Digitalisation, including cybersecurity

Data protection strategies and ‘defence in depth’

Introduction

Safe production of on-specification chemical products typically relies heavily on a range of digital tools and data sources, so protecting them through cybersecurity is essential. Defence in Depth (DID) is the prevalent term used in IT for independent layers of protection, made up of a combination of hardware and software, that prevent or mitigate unauthorised access. It covers procedural, engineered or technical, and physical security controls. The concept is similar to the layers-of-protection paradigm commonly adopted for process safety, which typically consists of a hierarchy of independent technical, procedural and physical protection layers, such as process design and control functions, manual and automated safety functions, and emergency responses. However, the distinction between procedural and technical controls blurs more easily in data protection than in process safety, because in the digital space procedures can readily be enforced by technical means. 

Cybersecurity differs in another way: attacks can come from different ‘angles’, so the traditional one-dimensional Swiss cheese model that applies well to process safety does not necessarily translate well. Only good training and awareness can effectively and consistently prevent phishing attacks. This fact page describes data protection strategies and defence in depth, and outlines how a combination of good technical design, maintenance procedures and physical security can improve the cybersecurity of chemical processes and reduce the risk of technical attacks. 

Procedural strategies – reduce the internal staff risk 

User training and cybersecurity awareness are the best defences against phishing and similar social engineering techniques used to access secure systems and data. Recommended and common practice in security conscious organisations is to have a prominent training package as part of new starter inductions. Periodic reinforcement through reassessment is also common and wise. 

Well-supported software should receive reactive security ‘hotfixes’: minimalist updates that only fix security issues. Regularly patching software protects the system that the program is part of against recently identified technical vulnerabilities. The targeted nature of these updates reduces the risk of introducing operability issues associated with making larger changes to a production system, which may be a concern in risk-averse environments. Network infrastructure is also increasingly ‘smarter’, with its own updateable firmware, and servers often have small management systems with high levels of access restriction and security. These easy-to-miss components are also potential access points, and should not be neglected during routine software maintenance.  

Formally endorsed responsibility matrices (‘RASCI’) and management-of-change practices that consider cybersecurity help to minimise neglect in this space, which can arise when responsibilities are divided between IT and OT stakeholders. 

Technical strategies – make it hard to get in 

1. Rigorous authentication

Do not rely on passwords alone. Require multifactor authentication, combining something only the authorised user would know (eg a strong password), something they have (eg a one-time password generator or dongle code) and something they are (eg a fingerprint). 
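As an added illustration (not code from the fact page), the following Python combines the first two factors above: a salted password hash for something the user knows and an RFC 6238 time-based one-time password (TOTP) for something the user has. The user record layout, function names and the demo secret are assumptions for the example; the secret is the RFC 6238 test value, not one a real deployment would use.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

# Constructed example: a two-factor check combining a salted password hash
# (something the user knows) with a TOTP code (something the user has).

PBKDF2_ITERATIONS = 100_000
TOTP_STEP = 30          # seconds per code, as in RFC 6238
TOTP_DIGITS = 6


def make_user_record(password: str, totp_secret: bytes) -> dict:
    """Enrol a user: store only a salted PBKDF2 hash of the password, never the plaintext."""
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "pw_hash": pw_hash, "totp_secret": totp_secret}


def verify_password(user: dict, password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ITERATIONS)
    # Constant-time comparison: a plain '==' can leak how many leading bytes matched.
    return hmac.compare_digest(candidate, user["pw_hash"])


def totp(secret: bytes, at_time: int) -> str:
    """RFC 6238 time-based one-time password (HMAC-SHA1, 6 digits)."""
    counter = at_time // TOTP_STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** TOTP_DIGITS).zfill(TOTP_DIGITS)


def verify_totp(user: dict, code: str, now: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbouring steps to tolerate clock drift."""
    return any(
        hmac.compare_digest(totp(user["totp_secret"], now + k * TOTP_STEP), code)
        for k in range(-window, window + 1)
    )


def authenticate(user: dict, password: str, code: str, now: Optional[int] = None) -> bool:
    """Both factors must pass; a stolen password alone is not enough."""
    now = int(time.time()) if now is None else now
    # Evaluate both factors unconditionally so the response time does not
    # reveal which factor was wrong.
    ok_password = verify_password(user, password)
    ok_code = verify_totp(user, code, now)
    return ok_password and ok_code


if __name__ == "__main__":
    # Demo with the RFC 6238 test secret; a real secret is generated randomly per user.
    demo = make_user_record("correct horse battery staple", b"12345678901234567890")
    print("current code:", totp(demo["totp_secret"], int(time.time())))
    print("login ok:", authenticate(demo, "correct horse battery staple",
                                    totp(demo["totp_secret"], int(time.time()))))
```

A production system would add what this sketch leaves out: rate limiting on failed attempts, refusing to accept the same code twice within its validity window, and a secure channel for enrolling the shared secret.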

2. Layered/levelled/zoned networks

Firewalls limit access to network locations using rules based on where a request is coming from, where it is going and what it is for. Networks are traditionally organised into layers or levels; moving between them is deliberately difficult even for authorised purposes, and ought to be impossible for malicious ones. Best practice is to ignore as many requests as your organisation can practically do without – such as ping requests or responses to port scanners – so that attackers cannot easily explore your network if they do get access. This is a form of security by obscurity: it slows reconnaissance rather than blocking access, so it complements the access rules rather than replacing them. 
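To make the zoned, default-deny model concrete, here is an added Python sketch of a zone-based policy evaluator; it is illustrative code written for this page, not the configuration of any real firewall product. The zone names and levels, the rule set, the Modbus/TCP and HTTPS ports, and the `audit_rules` check for level-skipping allow rules are all constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed zones, numbered so that adjacent levels are the only legitimate
# neighbours (a request from level 4 to level 2 skips the DMZ in between).
ZONES = {
    "enterprise": 4,   # business LAN
    "dmz": 3,          # historian replicas, jump hosts
    "control": 2,      # supervisory systems and control PLCs
    "safety": 1,       # safety PLCs, logically air-gapped
}


@dataclass(frozen=True)
class Request:
    src_zone: str
    dst_zone: str
    proto: str                       # "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None
    icmp_type: Optional[str] = None  # eg "echo-request"


@dataclass(frozen=True)
class Rule:
    src_zone: str                    # zone name or "*"
    dst_zone: str
    proto: str
    dst_port: Optional[int]          # None matches any port
    action: str                      # "allow", "deny" (reject) or "drop" (silent)
    reason: str


# Explicit allow-list, evaluated first match wins; anything unmatched is dropped.
RULES = [
    Rule("enterprise", "dmz", "tcp", 443, "allow", "historian web view via DMZ replica"),
    Rule("dmz", "control", "tcp", 502, "allow", "DMZ historian polls control PLCs (Modbus/TCP)"),
    Rule("enterprise", "control", "*", None, "deny", "no direct business-to-control traffic"),
    Rule("*", "safety", "*", None, "deny", "safety zone reachable only from within itself"),
]


def evaluate(req: Request, rules: List[Rule] = RULES) -> Tuple[str, str]:
    """Return (action, reason) for a request crossing the firewall."""
    # Reconnaissance traffic is dropped silently: no reply, so a scanner learns nothing.
    if req.proto == "icmp" and req.icmp_type == "echo-request" and req.src_zone != req.dst_zone:
        return "drop", "ping not answered across zones"
    for r in rules:
        if r.src_zone not in ("*", req.src_zone):
            continue
        if r.dst_zone not in ("*", req.dst_zone):
            continue
        if r.proto not in ("*", req.proto):
            continue
        if r.dst_port is not None and r.dst_port != req.dst_port:
            continue
        return r.action, r.reason
    # Default policy is drop rather than reject, again to give port scanners no answer.
    return "drop", "default policy: no matching allow rule"


def audit_rules(rules: List[Rule]) -> List[str]:
    """Flag allow rules that would let traffic bypass a layer (skip a level) or use wildcards."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        if "*" in (r.src_zone, r.dst_zone):
            findings.append(f"rule '{r.reason}' allows a wildcard zone")
            continue
        if abs(ZONES[r.src_zone] - ZONES[r.dst_zone]) > 1:
            findings.append(f"rule '{r.reason}' allows {r.src_zone} -> {r.dst_zone}, skipping a level")
    return findings


if __name__ == "__main__":
    for req in (
        Request("enterprise", "dmz", "tcp", 443),
        Request("enterprise", "control", "tcp", 502),
        Request("enterprise", "control", "icmp", icmp_type="echo-request"),
        Request("dmz", "control", "tcp", 22),
    ):
        print(req.src_zone, "->", req.dst_zone, req.proto, req.dst_port, "=>", evaluate(req))
    print("audit findings:", audit_rules(RULES))
```

The distinction between `deny` and `drop` matters in the text's sense of ignoring requests: a reject tells the sender the host exists and a rule blocked it, whereas a drop reveals nothing. The `audit_rules` check is the kind of review worth running whenever a management-of-change request adds a new firewall rule.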

3. Air-gapping  

Historically, the physical isolation of process control systems was a perfect solution. However, with the increased prevalence of digitalisation and the expectation of remote access for daily work and technical support, this strategy is becoming impractical, though it is still prevalent for safety systems. Modern control systems are more than just a safety PLC and a control PLC with field sensors – IoT-style instrumentation, complex historians and networked black boxes for supervisory control are increasingly common. Each of these is a potential cybersecurity risk because it provides a digital access path into a network layer. Network ‘zones’ or digital ‘air gaps’, which act like layers within a layer, can be implemented to mitigate this risk at the cost of additional network complexity. 

4. Network monitoring 

Software, hardware and combined packages are available that provide continuous monitoring of network traffic. Detection of abnormal traffic usually relies on an effective algorithm provided by a vendor, or on routine inspection of the collected data. Some of these solutions may require network downtime or supporting infrastructure to implement; however, the relative cost of these may be negligible compared to that of an incident. 
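The following added Python example (not part of the fact page, and not any vendor's algorithm) shows the simplest form the "routine inspection of collected data" can take: learn the set of normal talker pairs from a quiet period, then flag flows outside that baseline and sources that touch many ports on one host. The flow records, addresses and port values are constructed for the example, and the record format is an assumption.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample flow records: "timestamp src dst dst_port proto".
# Baseline window: a control-zone historian (10.2.0.10) polling two PLCs on
# Modbus/TCP (502) and an enterprise client reaching the historian over HTTPS.
BASELINE_LOG = """\
2024-01-01T08:00:01 10.2.0.10 10.1.0.5 502 tcp
2024-01-01T08:00:02 10.2.0.10 10.1.0.6 502 tcp
2024-01-01T08:00:03 10.3.0.20 10.2.0.10 443 tcp
2024-01-01T08:00:04 10.2.0.10 10.1.0.5 502 tcp
"""

# Live window: normal polling continues, but an unfamiliar host (10.3.0.99)
# touches six different ports on one PLC within a few seconds.
LIVE_LOG = """\
2024-01-01T09:00:01 10.2.0.10 10.1.0.5 502 tcp
2024-01-01T09:00:02 10.3.0.99 10.1.0.5 502 tcp
2024-01-01T09:00:03 10.3.0.99 10.1.0.5 22 tcp
2024-01-01T09:00:03 10.3.0.99 10.1.0.5 23 tcp
2024-01-01T09:00:04 10.3.0.99 10.1.0.5 80 tcp
2024-01-01T09:00:04 10.3.0.99 10.1.0.5 443 tcp
2024-01-01T09:00:05 10.3.0.99 10.1.0.5 8080 tcp
2024-01-01T09:00:06 10.2.0.10 10.1.0.6 502 tcp
"""

FlowKey = Tuple[str, str, int]   # (src, dst, dst_port)


def parse_flows(text: str) -> List[Dict]:
    """Parse whitespace-separated flow records; blank lines are ignored."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, proto = line.split()
        flows.append({"ts": ts, "src": src, "dst": dst, "port": int(port), "proto": proto})
    return flows


def learn_baseline(flows: List[Dict]) -> Set[FlowKey]:
    """The baseline is simply the set of (src, dst, port) triples seen in a known-good window."""
    return {(f["src"], f["dst"], f["port"]) for f in flows}


def detect(flows: List[Dict], baseline: Set[FlowKey], scan_threshold: int = 5) -> List[Tuple]:
    """Return alerts: one 'new-flow' per unseen triple, one 'port-scan' per noisy (src, dst) pair."""
    alerts = []
    seen_new: Set[FlowKey] = set()
    ports_by_pair: Dict[Tuple[str, str], Set[int]] = defaultdict(set)
    for f in flows:
        key = (f["src"], f["dst"], f["port"])
        if key not in baseline and key not in seen_new:
            seen_new.add(key)
            alerts.append(("new-flow", f["src"], f["dst"], f["port"]))
        ports_by_pair[(f["src"], f["dst"])].add(f["port"])
    for (src, dst), ports in ports_by_pair.items():
        if len(ports) >= scan_threshold:
            alerts.append(("port-scan", src, dst, len(ports)))
    return alerts


if __name__ == "__main__":
    baseline = learn_baseline(parse_flows(BASELINE_LOG))
    for alert in detect(parse_flows(LIVE_LOG), baseline):
        print(alert)
```

In a real plant the baseline would be relearned after every approved change (a new historian, a replaced PLC), otherwise legitimate traffic raises alerts and operators learn to ignore them; that re-baselining step is where the management-of-change process and the monitoring tool meet.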

Physical strategies – limit access at the keyboard 

Common wisdom is that once unauthorised physical access occurs, no other protection is effective. Network security and software updates simply cannot protect against the physical removal of hardware containing data to be accessed later, or the addition of malicious hardware that creates a new, unknown means of access. Security guards and patrols are the traditional physical safeguards. For these to be effective, security procedures and records of authorised persons should be kept up to date, especially for contract staff who may be less well known to the operator. 

Local authentication (ie logging in to a workstation) and encryption of stored data may also prevent local access, but a risk assessment should be performed to determine whether hindering authorised access in this manner is safe or appropriate. If decryption keys are lost, or there is an issue with the encryption mechanism, however unlikely, the data or workstation may become inoperable, although this can be addressed by having robust backups available. 

A suggested practice to limit entry further is to disable unnecessary access, for example by restricting or banning the use of USB storage devices on particular hardware systems, as these have been known to be used to carry malware deliberately across plant boundaries. 

DID in the process industries 

Defence in Depth (DID) is ubiquitous across security-conscious organisations for whom data is often their business; however, the process industries have additional critical systems that must be protected to maintain safety, protect the environment, and ensure product quality. 

Process safety is central to modern process design, curricula and operating practice; however, the cybersecurity analogue is seldom given the same attention. Cybersecurity involves specific and often unfamiliar terminology, and its defences are invisible compared with safety devices like relief valves, alarms or big red shutdown buttons. By putting cybersecurity concerns front and centre and implementing robust practical training across the organisation, good awareness and a cybersafe culture are more likely to develop. 

Who should be responsible? 

Data protection and cybersecurity are not often discussed within the context of process safety management, yet the consequences of a failure could directly compromise the safety of a plant and significantly affect the surrounding community. The assignment of responsible persons to safeguard operational technology is, however, contentious. Drawing on the expertise available in each relevant team, ie IT, functional safety and instrumentation/electrical, may offer a sufficiently diverse skillset to achieve a practical and comfortable level of cybersecurity. As with process safety, though, a system can only be effective if its users are aware, trained and engaged. Organisational culture is therefore key, and data protection and cybersecurity should be promoted as everyone’s responsibility in the process industry. 
