(97c) A Provider-Driven Cyber Risk Assessment Method for Process Digital Twin Solutions
AIChE Spring Meeting and Global Congress on Process Safety
2023
2023 Spring Meeting and 19th Global Congress on Process Safety
Industry 4.0 Topical Conference
Cybersecurity in the Chemical Industry II
Tuesday, March 14, 2023 - 3:45pm to 4:30pm
The recent, well-documented success of process digital twins in delivering real value to the process industries, often as part of Industrial Internet of Things and Industry 4.0 initiatives, has accelerated the convergence of information technology (IT) and operational technology (OT). The economic and environmental benefits of a digital transformation strategy supported by digital twin technologies have encouraged more and more businesses to accelerate this convergence. Digital Applications (DAs) are key components of such digital twins. They offer high-fidelity online process-modelling capabilities that cover an array of specific purposes and can be deployed in a wide range of digital architectures, depending on the client's setup. Providers of such solutions face the complex challenge of adapting a design that can be overlaid onto the recipient's IT/OT infrastructure without compromising its integrity, while taking into account a multitude of IT and OT standards set both by the recipient and by industry. The guiding principle of "security-by-design" is an intrinsic expectation of such systems.
It is widely recognized that connected process systems within facilities such as oil refineries, large petrochemical sites or critical manufacturing plants carry a high likelihood of being targeted by cyber-attacks, with potentially significant consequences. The digital twin solution provider must therefore be especially conscious of cybersecurity risk when introducing hybrid IT/OT digital twins that touch the safety zones of the cyber-physical systems typically found in the process industries. Digital twin solutions are increasingly connected, in near-real time, to live and historical process data; operators are thus opening traditionally closed systems and allowing hybrid connectivity, provided this can be done in a manner where risks are managed and controlled. The provider is often treated as a risk that may undermine the security of the recipient's organization and that must be managed as part of a Cybersecurity Management System (CSMS). This is traditionally led by the recipient organization through measures such as rigorous provider screening processes, third-party software vulnerability scanning and agreements that place liability firmly on the provider. It should be noted, however, that the solution provider will always have the best understanding of its own technologies and should therefore be involved collaboratively in developing a trustworthy implementation.
Integral to the process digital twin solution, a typical Digital Application comprises several key elements: one or more data clients to read plant or historical data; software that may include execution scheduling and optimization routines; data handshake routines; a database for calculation results; a human machine interface (HMI) to present results to the user; a link to other computers/machines on the IT/OT network; and a link for live data to/from external sources. These elements are designed and placed within the context of the recipient's infrastructure to satisfy its scope of operation and realize the benefits. The variation in context compels each implementation to be treated uniquely, both when it is assessed against organizational and international standards and when risks are identified for mitigation. These activities must be led by the provider working closely with the recipient. There are many established means of scanning, assessing and accrediting individual components of a solution at a technical, granular level, such as known-vulnerability scanning and patching and product certification based on IEC 62443-4-1 (secure product development lifecycle requirements). However, there are few documented methods of assessing the risks introduced by a full solution architecture, as in the case of a DA, within the context of the recipient's infrastructure. The provider must be seen as part of the solution to an overall sustainable cyber risk management strategy if an organization is to successfully leverage leading process digital twin technologies.
In this paper, we present a provider-driven method of performing a holistic, context-driven risk assessment which not only encourages a "secure-by-design" approach to a process digital twin solution, but also acts as a continuous improvement mechanism for the provider itself. It describes an adaptable framework for identifying technical and non-technical risks that may be overlooked by granular methods and aims to give confidence that the risks of a new hybrid digital application solution are acceptable and manageable when placed within the operational context of an organization and adjacent to cyber-physical systems.
This method consists of three key phases: scoping, analysis and control. Scoping describes the digital twin solution completely within the recipient's technical and operational context and includes elements such as the definition of data flows between components and the identification of authorized operational workflows and personnel. Crucially, it also needs to recognize internal processes that may later affect the delivery of the solution, such as change management and software whitelisting procedures. The analysis phase identifies risks created by authorized and unauthorized operational and other scenarios. It takes into account the people elements: assembling and guiding the right team to conduct such an assessment and identifying the responsibilities of all stakeholders. It also takes relevant international standards (e.g. ISA-95, IEC 62443) and the recipient's own internal standards into account, and thus acts as an opportunity for the provider to ensure that the solution is aligned with expectations. Finally, the control phase produces a series of mitigation measures, categorized as targeted instructions to the recipient (e.g. triggering change management, whitelisting and credential creation processes), technical design decisions for the solution (e.g. data validation requirements prior to transmittal to an ICS), internal process improvement suggestions to the vendor itself (e.g. improvements to internal data handling) and a clear framework for the recipient and provider to collaborate (e.g. controlled remote access for installation and commissioning), so as to deliver a secure-by-design solution and operational workflows.
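The control-phase design decision mentioned above, data validation before anything is transmitted to an ICS, as an added example in Python (this is illustrative code written for this page, not the paper's method or any vendor's product): a write gate that sits between the DA's optimization output and the ICS write client and refuses anything that is not on the agreed allowlist, not a finite number, derived from stale or bad-quality source data, outside engineering limits, or too large a step from the value last read back. The tag names, limits, quality flags and sample requests are assumptions constructed for illustration.

```python
"""Write-validation gate between a process digital application (DA) and an ICS.

Added example written for this page; not the paper's method or any vendor's
product. Tag names, limits and the sample requests are constructed.
"""
import math
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class TagPolicy:
    """Engineering constraints agreed with the recipient for one writable tag."""
    lo: float                 # engineering low limit
    hi: float                 # engineering high limit
    max_step: float           # largest permitted change per write
    max_source_age_s: float   # live data older than this is treated as stale


@dataclass(frozen=True)
class WriteRequest:
    tag: str
    value: float
    source_age_s: float       # age of the live data the value was derived from
    source_quality: str       # OPC-style quality of that data: GOOD / UNCERTAIN / BAD
    current_value: Optional[float] = None  # last value read back from the ICS


@dataclass(frozen=True)
class Decision:
    accepted: bool
    reason: str


# Assumed write allowlist (hypothetical tags): anything not listed is never forwarded.
POLICY: Dict[str, TagPolicy] = {
    "FIC101.SP": TagPolicy(lo=0.0, hi=120.0, max_step=10.0, max_source_age_s=60.0),
    "TIC205.SP": TagPolicy(lo=150.0, hi=320.0, max_step=5.0, max_source_age_s=60.0),
}


def validate_write(req: WriteRequest, policy: Dict[str, TagPolicy] = POLICY) -> Decision:
    """Return a Decision. The gate rejects rather than clamps, so a bad value
    surfaces as an alarm instead of silently becoming a plausible one."""
    p = policy.get(req.tag)
    if p is None:
        return Decision(False, "tag not on write allowlist")
    # Reject NaN/inf and non-numeric payloads before any comparison: NaN compares
    # False against every limit and would otherwise pass the range check.
    if (isinstance(req.value, bool) or not isinstance(req.value, (int, float))
            or not math.isfinite(req.value)):
        return Decision(False, "value is not a finite number")
    if req.source_quality != "GOOD":
        return Decision(False, f"source quality is {req.source_quality}")
    if req.source_age_s > p.max_source_age_s:
        return Decision(False, "source data stale")
    if not (p.lo <= req.value <= p.hi):
        return Decision(False, "outside engineering limits")
    if req.current_value is None:
        return Decision(False, "no read-back value for rate-of-change check")
    if abs(req.value - req.current_value) > p.max_step:
        return Decision(False, "step exceeds max_step")
    return Decision(True, "ok")


def run_gate(requests: List[WriteRequest]) -> List[str]:
    """Evaluate a batch and return audit lines; only ACCEPT entries would be
    handed to the ICS write client (not implemented here)."""
    lines = []
    for r in requests:
        d = validate_write(r)
        verdict = "ACCEPT" if d.accepted else "REJECT"
        lines.append(f"{verdict} {r.tag}={r.value!r} ({d.reason})")
    return lines


# Constructed sample batch: one good write and several the gate must stop.
SAMPLE_REQUESTS = [
    WriteRequest("FIC101.SP", 55.0, 5.0, "GOOD", current_value=50.0),          # accept
    WriteRequest("LIC999.SP", 40.0, 5.0, "GOOD", current_value=40.0),          # not allowlisted
    WriteRequest("FIC101.SP", float("nan"), 5.0, "GOOD", current_value=50.0),  # NaN payload
    WriteRequest("TIC205.SP", 300.0, 900.0, "GOOD", current_value=298.0),      # stale source
    WriteRequest("TIC205.SP", 340.0, 5.0, "GOOD", current_value=318.0),        # out of range
    WriteRequest("FIC101.SP", 75.0, 5.0, "GOOD", current_value=50.0),          # step too large
    WriteRequest("FIC101.SP", 52.0, 5.0, "BAD", current_value=50.0),           # bad quality
]

if __name__ == "__main__":
    for line in run_gate(SAMPLE_REQUESTS):
        print(line)
```

Two design choices are worth noting. The gate rejects instead of clamping, because a clamped value hides a faulty model or a tampered input behind a number the operator would accept. And the allowlist and limits are data, not code, so they can be populated through the recipient's change-management and credential-creation processes described above rather than by the provider editing the solution in place; the audit lines are what the recipient would forward to its own monitoring.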
In summary, the approach provides a template that the supplier or solution provider can use to proactively work with the recipient to formulate appropriate controls in relation to identified risks. Providers are shown to be a key contributor to an organization's cyber strategy and should be involved collaboratively to ensure superior cyber-compliant digital twin designs rather than solely being perceived and controlled as a risk.
By applying this risk-based cyber-assessment to Digital Twin solutions, the systems will be designed and protected with security in mind and clients can fully and safely benefit from these new cutting-edge technologies now entering the process industries market.