Cyber security is a growing risk to all critical infrastructure and industrial process plant. The latest edition of IEC 61511-1 (Ed. 2) requires that a security risk assessment be carried out already in the HRA phase. Further detailed security assessment (including audit of existing plant) may be carried out as per IEC 62443 (Namur NA 163).
Security vulnerabilities have been exposed in industrial control systems (e.g. Stuxnet, Industroyer, TRISIS/TRITON, EKANS, and co.) Many national governments are implementing legislation that requires Operators of critical infrastructure to systematically assess new or existing plant from a cyber-security perspective. International best practice standards such as IEC EN 61511-1 (latest Ed. 2) now define that a security risk assessment shall be already carried out in the HRA phase. Further detailed security assessment (including audit of existing plant) may be carried out as per IEC 62443.
PSC can carry out a cyber security risk assessment during the planning stages of a new project. Such assessment typically follows a similar methodology to HAZOP, but with relevant guide words. Areas of specific attention in the planning phase include:
- Client Policies & Procedures, industry-specific legal requirements
- Integration into existing systems (where applicable)
- Segmentation of the Control System Network
- Access control
- Design requirements to ‘harden’ the components of the System
- Monitoring & maintenance of System Security
- Training requirements for Personnel & Contractors
For existing plant, security threats will be typically reviewed via an on-site audit:
- Compromised Remote Support, Unauthorised Connections
- Modems, USB connections, Switches
- Misconfigured Firewalls, Office LAN, Infected Laptops
- RS-232 Links, External PLC Networks
PSC is a registered Participant in the Alliance for Cyber Security.