Cybersecurity has much to learn from industrial safety planning

(Credit: Unsplash)

This article is brought to you thanks to the collaboration of The European Sting with the World Economic Forum.

Author: Robert M Lee, CEO, Dragos


• Safety engineering practices can be readily applied to cybersecurity.

• Developing safety ‘scenarios’ helps build a more comprehensive response to cyberthreats.

• Scenarios are also useful for communicating cybersecurity best practice to professionals outside the field.

A cybersecurity strategy informed from lessons learned in the safety engineering community will help executives and practitioners in the field reduce risks more efficiently. By considering scenarios instead of singular components of a cyberattack, as well adopting safety-engineering’s methodical approach to planning, cybersecurity professionals can put a more robust approach in place.

As a byproduct of more thoughtful and scenario-focused planning, it will also be possible to better communicate to operations staff and to other non-cybersecurity executives, including boards of directors, using cybersecurity scenarios as a storytelling mechanism. Currently, cybersecurity professionals using their own professional language are sometimes at odds with operational staff and business leaders.

Cybersecurity strategies should be based on scenarios and include the following three key recommendations:

  • Analyze scenarios instead of singular items.
  • Derive scenarios from intel-driven and consequence-driven analysis.
  • Prioritize and remove barriers for where cybersecurity and safety intersect.

By learning directly from the practices of safety engineering, the resulting insights can directly contribute to the most important functions of an organization, such as protecting human life.

1. Analyze scenarios instead of singular items

Intrusions into organizations are initiated by humans, not by malware. Which is why cybersecurity analysis should not be monopolized by a singular focus on controls such as patching or anti-malware. Instead, organizations should try to gain a holistic view across the intrusion lifecycle – particularly of the steps taken by the humans behind the malware.

Take, for example, the attack on a petrochemical plant’s safety instrumented systems in Saudi Arabia in 2017, which resulted in the first cyberattack targeted directly at human life. In this scenario, a preoccupation with malware and the final step of the adversary’s attack that caused the safety-system disruption, obscured valuable insights about the deeper risks posed by the attacker’s techniques across more than a dozen distinct steps they performed over three years. The organization focused on identifying and remedying the attack by sharing technical details about the malware; while important, this is easy for the adversary to change in any follow-up attack.

The attack had actually begun in 2014. From 2014-2017, the adversary compromised the organization and moved throughout their industrial networks learning about the operations and equipment. The team behind the attack, dubbed XENOTIME, engaged in a series of steps leading up to the deployment of their malware, called TRISIS or TRITON: over a dozen unique ones in total. In other cases involving this same adversary, many of the steps remained consistent, even though the specific malware leveraged was not observed again. This is common in cybersecurity where adversaries change capabilities, but maintain a level of consistency in the style of attack.

With each action in the chain, there are multiple compensating controls against the risk the adversary poses that would inform any organization how to prepare against such attacks. For example, monitoring for the way the adversary moves through the networked environment. Told across the full scenario, the case study presents a story of how to develop and communicate a defensive strategy that prepares organizations for any other adversary that shares any overlap with how XENOTIME operates. Sharing strategies is a common practice for cybercriminals and gives defenders an upper hand in responding.

A scenario-based analysis makes it easier to understand the risk, without a high degree of technical jargon or acumen. The longstanding practices of safety engineers can provide an excellent template for this kind of analysis. For instance, by performing a hazard and operability (HAZOP) analysis process that examines and manages risk as it relates to the design and operation of industrial systems. One common method for performing HAZOPs is a process hazards analysis (PHA) that uses specialized personnel to develop scenarios that would result in an unsafe or hazardous condition. It is not a risk reduction strategy that simply looks at individual controls, but considers more broadly how the system works in unison and the different scenarios that could impact it.

2. Derive scenarios from intel-driven and consequence-driven analysis

Cybersecurity threats are the work of deliberate and thoughtful adversaries, whereas safety scenarios often result from human or system error and failures. As a result, a safety integrity level can be measured with some confidence by failure rates, such as one every 10 years or 100 years. In contrast, trying to take frequency or likelihood into account for cybersecurity scenarios is a highly unpredictable and failing practice. Instead, organizations should view protection from these risk scenarios as a binary, yes-or-no decision. Either an organization wants to be prepared for that type of incident or not.

To create scenarios that maximize the commonalities between safety and cyber-risks, organizations should consider a two-pronged approach:

• Intelligence-driven scenarios – those based on real attacks – have the benefit of being a documented case of precisely what happened to other organizations that led to incidents. The study of previous cyberthreats and the methods utilized is an excellent teacher.

• Consequence analysis is more akin to the art-of-the-possible (i.e. thinking through a near-limitless range of possibilities) and should be conducted by a diverse team ranging in skill sets from cybersecurity to plant engineering. Understanding what consequences would be most impactful to the organization or plant site can then be thought through in terms of how they could be influenced or conducted through cyber means.

The combination of ground-truth reality and impactful art-of-the-possible scenarios will create overlapping layers of security and risk reduction that form the basis for meaningful cybersecurity strategies.

3. Prioritize and remove barriers for where cybersecurity and safety intersect

Cybersecurity efforts that can be tied directly to safety should be prioritized and resourced in the interest of the overall organization, the safety of plant personnel, and the safety of people and environments around our plants.

In many organizations, cybersecurity is billed as an IT service provided to business units or individual plants. However, most organizations have consistently deemed safety-related expenses a company-level expense, which does not negatively impact plant budgets, performance bonuses, and key metrics. Not all cybersecurity efforts contribute to safety, but those that do should be prioritized and fully resourced at corporate level, not expensed to individual plants.

What is the World Economic Forum doing on cybersecurity

The World Economic Forum’s Centre for Cybersecurity is leading the global response to address systemic cybersecurity challenges and improve digital trust. We are an independent and impartial global platform committed to fostering international dialogues and collaboration on cybersecurity in the public and private sectors. We bridge the gap between cybersecurity experts and decision makers at the highest levels to reinforce the importance of cybersecurity as a key strategic priority. World Economic Forum | Centre for Cybersecurity

Our community has three key priorities:

Strengthening Global Cooperation – to increase global cooperation between public and private stakeholders to foster a collective response to cybercrime and address key security challenges posed by barriers to cooperation.

Understanding Future Networks and Technology – to identify cybersecurity challenges and opportunities posed by new technologies, and accelerate forward-looking solutions.

Building Cyber Resilience – to develop and amplify scalable solutions to accelerate the adoption of best practices and increase cyber resilience.

Initiatives include building a partnership to address the global cyber enforcement gap through improving the efficiency and effectiveness of public-private collaboration in cybercrime investigations; equipping business decision makers and cybersecurity leaders with the tools necessary to govern cyber risks, protect business assets and investments from the impact of cyber-attacks; and enhancing cyber resilience across key industry sectors such as electricity, aviation and oil & gas. We also promote mission aligned initiatives championed by our partner organizations.

The Forum is also a signatory of the Paris Call for Trust and Security in Cyberspace which aims to ensure digital peace and security which encourages signatories to protect individuals and infrastructure, to protect intellectual property, to cooperate in defense, and refrain from doing harm.

For more information, please contact us.

Through understanding broader cyberattack scenarios, and not focusing overly on any one step, preventive, detective and responsive controls can be crafted as part of an overall cybersecurity strategy. Scenarios that consider cybersecurity risks and that can impact safety directly should be prime candidates for prioritization and resourcing.

the sting Milestones

Featured Stings

Can we feed everyone without unleashing disaster? Read on

These campaigners want to give a quarter of the UK back to nature

How to build a more resilient and inclusive global system

Stopping antimicrobial resistance would cost just USD 2 per person a year

European Commission increases support for the EU’s beekeeping sector

More protection for our seas and oceans is needed, report finds

Which country offers the cheapest mobile data?

INTERVIEW: ‘Defend the people, not the States’, says outgoing UN human rights chief

10 ways central banks are experimenting with blockchain

Can the US-Iran rapprochement change the world?

DR Congo elections: ‘historic opportunity’ for ‘peaceful transfer of power’ says Security Council

What can be done to avoid the risk of being among the 7 million that will be killed by air pollution in 2020?

Is there a de facto impossibility for the Brexit to kick-start?

How trust and collaboration are key in India’s last mile response to the COVID-19 crisis

Investors must travel a winding road to net-zero. Here’s a map

Engaging women and girls in science ‘vital’ for Sustainable Development Goals

‘No steps taken’ so far to end Israel’s illegal settlement activity on Palestinian land – UN envoy

In visit to hurricane-ravaged Bahamas, UN chief calls for greater action to address climate change

Illegal fishing plagues the Pacific Ocean. Here’s how to end it

How AI and machine learning are helping to fight COVID-19

EU tells Britain stay in as long as you wish

Financing fossil fuels risks a repeat of the 2008 crash. Here’s why

Here are 4 tips for governing by design in the Fourth Industrial Revolution

How curiosity and globalization are driving a new approach to travel

Coronavirus (COVID-19): truth and myth on personal risk perception

The battle for the 2016 EU Budget to shake the Union; Commission and Parliament vs. Germany

Innovation can transform the way we solve the world’s water challenges

#WorldBicycleDay: 5 benefits of cycling

Missile strike kills at least 12 civilians, including children, in Syria’s Idlib: UN humanitarians

4 steps to developing responsible AI

Mental health and suicide prevention – What can be done to increase access to mental health services in my region?

UN chief outlines ‘intertwined challenges’ of climate change, ocean health facing Pacific nations on the ‘frontline’

New US President: MEPs hope for a new dawn in transatlantic ties

Desires for national independence in Europe bound by economic realities

European Union and African Union sign partnership to scale up preparedness for health emergencies

Yemen war: UN chief urges good faith as ‘milestone’ talks get underway in Sweden

Spring 2019 Standard Eurobarometer: Europeans upbeat about the state of the European Union – best results in 5 years

Coronavirus: Commission approves contract with CureVac to ensure access to a potential vaccine

Outbreak of COVID-19: The third wave and the people

A day in the life of a Venezuelan migrant in Boa Vista, Brazil

EU Copyright Directive: Google News threatens to leave Europe while media startups increasingly worry

3 ways to fight short-termism and relaunch Europe

Accountability in Sudan ‘crucial’ to avoid ‘further bloodshed’, says UN rights office

UN committed ‘to support the Libyan people’ as Guterres departs ‘with deep concern and a heavy heart’

Antarctica: the final coronavirus-free frontier. But will it stay that way?

Mario Draghi didn’t do it but Kim Jong-un did

UN chief welcomes G20 commitment to fight climate change

MEPs: Access to adequate housing should be a fundamental European right

More countries are making progress on corruption – but there’s much to be done, says a new report

Mountains matter, especially if you’re young, UN declares

EU food watchdog: more transparency, better risk prevention

Young activists share four ways to create a more inclusive world

The European Sting @ the European Business Summit 2014 – Where European Business and Politics shape the future

More than one million sexually transmitted infections occur every day: WHO

These countries spend the most on education

How a new approach to meat can help end hunger

MEPs cap prices of calls within EU and approve emergency alert system

Electronic cigarettes: is it really a safe alternative to smoking?

China confirms anti-state-subsidy investigation on EU wine imports

Century challenge: inclusion of immigrants in the health system

Here’s how we reboot digital trade for the 21st century

Britain and Germany change attitude towards the European Union

UN, global health agencies sound alarm on drug-resistant infections; new recommendations to reduce ‘staggering number’ of future deaths

Ten new migratory species protected under global wildlife agreement

More Stings?

Speak your Mind Here

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s