The boundary for a CSRA system under consideration is likely to be far larger than the immediate process control system, safety systems and process equipment and may include elements with no permanent physical connection to the process plant such as building management systems, site WiFi communications, remote connections e.g. telecommunications and VPN, USB drives, etc.
An individual process control system may be an attack target accessed via a complex sequence of jumps from the internet to a site’s corporate IT network, to an individual office work station, to an engineering workstation, through the OT network, to the target SCADA, PLC or sensor – OR – the same process control system may be an easy landing point for an attacker to establish a covert presence on the site network, traverse onto the corporate IT network, escalate their privileges and encrypt the site’s operational data for ransom (or spread into a global corporate cloud and affect multiple sites around the world).
Cyber-attacks rarely conform to the single point of failure or simple cause / consequence pair notion followed in process risk assessments e.g. HazOp, they frequently use combinations of methods to target multiple systems at once in order to bypass mitigation methods and maximise their effect. CSRA need to consider both cyber and physical security flaws.
Cyber risk is differentiated from process risk in that an attack is a deliberate malicious action where the method and timing of the attack are entirely at the discretion of the attacker (try calculating all of the variables in that likelihood!)
The potential scope of negative outcomes from a cyber-attack go beyond the health, safety, environmental and asset damage considerations of process safety risk assessments and are only limited by the skill, resources and motivation of the attacker. The cyber attack gamut runs all the way from minor nuisance through theft of intellectual property, small to massive ransomware attacks up to election rigging and regional or geopolitical destabilisation (when you start looking at nation state actors).
Process safety is predicated on the assumption that a member of your engineering team or a process operator is not going to deliberately subvert your process design to cause an adverse outcome, this assumption cannot hold true in CSRA as the attacker could well be an insider with full knowledge, and access to, the process, the plant and its control and safety systems.
Digital technologies are a human construct bounded only by their creators’ intellect and creativity, it is naïve to assume that the same intellect and creativity cannot be found in those who would wish to subvert those technologies for malicious ends or financial gain.