Typically, the task demands a team of experts from diverse fields who pool their expertise so that all aspects of the risk are thoroughly addressed and managed. A team-based approach is crucial because the risks in modern cyber-physical systems are complex and interconnected. Ideally, the team includes a risk analyst who guides decision-making and identifies the options available.

This article discusses some of the decisions we need to make and the role of cyber ethics in these decisions.

The first choice we need to make concerns the objective of the risk assessment. The objective will not only determine the scope and focus but also influence the assessment strategy we select. What objectives might we pursue in a cyber-physical risk assessment?

  • Assess Vulnerabilities and Threats: This objective is to identify vulnerabilities within the cyber-physical system and understand the threats that could exploit these weaknesses. This helps in preparing cyber defenses against the attack scenarios most likely to cause significant harm or operational disruption. The focus and scope of the assessment are crucial decisions, because we can choose to limit the assessment to the digital, computerized part of the installation or include the physical part as well. If we opt for the latter, we must also take into account the process automation design, the chemical and operational dynamics of the production process, and the physical installation’s ability to maintain its operational and structural soundness under the various process conditions an attack could induce.
  • Determine Risk Exposure Levels: This involves quantifying the level of risk associated with the various threats and vulnerabilities. The objective is to determine how these risks align with the plant’s overall risk tolerance, particularly in terms of process safety, compliance, financial stability, and reputational impact. This is a relatively new approach to cyber-physical risk, driven over the past ten years by regulators’ heightened awareness of the dangers that cyber threats pose to the community and the environment, and by the plant’s operational compliance requirements linked to its operating permit.
  • Establish Compliance with Regulations and Standards: Ensuring that the plant meets all relevant industry regulations and standards is a fundamental objective. This compliance is vital not only for legal operations but also for maintaining safety, environmental stewardship, and community trust.
  • Develop and Prioritize Mitigation Strategies: Based on the identified risks and their potential impacts, the objective is to develop effective mitigation strategies that reduce risk to acceptable levels. Prioritization helps allocate resources efficiently to areas where they can have the greatest effect in enhancing safety and operational integrity.
  • Identify Critical Assets and Systems: The primary objective is to determine which components of the plant—such as control systems, operational technology, and physical infrastructure—are critical to maintaining safe and continuous operations. This ensures that security efforts are prioritized where they are most needed to prevent disruptions that could lead to unsafe conditions or financial losses.
  • Support Business Continuity and Emergency Preparedness: An important objective is to ensure that the plant has robust plans in place for business continuity and recovery in the event of cyber-physical incidents. This supports the broader business goal of maintaining operational uptime and minimizing financial losses during disruptions.

Selecting the objectives of our risk assessment largely determines the strategy for assessing risk and the methods available. What risk assessment strategies are available?

There are principally two main strategies: a bottom-up and a top-down assessment strategy. However, we can combine them in a hybrid approach, which integrates elements of both the bottom-up and top-down strategies. Additionally, there is the layered approach. If we need to expand the scope of the risk assessment to include various organizational risk vectors, we typically segment the analysis into multiple layers and aggregate the risks from these layers to determine the overall risk. Let’s take a closer look at the bottom-up, top-down and hybrid approaches.

Bottom-Up Approach:

  • Detailed Risk Identification: Begins at the level of individual components and subsystems, examining specific vulnerabilities in the process automation functions and their interface with the process installation.
  • Operational Focus: Looks at everyday operational risks and technical specifics, which might include anything from firmware updates to sensor malfunctions, and how these can escalate to more significant system-wide issues.

Top-Down Approach:

  • Strategic Focus: Starts with organizational goals and strategic vulnerabilities, considering how cyber threats and process hazards can affect these broader objectives.
  • System-Level Analysis: Prioritizes threats that could cause widespread disruption or systemic failures, focusing on high-level network security, data integrity, and the interdependencies between the process automation functions and the cyber and physical components.

Hybrid Approach:

  • Integrated Risk Management: Combines detailed risk identification with strategic analysis and system-level understanding.
  • Comprehensive Perspective: Balances the granularity of bottom-up analysis with the strategic perspective of top-down approaches to provide holistic risk management in Cyber Physical Systems (CPS).

For the objectives Assess Vulnerabilities and Threats and Develop and Prioritize Mitigation Strategies, we can select a top-down, bottom-up or hybrid approach; all three work. The other objectives are more restrictive. For Determine Risk Exposure Levels we have to select the bottom-up approach, because we need the granularity it offers to compare the results with the process safety HAZOP results. For Establish Compliance with Regulations and Standards and Identify Critical Assets and Systems we require a top-down approach. For Support Business Continuity and Emergency Preparedness, a hybrid approach is good practice.

Apart from the risk assessment approach, the risk estimation method also matters. Here too there are two main methods and a hybrid: we can select a qualitative estimation method, a quantitative method, or a hybrid semi-quantitative method. Again, not every objective aligns with every method, and the type of industry may force a specific choice. Engineers in the nuclear industry would use quantitative methods, or perhaps a semi-quantitative method as a compromise; a qualitative method would typically be viewed as too subjective for that industry and would not align with the very strict regulations governing it. The regulator can also mandate a specific estimation method.

In the general process industry both qualitative and semi-quantitative risk estimation methods are in use; whether we need quantitative results depends on the objective. For example, an objective like Determine Risk Exposure Levels requires quantitative results so they can be compared with the plant’s process safety risk criteria. As long as our objectives are limited to prioritization, both quantitative and qualitative results are acceptable, since an ordinal ranking is enough to decide what to fix first. But when the ambition shifts toward prioritization and justification, we need a quantitative or semi-quantitative estimation method, because a result can only be justified against an explicit risk criterion if it is expressed in the same units as that criterion.
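The following script is an added example, not code from the original article or from any standard it mentions; it estimates the same four constructed attack scenarios twice, once with a qualitative likelihood-by-severity score and once semi-quantitatively against per-consequence tolerance criteria, to show where the two methods agree (prioritization) and where only the second one can justify a decision. The likelihood bands, the frequency calibration, the safeguard failure probabilities and the tolerable-frequency criteria are all hypothetical values chosen for illustration.

```python
"""
Added example, not from the original article: the same four constructed
cyber-physical attack scenarios estimated twice, once with a qualitative
likelihood x severity score (ordinal, prioritization only) and once with a
semi-quantitative frequency estimate compared against per-consequence
tolerance criteria (justification). All scenario data, frequency bands and
tolerance thresholds are hypothetical and do not come from any standard,
regulator or real plant.
"""
from dataclasses import dataclass
from enum import IntEnum


class Likelihood(IntEnum):
    """Qualitative likelihood bands (ordinal)."""
    RARE = 1
    UNLIKELY = 2
    POSSIBLE = 3
    LIKELY = 4


class Severity(IntEnum):
    """Qualitative consequence classes (ordinal)."""
    MINOR = 1
    SERIOUS = 2
    MAJOR = 3
    CATASTROPHIC = 4


# Semi-quantitative calibration: assumed upper-bound initiating-event
# frequency (events per year) for each likelihood band. Hypothetical.
FREQUENCY_PER_YEAR = {
    Likelihood.RARE: 1e-4,
    Likelihood.UNLIKELY: 1e-3,
    Likelihood.POSSIBLE: 1e-2,
    Likelihood.LIKELY: 1e-1,
}

# Hypothetical plant risk criteria in the form process-safety criteria take:
# the maximum tolerable frequency (per year) of each consequence class.
TOLERABLE_FREQUENCY = {
    Severity.MINOR: 1e-1,
    Severity.SERIOUS: 1e-2,
    Severity.MAJOR: 1e-4,
    Severity.CATASTROPHIC: 1e-5,
}


@dataclass(frozen=True)
class Scenario:
    name: str
    likelihood: Likelihood
    severity: Severity
    # Probability (0..1) that the existing safeguards fail to stop the
    # attack from reaching its physical consequence. Hypothetical.
    safeguard_failure: float


def qualitative_score(s: Scenario) -> int:
    """Risk-matrix cell value: likelihood x severity. Ordinal only."""
    return int(s.likelihood) * int(s.severity)


def qualitative_rank(scenarios):
    """Ranking for prioritization; ties broken by severity. Says nothing
    about whether any scenario is tolerable."""
    return sorted(scenarios,
                  key=lambda s: (qualitative_score(s), int(s.severity)),
                  reverse=True)


def consequence_frequency(s: Scenario) -> float:
    """Estimated frequency (per year) of the physical consequence."""
    return FREQUENCY_PER_YEAR[s.likelihood] * s.safeguard_failure


def risk_gap(s: Scenario) -> float:
    """Estimated frequency divided by the tolerable frequency for the
    consequence class: > 1 exceeds the criterion, <= 1 is tolerable."""
    return consequence_frequency(s) / TOLERABLE_FREQUENCY[s.severity]


def exceeding_criteria(scenarios):
    """Names of scenarios that need further risk reduction, worst first."""
    over = [s for s in scenarios if risk_gap(s) > 1.0]
    return [s.name for s in sorted(over, key=risk_gap, reverse=True)]


# Constructed sample scenarios for a hypothetical water treatment plant.
SCENARIOS = [
    Scenario("Engineering workstation malware alters safety logic",
             Likelihood.UNLIKELY, Severity.CATASTROPHIC, 0.1),
    Scenario("Remote access abuse changes chlorine dosing setpoint",
             Likelihood.POSSIBLE, Severity.MAJOR, 0.05),
    Scenario("Ransomware on historian halts compliance reporting",
             Likelihood.LIKELY, Severity.MINOR, 0.5),
    Scenario("Phishing foothold confined to office network",
             Likelihood.LIKELY, Severity.SERIOUS, 0.01),
]


if __name__ == "__main__":
    print("Qualitative ranking (prioritization only):")
    for s in qualitative_rank(SCENARIOS):
        print(f"  score {qualitative_score(s):2d}  {s.name}")
    print("Semi-quantitative comparison against tolerance criteria:")
    for s in SCENARIOS:
        print(f"  {consequence_frequency(s):.1e}/yr  gap x{risk_gap(s):.2g}  {s.name}")
    print("Needs further risk reduction:", exceeding_criteria(SCENARIOS))
```

Run stand-alone, the qualitative matrix ranks the chlorine dosing scenario first, while the semi-quantitative comparison shows the safety-logic scenario exceeds its (hypothetical) criterion by a factor of ten and the dosing scenario by a factor of five, and that the two low-severity scenarios are already tolerable. Only the second form can be put next to a plant's process safety criteria; the first can only order the list.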

So, there are plenty of decisions to make before we can actually start a risk assessment. To limit the length of this article, I want to end with another restriction and risk decision not often addressed in cybersecurity, which I would call cyber ethics.

For me, cyber ethics refers to the moral principles and guidelines governing the responsible use, management, and protection of the cyber-physical systems (especially those systems where the potential security breach directly impacts human safety and the environment) from cybersecurity threats.

Let’s first look at some possible Cyber Ethical Considerations I consider of importance:

  • Primacy of Safety: The primary ethical imperative in any industry where there is a risk of fatalities must be the safeguarding of human life and environment. Any strategy that seeks to optimize costs at the expense of potential safety measures needs to be carefully scrutinized.
  • Transparency and Accountability: It is ethically crucial that decisions made to optimize costs are transparent and that organizations (asset owners, service providers, vendors) remain accountable for the outcomes of those decisions.
  • Justification of Risk: Any adoption of riskier, cost-saving measures must be ethically justified by demonstrating that these risks are managed as prudently as possible. This includes rigorous testing, monitoring, and fallback plans to protect against unforeseen failures.
  • Informed Consent: In industries affecting public safety, it is ethically necessary to involve and inform all stakeholders, including employees, local communities, and regulators. They should understand the potential risks associated with implementing a cost-optimization strategy and have a say in the decision-making process.

Dale Peterson, founder of Digital Bond and S4 Events.

I mention cyber ethics because there is a group of cyber-physical systems that some consider too small to afford the necessary cyber defense, even though their potential impact on the community, if breached by a cyber terrorist organization, is significant. Specifically, Dale Peterson suggested in an article using a Barbell risk strategy for small water utilities, referring to Taleb’s use of this risk strategy.

Nassim Nicholas Taleb has written several books on risk that any risk analyst should read. For example, his works The Black Swan: The Impact of the Highly Improbable and Antifragile: Things That Gain from Disorder have had a significant impact on risk analysis. His concept of antifragility extends beyond resilience or robustness; it describes systems or entities that actually benefit from shocks, stressors, volatility, or disorder. According to Taleb, fragile systems are harmed by volatility and stressors, robust systems resist them, and antifragile systems improve as a result of these challenges. He writes: “The resilient resists shocks and stays the same; the antifragile gets better”. Generally this is true, but the question is whether we can accept this ‘learning curve’ approach as a valid risk strategy in cases where there is no or only limited recovery, such as systems that can cause environmental damage and fatalities if they fall victim to a cyber attack.

The Barbell strategy is used extensively in financial investments. The underlying idea of the Barbell Strategy is to hedge against major losses while positioning for potentially significant gains. By securing most of the investment in very safe assets, the strategy mitigates the risk of large-scale financial downturns negatively impacting the entire portfolio. Meanwhile, the high-risk portion of the portfolio, while risky, only comprises a small portion of the total investments, limiting the potential for devastating losses. Yet, this same high-risk end holds the promise of outsized returns, which could substantially increase the overall value of the portfolio.

In security terms, Dale suggests a strategy with two parts. First, defend against everyday attacks, for example by blocking reconnaissance efforts, limiting Internet access, and protecting against malware infections. Second, rather than trying to prevent attacks from advanced threat actors such as nation-state or state-sponsored actors, the plant should emphasize enhancing its recovery capabilities.

Dale’s recommended application of the Barbell strategy to cyber-physical systems appears overly optimistic to me, as if to say: “While this cyber attack resulted in a fatality, it also provided us with a learning opportunity.” I believe that fatalities could result from cyber attacks on small water utilities. While there are no direct examples of fatalities caused by such attacks, the theoretical risk is significant when considering the impact a compromised water system could have on public health and safety. The size of the utility, whether small or large, pertains to its production capacity, but the community loss impact, whether it involves a single fatality, ten fatalities, or hundreds, is unacceptable in all cases. A small water utility needs to meet the same water quality requirements and risk criteria as a large water utility would.

Coming from a process automation background, where safety is paramount, I find this view unacceptable. Given that capable attackers, such as nation-states, cyber terrorists, and nation-sponsored actors, often aim for high-impact outcomes, we must critically assess such an approach. This leads to crucial questions: What factors should influence the robustness of our defenses, and how much should we invest in protecting our systems against potential attacks?

For me, the answer to this question depends on the facility’s threat profile and the potential loss impact of the production process. The threat profile determines which threat actors might target the facility, while the loss impact defines the severity of the risks to human safety and the environment. Financial impact is less relevant here: although a private company puts monetary value at risk in most cases, that is not comparable to the risks to human safety and the environment. If a nation-state, state-sponsored or cyber terrorist attacker could potentially target a small water utility, then the potential loss impact demands a protection level that meets the risk tolerance criteria for water utilities; its production capacity does not seem relevant to me. So the ethical criteria “Primacy of Safety” and “Justification of Risk” lead to the conclusion that applying a Barbell risk strategy to small water utilities fails to meet the cyber ethics criteria.
