Cybersecurity. Sarabjit Purewal Principal Specialist Inspector BSc ACGI PGDip CEng MIET. Humber Chemical Focus Group 21 July 2016

Transcription

1 Health and and Safety Executive Cybersecurity Sarabjit Purewal Principal Specialist Inspector BSc ACGI PGDip CEng MIET Humber Chemical Focus Group 21 July 2016 Crown July 2016

2 What we will cover Why cybersecurity is an issue How cyber threats can impact on safety of people and harm the environment-links to MAH Trends in cyber threats What guidance is out there HSE operational guide current status HSE operational guide scope How and when it will be used

3 Why cybersecurity is an issue Nearly all new control and safety instrumented systems are programmable Open standardised protocols are used allowing interconnectivity between different systems Increasing interconnectivity between control systems, IT systems and Internet Control and protection being merged into the same system rather then being physically separate

4 Why cybersecurity is an issue Due to these factors systems can be susceptible to viruses and malware that can render them ineffective. Multiple failings can result. A dangerous state and failure to protect against it can occur at the same time. Layers of independent protection no longer a valid assumption.

5 Links to MAHs Threats can be malicious or accidental They can originate from networks (Intranet, or internet), or through maintenance activities. E.g. software upgrades, USB sticks, lap tops etc. Equipment can have malware when it is delivered to site or can be introduced via maintenance personnel from vendors. The controls by vendors are important

6 Links to MAHs If a threat (deliberate or accidental) occurs it can lead to: Mal-operation of a control system leading to an unsafe state Mal-operation of a safety system such that it does not operate Both can occur at the same time Both the above will lead to: Increased risk of a MAH An actual incident

7 Trends Are cyber threats increasing How serious are they Some well publicised incidents Stuxnet worm. Damaged centrifuges at an Iran nuclear facility (through use of USB) Duqu.Looked for information such as design that could help mount a future attack, including on industrial control system facilities.

8 Trends An attack on a steel works in Germany causing significant damage, by disrupting the control systems such that a blast furnace could not be properly shut down. More recently. Ukraine. The power network was disabled that lasted for 8 hours. Many others less well publicised incidents

9 What guidance is out there Very good guidance is available, but it can be overwhelming, and it s not all limited to safety and environmental risks. ISA-TR Security Countermeasures Related to Safety Instrumented Systems (SIS). The Centre for the Protection of National Infrastructure (CPNI) Security for Industrial Control Systems.

10 What guidance is out there NIST Publication Guide to Industrial Control Systems (ICS) Security r2.pdf 10 steps to Cyber security available via link ures/pages/relaunch-10-steps-to-cyber-security.aspx IET Code of Practice Cyber Security in the Built Environment EEMUA Information sheet 2. Cyber security assessment process for industrial control systems

11 Applicable Standards IEC Ed 2 has specific requirements for cybersecurity threats. This is the benchmark Standard HSE uses for safety instrumented systems. BS EN Some parts in draft. Note this is not limited to functional safety and is wide ranging. Part 1: Framework and threat-risk analysis Part 2: Security assurance Part 3: Security requirements Part 4 Relevant to system integrators.

12 HSE Operational guidance (OG) Why is this needed For specialist HSE C&I specialist inspectors It is targeted at HSE (and CA) MH regulated industries and intended to comply with the requirements of IEC Ed 2. It is specific to relevant regulations covering safety and the environment It provides for proportionate risk reduction and ALARP Consistent with the wider available guidance

13 Current status of HSE OG Currently in draft External consultation. Comments from: CPNI, Energy Institute, EEMUA UKPIA, Association, IntM&C O&G UK, National Grid Second draft in preparation Publication subject to further discussions.

14 What does it cover Specific, short concise document on proportionate approach for managing risk from cyber threats to MAH scenarios. Covers risk identification, and its management including design, maintenance, operation, management systems and competency of staff. Once published it will form part of the EC&I operational delivery guide in CEMHD consistent with other similar operational guides.

15 What does it cover Key steps include: Implementing cyber security management arrangements. Competency. This is an issue at present as its new technology for C&I staff.

16 What does it cover Defining the systems that are susceptible to cyber threats Risk assessment and ALARP demonstrationnote the issues here. Putting proportionate control measures. The guide identifies a range of example measures. Operation and maintenance Audit, monitor and review Change control

17 Next steps GCHQ National Cyber Security Centre being set up Publication subject to further discussions The guide has the status of an interpretive standard under EMM. HSE EC&I specialist inspectors training Implementation date yet to be decided

18 Thank You Questions