Cyber risk – A major accident perspective for COMAH sites

SLR's new Safety Advisory team, who join us from our recent acquisition of HFL Consulting, have authored the article below discussing cyber risk for the Chemical Industry and the need for a good cyber risk management programme.

We are all aware of the famous major cyber-attacks, such as the Stuxnet attack upon the centrifuges for an Iranian uranium enrichment facility. Arriving at the nuclear facility by an infected USB, once inserted the worm found its way into the control systems for the centrifuges. The compromised control system remained in place for many months and ultimately caused the disintegration of the centrifuge through excessive spinning. How many of us consider this possibility as a threat to our operations involving major accident hazards?

It is certainly true that cyber-attacks are predominantly financially motivated, with an annual growth of 350% for ransomware attacks on businesses. Estimations are that for the UK chemical industry, industrial espionage costs up to GBP1.3bn with an increasing attractiveness brought about by a larger attack surface along with an increased value of data. Industry, however, also needs to remain focussed on the safety aspects of cyber-risk. By embarking on a good cyber-risk management programme, operators of major accident hazard sites can realise both safety and financial benefits.

Much like the Stuxnet attack, there are examples within industry which could have had a major safety impact. The Industroyer attack on Ukraine’s power grid highlighted the impact that a cyber-attack could have upon critical national infrastructure, while the Triton attack led to the compromising of Safety Instrumented Systems (SIS) in a manner which would have prevented the execution of their safety function.

What does this mean for COMAH / MAH / Chemicals Industry?

The chemical industry became a part of the government's critical national infrastructure in 2017 and, therefore, a high focus is placed upon site operators to manage all security risks, including cyber-risk. Additionally, for COMAH Establishments, the UK Health and Safety Executive (HSE) is involved in the regulation of industry and, in particular, ensuring that the operators of such industries have managed their risks to as low as is reasonably practicable (ALARP). Although industry has work to do in this subject, the solid groundwork is already in place from previous process safety work. Post Buncefield, much work was performed on the improvement of process safety leadership and proportionate risk assessment; there are many parallels between such work and what is now required to take industry forward in the field of cyber-risk management. Industry based cyber-risk management frameworks span the softer elements such as policy deployment, education, training and monitoring in addition to the assessment and management of risks.

So, what now?

A common issue is to assume that “the IT department looks after this”, however the reality is that a good cyber-risk management programme utilises the skills of multiple stakeholders. Currently, there is a weak alignment between the strategies employed by industry and their major accident hazard scenarios. The HSE have conducted trial inspections of COMAH Establishments and operational guidance (OG86) has been drawn up and issued. Operators of COMAH Establishments (lower and upper tier alike) are expected to be in the process of developing cyber-risk management systems and embarking upon cybersecurity risk assessments.

Assessing and managing cyber-risk requires a fundamental change of industries traditional habits and methodologies. Prior to assessing the risk, the operators must understand how their networks are structured and, in particular, linked. Without such information, a credible assessment of risk is not possible and, therefore, creating network diagrams which include the sites major accident hazards is a key first step. A second key change is that typical risk assessment processes are predicated on the assumption that deliberate compromises of systems do not occur. For cyber-risk, however, the risk is both permanently present, latent and could be either a deliberate or non-deliberate act. Furthermore, the traditional hierarchy of risk approaches used within process safety are also not well aligned with cyber-risk management. In traditional process safety management, a lower value is typically put-upon detection and mitigative measures, however in cyber-risk management such elements are key in both prevention and limitation of any damage done (financial or safety).

Links to Functional Safety

Closely linked to cyber-security is the subject of functional safety, which concerns industrial automation control systems (IACS) and, in particular, those which are performing safety instrumented functions. Functional safety is a strategic COMAH and, as such, COMAH Establishments are likely to be inspected on this subject. The benchmark functional safety standards such as BS EN 61511:2017 requires that a security risk assessment must be carried out to identify the security vulnerability of the SIS. Such approaches make logical sense since there is little purpose in proving the hardware reliability of a system while ignoring its systematic capability and, in particular, failures which could be introduced by people.

Whether you are looking for a review of how your cyber-security management system accounts for major accident hazards or require a security risk assessment for a SIS, we can help.

Visit our Safety Advisory page to learn more about our services and how we can support you.