Cyber Risk Assessment - Control Systems

ICS Cyber security risk assessment

Industrial facilities such as Oil & Gas rigs, chemical process plants, power generation plants (nuclear, thermal, hydroelectric), discrete parts manufacturing plants, electrical distribution grids, and water and wastewater facilities are all highly vulnerable to cyber attacks.

Carrying out periodic ICS Cyber Risk Assessment is essential for these facilities.

Why has ICS Cyber Risk Assessment become important today?

In the past few years cybersecurity has become an important part of securing these facilities, in addition to normal physical perimeter security.

This may be shocking to those who are not from the Instrumentation, Control and Automation field.

The sad truth is that most of today's plant control and automation systems follow an older design era in which there was no internet, no USB drives and no connection to business systems, and therefore no possibility of a malicious cyber attack. In those days the only way to damage a control system was to gain physical access to it; today physical access is no longer required. Even so, in many facilities there is still little to no control over who can access the control system.

The architecture of today’s control systems thus leaves much to be desired from a cyber security point of view.

Unlike attackers of a banking system or a stock exchange, attackers of Industrial Control Systems are not interested in manipulating accounts or siphoning off money. They may instead be interested in causing disasters by manipulating the DCS, PLC or SCADA so that an undesired event occurs. This can result in asset damage (physical damage to plant and machinery) or loss of containment, triggering an environmental disaster or a gas release that can injure people even outside the plant perimeter.

So you need to protect your ICS from these kinds of threats, and the first step is to carry out an ICS Cyber Security Risk Assessment of your existing systems.

In fact the step before the first step (let's say Step 0) is to learn about this topic in depth, which you can do by taking our Industrial Cybersecurity course.

Can an IT Cybersecurity professional carry out these risk assessments?

The answer is "It depends". If the IT security professional is trained in Industrial Cybersecurity and knows the relevant standards such as the IEC 62443 series, then they can do it. For example, many professionals who have undergone the Abhisam Industrial Cybersecurity training course can probably do it, if they have prior experience of carrying out IT security audits.

On the other hand, many generic cyber risk assessment consultants are basically Information Technology specialists, very good in business IT systems such as MIS or SAP (an ERP system), but they may not completely understand the world of Industrial Control Systems (DCS, PLC, SCADA, SIS), having never worked with them as a user, programmer, system integrator or developer.

Also they may have no idea about how industrial processes are controlled in the first place.

ICS security is a different animal from security of an ERP system like SAP or a business CRM system.

Unlike this situation, we at Abhisam have core specialization in Instrumentation, Process Automation and Control, coupled with Process Safety, Functional Safety, plant operations and maintenance, and the design, installation and commissioning of large process plants. So we are in a much better position to evaluate the risks from your viewpoint and can suggest and recommend measures that IT specialists may not think of.

We can help you carry out an integrated Risk Assessment that also includes malicious attacks. Your normal HAZOP or LOPA will not cover this: both assume that equipment failures and operator errors are random and independent of each other, whereas a deliberate attacker can defeat the control system and several protection layers at once, for example when the SIS shares the control network with the BPCS. Since this is a complex subject with many implications and moving parts, merely following a standard like IEC 62443 is not going to be enough. You may have to take guidance from a number of other standards and documents to come up with your own plan.
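To make the independence point concrete, here is an added worked example in Python. It is not code from Abhisam or from any standard, and every frequency, PFD, zone name and scenario in it is constructed for illustration. It runs the usual LOPA arithmetic (initiating event frequency times the product of the protection layers' probabilities of failure on demand) for a hypothetical separator overpressure scenario, then re-runs it with an attacker on the control network as the initiating event, withdrawing credit from any layer that sits in the compromised zone.

```python
# Added example (not Abhisam's page code or method): a LOPA-style calculation
# extended with a malicious-attack initiating event. Every frequency, PFD and
# zone assignment below is constructed for illustration only.
from dataclasses import dataclass, replace
from typing import FrozenSet, Tuple


@dataclass(frozen=True)
class Layer:
    name: str
    pfd: float   # probability of failure on demand credited in LOPA
    zone: str    # network zone hosting the layer; "mechanical" means not networked


@dataclass(frozen=True)
class Scenario:
    name: str
    initiating_event: str
    initiating_freq: float      # demands per year
    layers: Tuple[Layer, ...]   # protection layers credited in the LOPA
    target_freq: float          # tolerable mitigated event frequency, per year


def mitigated_frequency(s: Scenario) -> float:
    """Classic LOPA arithmetic: initiating frequency times the product of the
    layer PFDs. Only valid while every layer is independent of the initiating
    event and of every other layer."""
    f = s.initiating_freq
    for layer in s.layers:
        f *= layer.pfd
    return f


def risk_gap(s: Scenario) -> float:
    """Mitigated frequency divided by the target. Above 1.0 the scenario needs
    more risk reduction; at or below 1.0 it meets the target."""
    return mitigated_frequency(s) / s.target_freq


def cyber_variant(s: Scenario, attack_freq: float,
                  compromised_zones: FrozenSet[str]) -> Scenario:
    """Re-run the scenario with an attacker on the network as the initiating
    event. A layer that lives in a zone the attacker controls is no longer
    independent of the cause, so it gets no credit (PFD = 1.0)."""
    layers = tuple(
        replace(l, pfd=1.0, name=l.name + " (defeated)")
        if l.zone in compromised_zones else l
        for l in s.layers
    )
    return replace(
        s,
        name=s.name + " / cyber attack",
        initiating_event="attacker manipulates the BPCS pressure loop",
        initiating_freq=attack_freq,
        layers=layers,
    )


# Constructed separator-overpressure scenario (hypothetical numbers).
ALARM = Layer("high-pressure alarm + operator response", pfd=0.1, zone="control")
SIS_SHARED = Layer("SIS high-pressure trip, SIL 2, on the control network", pfd=0.01, zone="control")
SIS_SEGMENTED = Layer("SIS high-pressure trip, SIL 2, in its own zone", pfd=0.01, zone="safety")
RELIEF = Layer("pressure relief valve", pfd=0.01, zone="mechanical")

FLAT_NETWORK = Scenario(
    name="separator overpressure, flat network",
    initiating_event="BPCS pressure loop fails (random hardware fault)",
    initiating_freq=0.1,
    layers=(ALARM, SIS_SHARED, RELIEF),
    target_freq=1e-5,
)
SEGMENTED_NETWORK = replace(
    FLAT_NETWORK,
    name="separator overpressure, SIS in a separate zone",
    layers=(ALARM, SIS_SEGMENTED, RELIEF),
)
ATTACK_FREQ = 0.01   # assumption: one credible control-zone intrusion per 100 years


def report(s: Scenario) -> str:
    gap = risk_gap(s)
    verdict = "meets target" if gap <= 1.0 else "needs %.0fx more risk reduction" % gap
    return "%-52s %.1e /yr  (%s)" % (s.name, mitigated_frequency(s), verdict)


if __name__ == "__main__":
    attacker = frozenset({"control"})
    for sc in (FLAT_NETWORK,
               cyber_variant(FLAT_NETWORK, ATTACK_FREQ, attacker),
               SEGMENTED_NETWORK,
               cyber_variant(SEGMENTED_NETWORK, ATTACK_FREQ, attacker)):
        print(report(sc))
```

Run as a script it prints the four cases. With a flat network the conventional LOPA meets the target comfortably, yet the cyber-initiated case falls an order of magnitude short, because the alarm and the SIS share the compromised zone and neither can be credited; moving the SIS into its own zone, which is what IEC 62443 zoning is meant to achieve, restores the independence the LOPA arithmetic assumes. The attack frequency itself is a judgement call that HAZOP and LOPA give no basis for, which is exactly why the assessment has to be integrated rather than bolted on afterwards.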

We can help you in doing this.

Call us or email us today to know more.

SIS DCS architecture

A typical ICS architecture is shown above. It is unlike an ERP system or any other business IT system, from the outside as well as from the inside.

Download the Abhisam Industrial Cybersecurity Report now!

Related Courses and White Papers

Industrial Cybersecurity Course

Industrial Cyber Security Training Course

Learn all about Industrial Cyber security in this easy, self-paced e-learning course from Abhisam. To learn about the current state of Industrial Cyber security in various industries such as Oil & Gas, Automation, Chemicals, Water and others, you can download the Industrial Cyber security report now.

Covers everything that you need to know about ICS security. Spread over several modules, it covers basic concepts about Industrial Automation and Control Systems such as DCS, PLC, SCADA and SIS; cybersecurity fundamentals such as authentication, encryption, asymmetric keys and firewalls; and standards and tools such as IEC 62443, the MITRE ATT&CK for ICS matrix, honeypots, finding vulnerable systems with SHODAN and more.

Contact Us by filling the form below OR call us OR email


Just get this Confined Space Safety e-learning course today and get trained in working safely in confined spaces.

Note that it includes all the knowledge that you need to have to know how to work safely in confined spaces.

Can I not get this information free from elsewhere?

There is a common myth: "Just Google it".

It is a myth that you can simply Google for confined space information and get everything that you need to know.

Most likely you will get a large number of occupational safety articles and information, some videos, some power point slides, but much of the information may be in bits and pieces.

While you can get some basic information about confined space safety from these sources, it may not be complete. Even if you do find enough material, it will take you a long time to sequence it all together in one coherent document that makes sense to you.

Even after doing all this there is a possibility that you may not get what you really need to know from an OSHA compliance perspective.

Plus you will spend several hours of your time doing all this for zero returns on your investment!

On the other hand, when you take this Abhisam Confined Space safety course, you know that

    1. It is very carefully made, with subject matter experts in the fields of Occupational Safety, Process Safety and Industrial Operations who have spent decades in the actual field creating permit systems, investigating incidents and streamlining methods to reduce or eliminate confined space accidents.
    2. It utilizes easy graphics, animations and simulations, and real-life examples of dos and don'ts and of correct and incorrect practices, that enable you to understand everything easily.
    3. You earn a Certificate when you pass the associated exam and also get an electronic badge that can be displayed online on places such as LinkedIn. Get noticed.

Can I not simply buy a book? That will be much cheaper!

Of course, you could always pass this up and decide to buy a book on this topic instead, but remember that there are some disadvantages with this approach:

    1. The first is that not a single book is available that covers all the topics that you need to know. On the other hand, there are many books on general workplace safety, occupational safety and permit systems that may be relevant only to those working in normal workplaces, not to those dealing with confined spaces.
    2. Some of these books may be outdated and obsolete.
    3. Nobody gives you a certificate if you simply read a book!

What does the $7 trial include?

The $7 trial includes trial access to ALL the courses in the Abhisam Catalog for a limited time including this Confined Spaces Safety course

After the trial is over you can choose to either buy an individual course OR subscribe to the GOLD or PLATINUM membership plans.

Your card will not be billed automatically.

Which versions are available?

This course is available as either stand alone (select the Standard version above), Professional, or as part of the Abhisam GOLD membership level.

The Standard version allows you to access the course online from any device (PC/tablet/smartphone) that has an internet connection and a browser that supports HTML 5 (such as Mozilla Firefox, Google Chrome, Internet Explorer, Microsoft Edge, Opera, etc). You can access the course for a period of one year, within which you need to take the exam to earn a Certificate (electronic). You will also earn an electronic badge that can be displayed online on LinkedIn and similar portals.

The Professional version allows you access to the course for 3 years online. You will also earn an electronic badge that can be displayed online on LinkedIn and similar portals.

The content in the Standard and Professional versions is the same.

What is the Abhisam GOLD membership?

When you subscribe to the Abhisam GOLD membership, you get access to all the courses in the Abhisam Catalog, by paying just one low monthly subscription with no commitment as you can cancel anytime. You can also get a free certification exam every month. If you are interested in taking a bunch of courses, then the GOLD membership gives you an affordable plan to do this. This is available to individuals only.

What is the Abhisam Platinum membership?

This is meant for organizations with multiple learners. When you subscribe to the Abhisam Platinum membership, your learners get access to all the courses in the Abhisam Catalog, by paying just one low Enterprise yearly subscription. You can also get a free certification exam every month. 

Additionally Platinum membership gives you a Dashboard where your Training Manager can see the progress of the learners, such as learner module completion, login times, test scores, etc.