The Mental Miser of the OT Security World – Overcoming Fear to Redefine Concepts

Sinclair

How feasible is it to evolve and reconsider concepts within the field of OT security? Our approach to security design in the realm of cyber-physical systems has been notably shaped by the IEC/ISA 62443 standard.

ISO 27001 has historically encountered challenges when applied in the operational technology (OT) context, but some asset owners have used it for security certification, albeit at a high level of abstraction. In recent years, an alternative concept, exemplified by the NIST Cybersecurity Framework, has gained significant traction due to its clarity and ease of implementation. This alternative has garnered support from individuals who perceive IEC/ISA 62443 as overly complex.
Nonetheless, the influence of IEC/ISA 62443 remains significant, partly attributed to its comprehensive training and certification programs.

I had the privilege of participating as a reviewer during the initial revision of IEC/ISA 62443-3-3, dating back to 2009. This experience allowed me to learn from engaging discussions among experienced professionals such as Johan Nye (Exxon), Jeff Potter (Emerson), Kevin Staggs (Honeywell), and Ragnar Schierholz (ABB). But there were many more great experts from the early days of OT security. The collaborative effort of a team of 18 authors and 27 reviewers culminated in the publication of ISA-62443.3.3 (99.03.03) on September 4th, 2011, the very first security standard for operational technology. I write operational technology (OT), though in those days the term OT wasn’t much in use.
Roughly 18 months later, the International Electrotechnical Commission (IEC), a global standards organization comprising nation-states, initiated a review process and incorporated minor amendments to the original ISA document. This significant event marked the introduction of the world’s first global standard dedicated to OT security, designated as IEC 62443-3-3 (August 2013). Notably, this standard received official government-level endorsement, signifying a momentous achievement.

Following this milestone, ISA continued to release a series of additional standard documents, each contributing to the development of a comprehensive framework aimed at enhancing the security of industrial automation systems. While some of these documents were highly regarded, others were seen as having varying degrees of quality, depending on one’s perspective. However, it’s essential to note that all of these standards undergo periodic updates on a five-year cycle to ensure they remain aligned with current industry practices and technology while continually improving their effectiveness.

Practitioners of the standard have grappled with the definitions of security levels as outlined in IEC 62443-3-3 for an extended period. Notably, important inconsistencies have emerged in the definitions of security level target (SL-T), security level achieved (SL-A), and security level capable (SL-C). Additionally, the original security levels were primarily based on the threat actor, lacking a direct link to risk reduction. This posed a growing challenge, particularly for system integrators who rely on risk analyses as the foundation of their design approach.

In previous articles, I’ve referred to security design based on IEC/ISA 62443.3.3 as a prescriptive method. However, industry demand has been shifting towards a risk-based approach that enables the customization of defense strength based on the actual risk profile. Different industries encounter varying threats, necessitating tailored levels of protection to prevent either over-protection or under-protection of these critical systems. A risk-based design method offers the advantage of adaptability, customization, and cost-effectiveness, making it a valuable approach for addressing security challenges in a dynamic and complex threat landscape. This, together with the various inconsistencies that emerged over time, has led to an attempt to define better IEC/ISA 62443 security levels.

Many meetings and discussions, as well as a stepwise refinement process, led to the development of a list containing four different definitions for the security levels, with two of them being risk-based. A majority of the group of subject matter experts agreed on one aspect: the existing definitions needed to be revised. Moreover, there appeared to be a clear preference for a definition grounded in risk reduction. While this was all progressing smoothly, a significant issue arose. Transitioning from the current definition to the new risk-based definition would entail a substantial change to the standard, a change that an IEC representative was hesitant to support.

This brings me to the topic of this article: the challenge of reevaluating our security concepts. Is it reasonable to continue with an initial concept that was discussed and chosen 15 years ago, even when experienced practitioners are actively seeking solutions to address evident gaps in that definition?
Many books have explored the foundation of this topic, and Adam Grant’s bestseller, ‘Think Again,’ directly addresses the reluctance to reconsider our answers and concepts. Often, we find it more convenient to cling to old perspectives rather than wrestle with new ones. I encounter similar challenges when discussing semi-quantitative risk assessment; many individuals preconceive that it can’t be achieved.

However, if you ask why they adhere to the outdated concept of cyber risk estimation based on unconditional probability, which is ill-suited for analyzing the risk of cyber attacks against cyber-physical systems, the primary reason given is the lack of adequate data to establish a reliable probability. There are simply not enough of these cyber attacks to estimate a reliable probability. This argument, which I fully support and which was also used in the above-mentioned security level discussion by one of the participants, is valid. However, a different method such as the proposed ROPA (Rings of Protection Analysis) method does not rely on an unconditional probability based on the number of cyber attacks. Instead, it estimates a conditional probability based on each ring’s own defensive strength and the chance of failure of the defensive ring(s) it depends on for protection.

This represents an entirely different type of probability, one that we can estimate even in the absence of data on the frequency of cyber attacks against a cyber-physical system. We estimate the strength of the defense (the probability it fails if attacked), and we want to be ready if attacked. These strength levels can be adjusted for different threat levels, very similar to the approach used in analyzing terrorist threats. Our education typically covers unconditional probability, whereas the theory of conditional probability is relatively more recent and involves more complex formulas compared to Blaise Pascal’s unconditional probability. But we prefer to hang on to the traditional concept of probability, avoiding the difficulty of grappling with a new concept.

Process safety, specifically its metric Probability of Failure on Demand (PFD), is based on unconditional probability. Safety barrier failures happen randomly due to wear and tear of the barrier. PFD is a widely used metric in the realm of functional safety. It quantifies the likelihood that a safety instrumented function (SIF) will fail to execute its intended safety function when required. PFD depends on various factors, including the Mean Time Between Failures (MTBF) of the safety barrier and the frequency of proof testing for that barrier. Sufficient statistical data is available to reliably estimate this metric.
Furthermore, there is ample information regarding event frequency, specifically the frequency at which equipment failures leading to safety hazards occur. This wealth of data has given rise to a technique known as Layers of Protection Analysis (LOPA), which has proven its effectiveness over the past two decades. However, when LOPA was initially introduced 20 years ago, the process safety community exhibited significant reluctance toward adopting this method.

Cyber-physical risk does not arise from random defense failures or a random attack frequency; instead, cyber barriers (security measures) are intentionally bypassed or breached by the intelligent actions of threat actors with different levels of motivation, skills, and resources. These actions are not accidental but rather malicious in nature.

If these attacks were to occur frequently, we could collect event data and estimate the likelihood of defense failures using conventional unconditional probability methods. However, the frequency of cyber-physical attacks remains very low. Given the potentially severe consequences, we cannot overlook such attacks. Nevertheless, due to the scarcity of event data, we lack the means to estimate a reliable probability, making it challenging to make well-informed decisions regarding risk mitigation. So we need to rethink the concept and find another approach. This is exactly what ROPA does.

We can envision security as a system of protection rings, which can be defined at different abstraction levels. At a high level of abstraction, a protection ring might represent something like ‘personnel security,’ focusing on trust, awareness, and knowledge. At a more detailed level, we might consider that the security of a HART transmitter directly connected to an I/O board of a controller depends on the security measures within the controller itself. There are many such rings, with each inner ring partially relying on the protection of the outer ring. These relations are dependencies, and there are various types of dependencies.

To estimate a conditional probability, we need knowledge about the attack methods used, an understanding of how effectively our security measures can thwart or detect these methods, and a counterfactual risk analysis engine to calculate a conditional probability referred to as the Probability of (Defense) Failure if Attacked (PFA). Essentially, this is a probability that measures the effectiveness of our defense against a collection of cyber attacks. The better we defend against methods that are effective against multiple vulnerabilities, the better our security.

This approach doesn’t depend on the event frequency of threat actors but rather assesses the likelihood of a method’s success based on available statistical data of vulnerabilities. Such data is readily accessible from various sources, including vulnerability databases, proof of concepts, and threat modeling exercises. Consequently, we can assess a target’s resilience against a range of cyber attacks by using a counterfactual risk analysis engine to test all conceivable attacks from a library of potential threats.
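As an added illustration of the ring-dependency and PFA idea described above, the Python below is my own simplified model, not the author’s ROPA engine or its formulas. It scores a constructed attack library against four constructed rings, where each ring’s failure probability is conditional on the threat level and on whether the outer ring it relies on has already been breached; the ring names, dependency weights, per-ring probabilities and the capability scaling are all assumptions made for the example.

```python
"""
Added illustration, not the author's ROPA engine: a small counterfactual model
that estimates a Probability of (Defense) Failure if Attacked (PFA) across
dependent protection rings, for each method in a constructed attack library.
Every ring, method, weight and probability below is constructed for the example;
nothing here uses an attack frequency, only per-ring defensive strength.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Ring:
    """One protection ring, listed from outer to inner."""
    name: str
    # Outer ring this ring partially relies on, and the share of this ring's
    # protection that is lost once that outer ring has been breached.
    depends_on: Optional[str] = None
    dependency_weight: float = 0.0


@dataclass(frozen=True)
class AttackMethod:
    """A library entry: the rings the method must bypass, each with the chance
    it fails to stop the method when attacked (e.g. from vulnerability data)."""
    name: str
    p_fail_if_attacked: Dict[str, float]


# Attacker capability per threat level scales the odds that the same measure
# fails; a higher level behaves like repeated independent attempts (constructed).
THREAT_LEVELS = {"low": 1, "medium": 2, "high": 3}


def ring_p_fail(p_own: float, capability: int, outer_breached: bool,
                weight: float) -> float:
    """Conditional probability that one ring fails, given the threat level and
    whether the outer ring it relies on has already been breached."""
    p = 1.0 - (1.0 - p_own) ** capability
    if outer_breached:
        p += (1.0 - p) * weight  # protection borrowed from the outer ring is gone
    return min(1.0, p)


def pfa_for_method(rings: List[Ring], method: AttackMethod, threat: str) -> float:
    """P(defense fails | this method is used) = product of the per-ring
    conditional failure probabilities along the method's path, outer to inner.
    A dependency only bites when the depended-on ring is itself on the path,
    because only then has the attacker breached it."""
    capability = THREAT_LEVELS[threat]
    path = method.p_fail_if_attacked
    pfa = 1.0
    for ring in rings:
        if ring.name not in path:
            continue  # this method does not have to defeat this ring
        outer_breached = ring.depends_on is not None and ring.depends_on in path
        pfa *= ring_p_fail(path[ring.name], capability, outer_breached,
                           ring.dependency_weight)
    return pfa


def assess(rings: List[Ring], library: List[AttackMethod],
           threat: str) -> Tuple[Dict[str, float], str]:
    """Counterfactual run over the whole library: PFA per method plus the
    method the defense is weakest against (the overall PFA is that maximum)."""
    results = {m.name: pfa_for_method(rings, m, threat) for m in library}
    weakest = max(results, key=results.get)
    return results, weakest


# Constructed rings: staff trust/awareness, the site perimeter, the controller,
# and a HART transmitter whose security leans almost entirely on the controller.
RINGS = [
    Ring("personnel"),
    Ring("perimeter", depends_on="personnel", dependency_weight=0.5),
    Ring("controller", depends_on="perimeter", dependency_weight=0.3),
    Ring("field_device", depends_on="controller", dependency_weight=0.9),
]

# Constructed library; probabilities are illustrative stand-ins for what a
# vulnerability database or threat model would supply.
LIBRARY = [
    AttackMethod("phishing_then_pivot",
                 {"personnel": 0.3, "perimeter": 0.2, "controller": 0.1, "field_device": 0.5}),
    AttackMethod("exposed_remote_access",
                 {"perimeter": 0.1, "controller": 0.1, "field_device": 0.5}),
    AttackMethod("rogue_usb_at_controller",
                 {"personnel": 0.2, "controller": 0.3, "field_device": 0.5}),
]

if __name__ == "__main__":
    for level in THREAT_LEVELS:
        per_method, weakest = assess(RINGS, LIBRARY, level)
        print(f"threat={level}: overall PFA={per_method[weakest]:.4f} via {weakest}")
        for name, pfa in per_method.items():
            print(f"  {name:<24}{pfa:.4f}")
```

The point of the model is what it does not need: no attack rate per year appears anywhere. Each factor is a strength estimate for one ring against one method, which is the kind of data vulnerability databases and threat modeling can supply, and raising the threat level or breaching an outer ring only changes the conditional term for the rings that depend on it. Running the library at each threat level shows which method the defense is weakest against, which is where a design change pays off first.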

However, this represents a different approach. Most individuals tend to cling to the hypothesis that we lack sufficient statistical data, rather than reformulating the problem in a form for which we have ample data. This highlights the challenge of addressing the mindset of mental misers within the OT security world: those who prefer to adhere to old views rather than embrace innovation. The two examples, an ISA 62443 framework based on risk-based security levels and a risk analysis method relying on conditional risk, may not seem very different. Nevertheless, in order to progress we must confront the discomfort of doubt before we can realize that progress.
