
Secure-by-Design (part 2) – Cyber security risk assessment and countermeasures

Energy transition assets are prime targets for cyber attacks by individuals, criminal groups, or even nation states in the case of critical national infrastructure like offshore wind. As well as targeting information technology (IT) systems to cause disruption and demand ransom payments, sophisticated attackers can take over operational technology (OT) systems and stop operations or initiate major accidents such as a fire or structural collapse. So how does an organisation proactively identify the cyber vulnerabilities of its assets and implement robust countermeasures to fortify its cyber defences?

This article is the second of a three-part series that aims to set out an approach to help ensure energy transition assets are “secure-by-design”.

INTRODUCTION

The first article of this three-part series described the range of cyber attackers and the havoc they can wreak on energy transition assets. It established that the cyber threat extends beyond commercial disruption of the business, with the potential to impact the physical safety of personnel. As such, the UK regulatory environment requires the cyber risk to be reduced to as low as reasonably practicable (ALARP), which means an asset cannot be “safe-by-design” unless it is also “secure-by-design”. This article presents the concept of “secure-by-design” and how an organisation can go about achieving it.

THE PROTECTED ASSET

To fully protect an asset requires an integrated approach to managing risks across several security domains (see Figure 1).

Figure 1 – The protected asset

These domains are interconnected and overlap, or can occasionally conflict, when it comes to protecting critical assets like offshore wind farms, solar farms, or hydrogen storage facilities. For example, a cyber attack that successfully encrypts an asset’s secure information and data, such as engineering drawings and safe operating procedures like the permit-to-work system, could cause the asset to shut down on safety grounds. Alternatively, a physical breach could enable an attacker to gain direct access to OT components and manipulate or disrupt the control systems. Cyber security does not exist in isolation.

While cyber security and the other security domains each have their own distinct focus areas, their objectives often intersect, requiring close collaboration and alignment between the respective teams responsible for managing them. Effective coordination and integration of security measures are essential for organisations to comprehensively protect their assets.

SECURE-BY-DESIGN

An organisation’s business goals will drive its cyber security objectives (see Figure 2). Typical business goals in the energy transition include maximising energy generation and revenue, ensuring operational safety and regulatory compliance, minimising operational costs and disruptions, maximising the asset lifespan and reliability, and maintaining a positive public and stakeholder reputation.

Cyber threats can jeopardise all these goals including operational safety. Cyber security objectives therefore need to be set to ensure cyber risks are reduced ALARP. This approach ensures that cyber security countermeasures are not implemented in isolation, but rather as an integral part of the organisation’s overall business strategy and risk management framework. The core objective for a new asset should be to achieve “secure-by-design”.

Figure 2 – Security objectives

Secure-by-design is about designing an asset in such a way that the cyber risks associated with its entire lifecycle are eliminated wherever reasonably practicable through design. However, in an ever more digitally interconnected world, elimination is often not possible. Secure-by-design then requires the cyber risks to be reduced to acceptable levels through the provision of robust countermeasures. Secure-by-design increases cyber resilience by taking a consistent approach to building effective and proportionate cyber countermeasures into the asset’s OT.

THE HIERARCHY OF CYBER RISK CONTROLS

The “hierarchy of risk controls” is an invaluable risk management tool that neatly illustrates the preferred order in which risk reduction measures should be applied, from most to least effective. A version of this hierarchy applied to cyber risk reduction is shown in Figure 3. It provides a useful model for thinking about a “defence-in-depth” approach, where multiple layers of security countermeasures are deployed to increase resilience against cyber threats.

Figure 3 – Hierarchy of cyber risk controls

The most effective approach during the design phase of a new asset is to eliminate entirely the potential for a cyber attack, for example designing analogue or passive OT systems, or to eliminate paths for a cyber attack, for instance not connecting a system to the internet. This approach minimises the “attack surface”.

Where elimination is not possible, the preferred approach is to reduce cyber attack paths in the design of the system, for example by reducing the number of logical entry points. Next, consideration is given to isolating critical OT systems and networks from other networks such as the corporate IT network, by, for example, deploying industrial demilitarised zones (DMZs) and firewalls, restricting communication to only necessary traffic.

Control measures include administrative, technical, and physical controls: for example, installing physical access controls such as locks and keys, introducing multi-factor authentication (MFA) so that only authorised personnel can gain access, applying encryption, and deploying secure remote access solutions to control and secure access to OT systems and data. One of the best defences against a persistent attack is an intrusion detection system, which monitors traffic between devices and promptly flags any suspicious activity for further investigation. More advanced systems can automatically cut communications.
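The isolation and monitoring controls described above can be expressed as a simple allowlist check over flow records. The following is an added example, not code from the article or from Cairn: hosts, zones, ports and log lines are constructed, and a flow is flagged when it crosses directly between the corporate IT zone and the OT zone (bypassing the industrial DMZ), involves an unregistered host, or is not an expected conversation.

```python
"""Allowlist monitoring of flows across an IT / DMZ / OT network design.
Added example (not from the article). Hosts, ports and log lines are
constructed; a flow is flagged if it crosses IT<->OT directly, bypassing
the industrial DMZ, involves an unregistered host, or is not allowlisted.
"""
from collections import namedtuple

Flow = namedtuple("Flow", "src dst port")

ZONES = {"scada-srv": "OT", "wtg-plc-01": "OT", "eng-ws": "OT",
         "historian-dmz": "DMZ", "corp-file-srv": "IT", "corp-laptop-17": "IT"}

# Expected conversations only: "restrict communication to necessary traffic".
ALLOWED = {
    Flow("scada-srv", "wtg-plc-01", 502),         # Modbus/TCP polling of turbine PLC
    Flow("eng-ws", "wtg-plc-01", 502),            # engineering workstation to PLC
    Flow("scada-srv", "historian-dmz", 443),      # OT pushes data into the DMZ
    Flow("corp-file-srv", "historian-dmz", 443),  # IT reads from the DMZ, never OT
}

def classify(flow):
    """Return 'expected' or the reason the flow is suspicious."""
    src_zone, dst_zone = ZONES.get(flow.src), ZONES.get(flow.dst)
    if src_zone is None or dst_zone is None:
        return "unknown-host"
    if {src_zone, dst_zone} == {"IT", "OT"}:
        return "it-ot-bypass"   # must traverse the DMZ, never go direct
    if flow not in ALLOWED:
        return "unlisted"
    return "expected"

def parse(line):
    """Parse a 'src=<host> dst=<host> port=<n>' record into a Flow."""
    fields = dict(token.split("=", 1) for token in line.split())
    return Flow(fields["src"], fields["dst"], int(fields["port"]))

def alerts(lines):
    """Return (line, verdict) for every flow that is not expected."""
    result = []
    for line in lines:
        verdict = classify(parse(line))
        if verdict != "expected":
            result.append((line, verdict))
    return result

# Constructed flow log, as exported from a switch SPAN port or monitoring tap.
SAMPLE_LOG = [
    "src=scada-srv dst=wtg-plc-01 port=502",
    "src=corp-laptop-17 dst=wtg-plc-01 port=502",  # direct IT to OT
    "src=eng-ws dst=scada-srv port=3389",          # not on the allowlist
    "src=10.9.9.9 dst=historian-dmz port=443",     # unregistered host
]
```

Running `alerts(SAMPLE_LOG)` returns the three flagged records with their verdicts; the first record is an expected SCADA-to-PLC poll and is not reported.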

Protection measures involve establishing and enforcing cyber policies and procedures, as well as training programmes to promote a positive culture of cyber security awareness and best practices for personnel responsible for operating and maintaining OT systems. Protection measures also include the incident management procedures for limiting the adverse impact of a detected attack and for cleansing and returning systems to normal operations. Relying on disciplinary measures to address personnel who fail to adhere to security procedures, or who engage in actions or behaviours that could compromise the security of OT systems, is the least effective risk control.

Risk assessments and periodic reviews are necessary to ensure the effective implementation of these controls during the design stage and, once operational, to adapt to evolving cyber threats in the OT environment.

CYBER SECURITY RISK ASSESSMENT

The primary goal of cyber security risk assessment (CSRA) is to make risk-informed decisions about mitigation strategies. However, unlike traditional safety risk assessments, where the likelihood of incidents can be estimated from publicly available data sources, the cyber threat landscape is constantly evolving. It is not possible to predict the likelihood of specific threats with any degree of certainty, as they originate from various sources and the threat level can change regularly. The best way forward therefore is a consequence-only approach, which not only simplifies the assessment process but also allows effort to be focused on those issues posing the greatest impact on the asset.

The first line of cyber security defence is a secure network design. Therefore, the starting point of the CSRA is a detailed and accurate network drawing and associated asset register listing all the network devices. These devices range from the SCADA (Supervisory Control and Data Acquisition) system, control systems, and field devices, through to the supporting infrastructure like servers, workstations, and network components. Where this information is not readily available or up to date, significant effort may be required to create it.

The CSRA process is summarised in Figure 4. The first step is to screen out non-essential devices and services, concentrating only on those that impact safety or the generation of electricity. For instance, on an offshore wind farm, devices like workstations, printers, and servers used for administrative or office functions that are not directly connected to the OT systems controlling the wind turbines would be screened out, leaving devices such as the wind turbine control systems, SCADA system, and electrical substation automation systems for further assessment.

Next, any vulnerabilities in these systems are identified and the potential consequences ranked should those vulnerabilities be exploited. For example, wind turbine control systems may use outdated firmware or software with known vulnerabilities that could be exploited by attackers to gain unauthorised control or disrupt operations.

Figure 4 – Cyber security risk assessment

Suitable pragmatic countermeasures are then proposed. For instance, implementing a robust patch management process to ensure that wind turbine control systems are promptly updated with the latest security patches and firmware updates provided by the vendor or manufacturer. These countermeasures need to be in line with recognised good practice and the constraints of the technology, and tailored to suit the organisation’s risk appetite and expected threat level.

In the UK, the HSE’s cyber security operational guidance (Ref. 1) identifies a basic level of countermeasures to address the lower levels of risk based on the National Cyber Security Centre (NCSC) “baseline” cyber assessment framework (CAF) profile (Ref. 2). Where the threat level is perceived as higher, the basic countermeasures may need to be improved to address the “enhanced” profile. For example, a basic level of access control countermeasures for individual accounts would be usernames and passwords, with dual factor authorisation (DFA) for remote logins, whereas an enhanced level would start with DFA and extend to dedicated links to specific remote machines.
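The CSRA steps set out above (screen the asset register, rank vulnerabilities by consequence only, propose countermeasures) and the basic/enhanced profile choice just described can be carried through on a small asset register. The following is an added example, not code from the article or from Cairn: the device names, vulnerabilities, consequence scores and the two-level profile are constructed for illustration.

```python
"""Consequence-only cyber security risk assessment (CSRA) over an asset register.
Added example (not from the article). Devices that affect neither safety nor
generation are screened out, each remaining vulnerability is ranked by
consequence only (no likelihood estimate), and the countermeasure profile
follows the perceived threat level. Register contents are constructed.
"""
from dataclasses import dataclass, field

# Consequence ranking should a vulnerability be exploited; higher is worse.
CONSEQUENCE = {"negligible": 1, "minor": 2, "major": 3, "catastrophic": 4}

@dataclass
class Device:
    name: str
    affects_safety: bool = False
    affects_generation: bool = False
    vulnerabilities: dict = field(default_factory=dict)  # description -> label

def screen(register):
    """Step 1: keep only devices that impact safety or electricity generation."""
    return [d for d in register if d.affects_safety or d.affects_generation]

def rank(devices):
    """Step 2: (device, vulnerability, score) tuples, worst consequence first."""
    rows = [(d.name, vuln, CONSEQUENCE[label])
            for d in devices for vuln, label in d.vulnerabilities.items()]
    return sorted(rows, key=lambda r: r[2], reverse=True)

def profile(threat_level):
    """Step 3: 'basic' countermeasure profile for lower perceived threat,
    'enhanced' where the threat level is judged high."""
    return "enhanced" if threat_level == "high" else "basic"

def assess(register, threat_level):
    """Run the three steps and return prioritised findings for treatment."""
    return [{"device": dev, "vulnerability": vuln, "consequence": score,
             "countermeasure_profile": profile(threat_level)}
            for dev, vuln, score in rank(screen(register))]

# Constructed offshore wind asset register (names and findings illustrative).
REGISTER = [
    Device("wtg-controller-01", affects_safety=True, affects_generation=True,
           vulnerabilities={"outdated firmware with known issues": "major"}),
    Device("scada-server", affects_generation=True,
           vulnerabilities={"unpatched operating system": "major",
                            "remote login without second factor": "catastrophic"}),
    Device("office-printer"),       # administrative only: screened out
    Device("admin-workstation"),    # not connected to OT: screened out
]
```

Calling `assess(REGISTER, "high")` returns three findings, the catastrophic-consequence SCADA remote login first, each tagged with the enhanced profile; the printer and administrative workstation never reach the ranking step.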

Cyber security is about understanding the asset’s cyber vulnerabilities and making them difficult to exploit, but also being prepared to respond. Monitoring of network traffic and early detection of anomalous events is crucial, as well as mitigation activities designed to contain or limit the impact of the compromise. Finally, processes need to be in place to restore essential functions so as to minimise the adverse impact of the cyber attack.

REGULATORY COMPLIANCE

In the UK, there is a duty to reduce the risk of harm to ALARP under the Health and Safety at Work Act 1974 (HSAWA), even when the risks originate from a cyber attack. A system can only be safe if it is secure. Many operators of energy transition assets are likely to be classed as an “operator of essential services” under the Network and Information Systems (NIS) Regulations 2018, and a loss of business continuity and essential services will be a reportable incident.

For HSAWA, the UK Health and Safety Executive (HSE) is the competent authority and for NIS the competent authority is Ofgem. Some assets will need to satisfy both competent authorities, each with different priorities and different assessment criteria. Taking a structured, risk-based, secure-by-design approach will enable regulatory compliance.

CONCLUSION

Cyber threats can exploit the OT of energy transition assets and pose a significant business risk as well as potential safety risk. Cyber security needs to be addressed as part of a comprehensive approach to ensuring an asset is fully protected from all forms of security risks. Secure-by-design aims to increase cyber resilience by taking a consistent approach to building effective and proportionate cyber countermeasures into the network and OT. Secure-by-design ensures cyber risks associated with the entire asset lifecycle are eliminated wherever reasonably practicable through design, or, where not, are reduced to an acceptable threat level through the provision of effective countermeasures.

The third and final article of this cyber security series will focus on the steps an organisation can take to create a cyber security management system, and develop a proactive culture dedicated to maintaining cyber security.

References

  1. Cyber Security for Industrial Automation and Control Systems (IACS), HSE OG-0086 (Operational Guidance), Edition 2, August 2021.
  2. Which CAF profile should I use?, National Cyber Security Centre, https://www.security.gov.uk/guidance/govassure/which-caf-profile (accessed 22 May 2024).
