Cybersecurity has much to learn from industrial safety planning

(Credit: Unsplash)

This article is brought to you thanks to the collaboration of The European Sting with the World Economic Forum.

Author: Robert M Lee, CEO, Dragos


• Safety engineering practices can be readily applied to cybersecurity.

• Developing safety ‘scenarios’ helps build a more comprehensive response to cyberthreats.

• Scenarios are also useful for communicating cybersecurity best practice to professionals outside the field.

A cybersecurity strategy informed from lessons learned in the safety engineering community will help executives and practitioners in the field reduce risks more efficiently. By considering scenarios instead of singular components of a cyberattack, as well adopting safety-engineering’s methodical approach to planning, cybersecurity professionals can put a more robust approach in place.

As a byproduct of more thoughtful and scenario-focused planning, it will also be possible to better communicate to operations staff and to other non-cybersecurity executives, including boards of directors, using cybersecurity scenarios as a storytelling mechanism. Currently, cybersecurity professionals using their own professional language are sometimes at odds with operational staff and business leaders.

Cybersecurity strategies should be based on scenarios and include the following three key recommendations:

  • Analyze scenarios instead of singular items.
  • Derive scenarios from intel-driven and consequence-driven analysis.
  • Prioritize and remove barriers for where cybersecurity and safety intersect.

By learning directly from the practices of safety engineering, the resulting insights can directly contribute to the most important functions of an organization, such as protecting human life.

1. Analyze scenarios instead of singular items

Intrusions into organizations are initiated by humans, not by malware. Which is why cybersecurity analysis should not be monopolized by a singular focus on controls such as patching or anti-malware. Instead, organizations should try to gain a holistic view across the intrusion lifecycle – particularly of the steps taken by the humans behind the malware.

Take, for example, the attack on a petrochemical plant’s safety instrumented systems in Saudi Arabia in 2017, which resulted in the first cyberattack targeted directly at human life. In this scenario, a preoccupation with malware and the final step of the adversary’s attack that caused the safety-system disruption, obscured valuable insights about the deeper risks posed by the attacker’s techniques across more than a dozen distinct steps they performed over three years. The organization focused on identifying and remedying the attack by sharing technical details about the malware; while important, this is easy for the adversary to change in any follow-up attack.

The attack had actually begun in 2014. From 2014-2017, the adversary compromised the organization and moved throughout their industrial networks learning about the operations and equipment. The team behind the attack, dubbed XENOTIME, engaged in a series of steps leading up to the deployment of their malware, called TRISIS or TRITON: over a dozen unique ones in total. In other cases involving this same adversary, many of the steps remained consistent, even though the specific malware leveraged was not observed again. This is common in cybersecurity where adversaries change capabilities, but maintain a level of consistency in the style of attack.

With each action in the chain, there are multiple compensating controls against the risk the adversary poses that would inform any organization how to prepare against such attacks. For example, monitoring for the way the adversary moves through the networked environment. Told across the full scenario, the case study presents a story of how to develop and communicate a defensive strategy that prepares organizations for any other adversary that shares any overlap with how XENOTIME operates. Sharing strategies is a common practice for cybercriminals and gives defenders an upper hand in responding.

A scenario-based analysis makes it easier to understand the risk, without a high degree of technical jargon or acumen. The longstanding practices of safety engineers can provide an excellent template for this kind of analysis. For instance, by performing a hazard and operability (HAZOP) analysis process that examines and manages risk as it relates to the design and operation of industrial systems. One common method for performing HAZOPs is a process hazards analysis (PHA) that uses specialized personnel to develop scenarios that would result in an unsafe or hazardous condition. It is not a risk reduction strategy that simply looks at individual controls, but considers more broadly how the system works in unison and the different scenarios that could impact it.

2. Derive scenarios from intel-driven and consequence-driven analysis

Cybersecurity threats are the work of deliberate and thoughtful adversaries, whereas safety scenarios often result from human or system error and failures. As a result, a safety integrity level can be measured with some confidence by failure rates, such as one every 10 years or 100 years. In contrast, trying to take frequency or likelihood into account for cybersecurity scenarios is a highly unpredictable and failing practice. Instead, organizations should view protection from these risk scenarios as a binary, yes-or-no decision. Either an organization wants to be prepared for that type of incident or not.

To create scenarios that maximize the commonalities between safety and cyber-risks, organizations should consider a two-pronged approach:

• Intelligence-driven scenarios – those based on real attacks – have the benefit of being a documented case of precisely what happened to other organizations that led to incidents. The study of previous cyberthreats and the methods utilized is an excellent teacher.

• Consequence analysis is more akin to the art-of-the-possible (i.e. thinking through a near-limitless range of possibilities) and should be conducted by a diverse team ranging in skill sets from cybersecurity to plant engineering. Understanding what consequences would be most impactful to the organization or plant site can then be thought through in terms of how they could be influenced or conducted through cyber means.

The combination of ground-truth reality and impactful art-of-the-possible scenarios will create overlapping layers of security and risk reduction that form the basis for meaningful cybersecurity strategies.

3. Prioritize and remove barriers for where cybersecurity and safety intersect

Cybersecurity efforts that can be tied directly to safety should be prioritized and resourced in the interest of the overall organization, the safety of plant personnel, and the safety of people and environments around our plants.

In many organizations, cybersecurity is billed as an IT service provided to business units or individual plants. However, most organizations have consistently deemed safety-related expenses a company-level expense, which does not negatively impact plant budgets, performance bonuses, and key metrics. Not all cybersecurity efforts contribute to safety, but those that do should be prioritized and fully resourced at corporate level, not expensed to individual plants.

What is the World Economic Forum doing on cybersecurity

The World Economic Forum’s Centre for Cybersecurity is leading the global response to address systemic cybersecurity challenges and improve digital trust. We are an independent and impartial global platform committed to fostering international dialogues and collaboration on cybersecurity in the public and private sectors. We bridge the gap between cybersecurity experts and decision makers at the highest levels to reinforce the importance of cybersecurity as a key strategic priority. World Economic Forum | Centre for Cybersecurity

Our community has three key priorities:

Strengthening Global Cooperation – to increase global cooperation between public and private stakeholders to foster a collective response to cybercrime and address key security challenges posed by barriers to cooperation.

Understanding Future Networks and Technology – to identify cybersecurity challenges and opportunities posed by new technologies, and accelerate forward-looking solutions.

Building Cyber Resilience – to develop and amplify scalable solutions to accelerate the adoption of best practices and increase cyber resilience.

Initiatives include building a partnership to address the global cyber enforcement gap through improving the efficiency and effectiveness of public-private collaboration in cybercrime investigations; equipping business decision makers and cybersecurity leaders with the tools necessary to govern cyber risks, protect business assets and investments from the impact of cyber-attacks; and enhancing cyber resilience across key industry sectors such as electricity, aviation and oil & gas. We also promote mission aligned initiatives championed by our partner organizations.

The Forum is also a signatory of the Paris Call for Trust and Security in Cyberspace which aims to ensure digital peace and security which encourages signatories to protect individuals and infrastructure, to protect intellectual property, to cooperate in defense, and refrain from doing harm.

For more information, please contact us.

Through understanding broader cyberattack scenarios, and not focusing overly on any one step, preventive, detective and responsive controls can be crafted as part of an overall cybersecurity strategy. Scenarios that consider cybersecurity risks and that can impact safety directly should be prime candidates for prioritization and resourcing.

the sting Milestones

Featured Stings

Can we feed everyone without unleashing disaster? Read on

These campaigners want to give a quarter of the UK back to nature

How to build a more resilient and inclusive global system

Stopping antimicrobial resistance would cost just USD 2 per person a year

The Japanese have a word to help them be less wasteful – ‘mottainai’

Commission adopts €70 million package for early access to EU COVID-19 vaccines in the Western Balkans

Who holds the key to the future of biotechnology? You do

UN rights chief bemoans unilateral sanctions on Venezuela, fearing ‘far-reaching implications’

Aid used for trade is helping developing countries diversify

OECD leading multilateral efforts to address tax challenges from digitalisation of the economy

UN rights expert calls for end to ‘purgatory’ of ‘international inaction’ facing Myanmar’s remaining Rohingya

Trump wants to implicate China in US attacks against global order

Is “Sustainable Development” a concept that integrates Health Literacy and Health Policy as a global health action?

With science ‘held back by a gender gap’, Guterres calls for more empowerment for women and girls

Human Rights Council election: 5 things you need to know about it

EU budget: Boosting cooperation between tax and customs authorities for a safer and more prosperous EU

Eurozone plans return to growth

Climate change update: consistent global actions urgently needed as we are running out of time

Fair completion rules and the law of gravity don’t apply to banks

Eurozone very close to a sustainable growth path

FROM THE FIELD: For refugees and migrants in Europe, healthcare’s essential but a challenge to find

Coronavirus: Commission receives first preliminary application for support from the EU Solidarity Fund for health emergency from Italy

On Human Rights Day European Youth Forum calls for end to discrimination of young people

With Gaza violence ‘escalating as we speak,’ UN envoy calls for ‘immediate stop’

Suffering of thousands of war-affected Syrian children ‘unprecedented and unacceptable’

#TwitterisblockedinTurkey and so is Erdogan

Ukraine: €8 million in humanitarian aid to withstand winter

‘Agile’, multilateral response vital to combat terrorism – UN chief Guterres

5 facts you might not know about why forest biodiversity matters

Recovery and Resilience Facility: Belgium, Italy, Austria, and Slovenia submit official recovery and resilience plans

Australia wants to build a giant underground ‘battery’ to help power the nation

Commission proposes to top up support for refugees in Jordan, Lebanon and Turkey

Four things workers want implemented by their bosses post-pandemic

Industrial price dive may lead to point of no return

5 creative alternatives to plastic packaging

FROM THE FIELD: Malawi farmers diversify to fight climate change

The JADE Spring Meeting is about to begin

Boris to end up in jail if he loses the next elections?

6 ways to ensure AI and new tech works for – not against – humanity

Pushing for tax fairness in a digital world

‘Global clarion call’ for youth to shape efforts to forge peace in the most dangerous combat zones

Global health challenges require global medical students

Safer products: EP and Council close deal to beef up checks and inspections

Nagasaki is ‘a global inspiration’ for peace, UN chief says marking 73rd anniversary of atomic bombing

Investing in nature gives industry and business a competitive advantage. Here’s why

CLIMATE CHANGE FOCUS: Climate-proofing Timor-Leste

UNICEF warns of ‘lost generation’ of Rohingya youth, one year after Myanmar exodus

Here’s how we get businesses to harmonize on climate change

EU allocates over €43 million in humanitarian aid to South Sudan

The 5 lessons from New York Climate Week to help us combat deforestation

UN rights office calls on Zimbabwe Government to end ‘crackdown’ in response to fuel protests

1 in 13 young British people have PTSD. Here’s why

The blackened white coat of the doctors

The clothes of the future could be made from pineapples and bananas

COVID-19: Team Europe supports African, Caribbean and Pacific countries to access finance through digital technology

Christine Lagarde: the three priorities for the global economy

“Asia-Pacific takes stock of ambitious development targets”, written by the Heads of UNFPA and ESCAP

Healthcare guidance apps to professional’s continued education?

End fossil fuel subsidies, and stop using taxpayers’ money to destroy the world: Guterres

Youth not prioritised in new Commission

State aid: Commission approves €286 million Finnish measure to recapitalise Finnair

A bad marriage can be as unhealthy as smoking and drinking

Coronavirus Global Response: Commission joins the COVID-19 Vaccine Global Access Facility (COVAX)

Eurozone’s sovereign debt not a problem anymore?

More Stings?

Speak your Mind Here

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s