Cyber Security Risks can be evaluated by considering the consequence and likelihood of the attack.


FALSE. On first inspection, it is easy to think that Cyber Risks to the process can be managed with the same tools we’ve always used for process risk – where we determine risk by identifying the worst-case consequences and then evaluating likelihood. Once these two elements of risk are understood, we can work out how much risk reduction is required. For Cyber Security, our worst-case consequences can be derived from our process safety approach (since the worst-case consequence for the plant is constant, irrespective of the cause). The paths diverge in two areas:

  1. Scope – The scope that must be considered when assessing cyber risk is rarely limited to an individual process, plant, or even site.
  2. Likelihood – For process safety, the factors that make up likelihood (the failure rate of the control system, the chance of a human error, the probability of ignition) can be estimated and are expected to remain largely constant over the life of the plant. For Cyber Security, likelihood is very difficult to determine. Cyber-attacks are deliberate malicious actions rather than single points of failure, and the threat landscape of system vulnerabilities and methods of exploiting them is continually evolving. Some years ago, the likelihood of a ransomware attack would have been very low – today it is almost certain that every day our control systems are being scrutinised for vulnerabilities which could allow such an attack. Our defences may have withstood these attacks so far, but there is no guarantee that, with the adoption of increasing levels of process automation technology, new vulnerabilities won’t be found and new forms of cyber-attack won’t be developed.

Managing Cyber Risk requires specialist knowledge and a different approach.

