Managing Cybersecurity in the Process Industries: A Risk-based Approach

by CCPS (Center for Chemical Process Safety)

Length: 480 pages
Edition: 1
Language: English
Publisher: Wiley-AIChE
Publication Date: 2022-04-19
ISBN-10: 1119861780
ISBN-13: 9781119861782
Sales Rank: #205919 (See Top 100 Books)

The chemical process industry is a rich target for cyber attackers who are intent on causing harm. Current risk management techniques are based on the premise that events are initiated by a single failure and the succeeding sequence of events is predictable. A cyberattack on the Safety, Controls, Alarms, and Interlocks (SCAI) undermines this basic assumption. Each facility should have a Cybersecurity Policy, Implementation Plan and Threat Response Plan in place. The response plan should address how to bring the process to a safe state when controls and safety systems are compromised. The emergency response plan should be updated to reflect different actions that may be appropriate in a sabotage situation. IT professionals, even those working at chemical facilities are primarily focused on the risk to business systems. This book contains guidelines for companies on how to improve their process safety performance by applying Risk Based Process Safety (RBPS) concepts and techniques to the problem of cybersecurity.

Cover
Table of Contents
Title Page
Copyright
List of Figures
List of Tables
Acronyms and Abbreviations
Glossary
Acknowledgments
Managing Cybersecurity in the Process Industries
Preface
Part 1: Introduction, Background, and History of Cybersecurity
    1 Purpose of this Book
        1.1 Target Audience
        1.2 What is Cybersecurity?
        1.3 What is Operational Technology (OT)?
        1.4 Which industries have OT?
        1.5 Scope
        1.6 Organization of the Book
    2 Types of Cyber‐Attacks, Who Engages in Them and Why
        2.1 Types of Cyber‐Attacks
        2.2 Who Commits Cybercrimes and Their Motives
        2.3 Summary
    3 Types of Risk Receptors/Targets
        3.1 What is Cybersecurity Risk
        3.2 What are Common Cybersecurity Targets?
        3.3 Types of Cybersecurity Consequences
        3.4 Summary
    4 Threat Sources and Types of Attacks
        4.1 Non‐Targeted Attacks
        4.2 Targeted Attacks
        4.3 Advanced Persistent Threats (APT)
        4.4 Summary
    5 Who Could Create a Cyber Risk? Insider vs. Outsider Threats
        5.1 Insider Cybersecurity Risk
        5.2 Outsider Cybersecurity Risk
        5.3 Summary
    6 Case Histories
        6.1 Maroochy Shire
        6.2 Stuxnet
        6.3 German Steel Mill
        6.4 Ukrainian Power Grid
        6.5 NotPetya
        6.6 Triton
        6.7 Düsseldorf Hospital Ransomware
        6.8 SolarWinds
        6.9 Florida Water System
        6.10 Colonial Pipeline Ransomware
        6.11 Summary
Part 2: Integrating Cybersecurity Management into the Process Safety Framework
    7 General Model for Understanding Cybersecurity Risk
        7.1 Cybersecurity Lifecycle
        7.2 Integrated Cybersecurity and Safety Lifecycle
        7.3 NIST Cybersecurity Framework
        7.4 Summary
    8 Designing a Secure Industrial Automation and Control System
        8.1 The Disconnect between IT and OT Risk Management
        8.2 Inherently Safer vs. Inherently More Secure
        8.3 Defense‐in‐Depth
        8.4 Network Segmentation
        8.5 System Hardening
        8.6 Security Monitoring
        8.7 Risk Compatibility Assessment
        8.8 Summary
    9 Hazard Identification and Risk Analysis (HIRA)
        9.1 Use of Process Safety Tools to Identify and Manage Cybersecurity Risk
        9.2 Qualitative Methods
        9.3 Quantitative Methods
        9.4 How to Prioritize Risk Reduction Measures?
        9.5 Revalidation/Reassessment
        9.6 Summary
    10 Manage the Risk
        10.1 Management Approach
        10.2 Initial Steps
        10.3 Cybersecurity Culture
        10.4 Compliance with Standards
        10.5 Cybersecurity Competency
        10.6 Workforce Involvement
        10.7 Stakeholder Outreach
        10.8 Process Knowledge Management
        10.9 Operating Procedures
        10.10 Safe Work Practices
        10.11 Management of Change
        10.12 Asset Integrity and Reliability
        10.13 Contractor Management
        10.14 Training and Performance Assurance
        10.15 Operational Readiness
        10.16 Conduct of Operations
        10.17 Emergency Management
        10.18 Incident Investigation
        10.19 Measurements and Metrics
        10.20 Auditing
        10.21 Management Review and Continuous Improvement
        10.22 Summary
    11 Implementing a Holistic Approach to Safety and Cybersecurity
        11.1 Cybersecurity Management Systems (CSMS)
        11.2 Integrating CSMS with Process Safety Management
        11.3 Summary
Part 3: Where Do We Go from Here?
    12 What's Next? A Look at Future Development Opportunities
        12.1 Cybersecurity Adoption Trends
        12.2 Emerging Technologies
        12.3 Summary
    13 Available Resources
        13.1 Local, Regional, and Global Topics
        13.2 Cybersecurity Incident Repositories
        13.3 Competency Requirements and Training Availability
        13.4 Administration vs. Accountability Functions
        13.5 Summary
Appendix A Excerpt from NIST Cybersecurity FrameworkExcerpt from NIST Cybersecurity Framework
Appendix B Detailed Cybersecurity PHA and LOPA ExampleDetailed Cybersecurity PHA and LOPA Example
    B.1 System Basis
    B.2 Initial Risk Assessment
    B.3 Detailed Risk Assessment (Cyber PHA/HAZOP)
    B.4 LOPA/Semi‐Quantitative SL Verification
Appendix C Example Cybersecurity MetricsExample Cybersecurity Metrics
Appendix D Cybersecurity Sample Audit Question ListCybersecurity Sample Audit Question List
Appendix E Management System Review ExamplesManagement System Review Examples
ReferencesReferences
Index
End User License Agreement