
Computer Hazard and Security Evaluation (CHASE™) has been developed in conjunction with Andy Geddes – we’ve combined 80 years of Process and Control experience in a variety of critical industries to propose a pragmatic, effective & efficient approach to the dynamic challenge of Cyber-Security.
We presented the above video to the Emerson User Exchange 2021. The CHASE™ concept is described in the following sections…

At the heart of CHASE is a fundamental principle of first understanding logical and physical assets before attempting to identify and address vulnerabilities.

Understanding your assets is facilitated via familiar graphical platforms to visualise relationships between Information Technology (IT), Operational Technology (OT) and Physical Technology (PT) and the digital threats that can escalate into process consequences if not prevented, slowed or mitigated via technical and organisational measures.
We developed this because Cyber-Security is wrongly perceived as the responsibility of the IT department in the same way as Functional Safety is attributed to the Control & Instrumentation engineering discipline. In practice, cyber security is the ultimate responsibility of the company Executive Team and covers people, procedures, physical & IT security, asset management and risk assessment.

The threats and consequences associated with cyber security are very broad and visualisation assists with understanding and addressing the vulnerabilities. We’ve integrated our control & process experience to develop a solution that considers not only the obvious Adversarial but also Accidental, Structural & Environmental challenges.
Scoping and Screening

High-level or preliminary risk assessment (per HSE OG-0086) starts with a topological representation of the physical assets, which are categorised according to their potential for Major Accident (MA), Loss of Essential Service (LES), Environmental Impact or Commercial & Reputational damage.

The severity of tangible consequences is determined by the hazards and the likelihood is derived from the vulnerability of the IACS. As cyber attacks are becoming more complex and less predictable, vulnerability is considered to be a pragmatic method for determining the potential for attack.


The above left diagram shows IACS component vulnerability using the criteria in the NCSC Cyber Assessment Framework (CAF). The above right diagram shows the risk (considering both hazard severity and attack likelihood) for the logical assets.

Analysis of Logical Assets
Using the checklist from HSE OG-0086 Appendix 5, the most anticipated attacks and expected countermeasures are visualised on a Logical Asset (IACS) bowtie.

A basic security hygiene check can be conducted to confirm if Threats are credible and if countermeasures are present.

Thereafter Threat likelihood can be evaluated using Characteristics from NIST SP 800-30 and Barrier effectiveness based on the NCSC CAF.

Impact on Physical Assets

Detailed risk assessments use the bowtie technique to visualise specific Threats to the IACS (including Adversarial attacks via inter-zone conduits and Accidental, Structural or Environmental challenges) which could escalate (if not slowed/stopped by countermeasures or barriers) to result in serious Consequences typically associated with Loss of Containment (Major Accident) or Denial of Service (Loss of Essential Service).

The connection between logical and physical bowties utilises bow-tie chaining. More detailed analysis can be conducted using Audit functionality and Systems & Parts.
Conclusions

- Proportionate and practical visual risk assessment technique for evaluating and addressing cyber security risks using bowties
- Builds on existing process hazard and risk assessments
- Beware utilities may not have a HAZOP or PHA
- Don’t have to be a cyber expert in the early stages
- Usable by C&I engineers
- Understandable and explainable to non-technical management and operations personnel
- Scenario visualisation provides common understanding to assist with decision making and resource deployment
- Can be done in stages
- Helps focus effort where it is most needed
- Scalable – High Level & Detailed
- Not just Major Accident or Essential Services sites
- Enables integration of Cyber and Process knowledge silos
- Information [IT], Operational [OT] and Physical Technology [PT]

For more information on CHASE™, please contact us.