The Bridge - Issue 2, 2023 - 10

Feature
A Barrier-based Approach to Cyber Security in Critical Infrastructures
Another example is patch management. Patching in itself
is comparable to maintenance; something that affects the
performance of what is being patched (or maintained).
If this is, e.g., a server, then it is the server that may be a
barrier, depending on the function of the server.
Following the reasoning of PSA, the main motivation for
limiting what is included as barriers is to focus on the cyber
security countermeasures that can detect and mitigate
an ongoing cyber intrusion; the cyber security analogy is
to a system being outside normal operating conditions.
Establishing requirements for the barriers (and verification/
follow-up during operation) is mandatory according to the
Norwegian petroleum regulations; however, this does not
mean that you cannot or should not define requirements
for performance influencing factors or control measures; it
is just not mandatory.
IV. METHOD
The approach used is multi-faceted, including an overall
action research approach with close and iterative interaction
with the main stakeholders, engaging experts in specific
domains (e.g., international standards and cybersecurity
project execution), and engaging the relevant cybersecurity
community in professional forums (including authorities,
petroleum companies, system integrators, product
suppliers, consultants, research institutes, and academia).
Detailed methods include traditional approaches such
as document reviews, literature review, workshops,
and interviews.
V. RESULTS
A. Current status in the industry
The practices for cybersecurity barrier management were
briefly described in Sections II-D and E. That description is
mainly based on close dialogue with two companies (A and B).
For both companies, cybersecurity barrier management has been
included as an "add-on" to safety barrier management;
thus, it depends on how safety barrier management is
practiced, which differs between the two companies (and
most other companies). One difference is that company
A attempts to use a barrier panel to automatically visualize
the status of technical cybersecurity barrier elements on a
daily basis, whereas company B provides a status based on
more manual considerations every three months.
Company A follows a typical safety barrier management
approach as described in Section II-C. They map the
cybersecurity barrier elements against requirements in
the NOROG 104 guideline [10] (and some requirements
from IEC 62443 [11]). These requirements are included
in a cybersecurity performance standard (PS). All the
requirements are regularly followed up during operation,
whereas the status of some safety critical equipment, such
as servers, firewalls, gateways, and domain controllers, is
provided daily in the barrier panel based on, e.g., failures
reported in the maintenance management system.
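The daily roll-up behind a barrier panel of this kind, as an added illustration rather than company A's own code or any logic from NOROG 104: element status is derived from open failure notifications exported from a maintenance management system, then rolled up to barrier functions. The element-to-function mapping, the priority scheme, the tags and the notifications are all constructed assumptions, as is the rule that redundant elements leave a function IMPAIRED rather than FAILED until every element has failed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Assumed mapping of technical barrier elements (maintenance-system tags)
# to barrier functions; a real panel would take this from the cyber PS.
BARRIER_FUNCTIONS: Dict[str, List[str]] = {
    "Network segmentation": ["FW-01", "FW-02", "GW-01"],
    "Identity and access control": ["DC-01", "DC-02"],
    "Security monitoring": ["SRV-LOG-01"],
}

@dataclass
class FailureNotification:
    element: str            # tag of the affected barrier element
    priority: str           # "high" | "medium" | "low" (assumed scheme)
    closed: Optional[date]  # None while the work order is still open

def element_status(tag: str, notifications: List[FailureNotification], today: date) -> str:
    """OK, IMPAIRED or FAILED for one element, from its open notifications."""
    open_ = [n for n in notifications
             if n.element == tag and (n.closed is None or n.closed > today)]
    if any(n.priority == "high" for n in open_):
        return "FAILED"
    return "IMPAIRED" if open_ else "OK"

def barrier_function_status(statuses: List[str]) -> str:
    """Roll element statuses up to the function: with redundant elements the
    function stays IMPAIRED until every element has failed (assumption)."""
    if all(s == "FAILED" for s in statuses):
        return "FAILED"
    return "IMPAIRED" if any(s != "OK" for s in statuses) else "OK"

def barrier_panel(notifications, today) -> Dict[str, Tuple[str, Dict[str, str]]]:
    """Daily panel: function status plus the per-element statuses behind it."""
    panel = {}
    for function, tags in BARRIER_FUNCTIONS.items():
        statuses = {t: element_status(t, notifications, today) for t in tags}
        panel[function] = (barrier_function_status(list(statuses.values())), statuses)
    return panel

# Constructed sample data standing in for a maintenance-system export.
TODAY = date(2023, 5, 10)
SAMPLE_NOTIFICATIONS = [
    FailureNotification("FW-01", "high", None),                   # open, high priority
    FailureNotification("DC-02", "low", None),                    # open, low priority
    FailureNotification("SRV-LOG-01", "high", date(2023, 5, 2)),  # closed before today
    FailureNotification("GW-01", "medium", date(2023, 5, 8)),     # closed before today
]

if __name__ == "__main__":
    for function, (status, elements) in barrier_panel(SAMPLE_NOTIFICATIONS, TODAY).items():
        print(f"{function:28s} {status:8s} {elements}")
```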
Company B has developed a performance standard for
cybersecurity that is somewhat similar to company A's,
where the status is presented every three months together
with all the (20 or so) safety performance standards (which
is the same as what company A is doing using the barrier
panel). The requirements in the cybersecurity performance
standard are based on NIST CSF [15] and IEC 62443.
Company B applies a more comprehensive approach for
assessing the status of the important systems, including
manual assessments.
Whereas company A follows a typical barrier management
approach, starting with an installation-specific (security)
risk analysis and ending with an area specific cybersecurity
barrier strategy and a PS on cybersecurity, company
B follows a different track, also ending with a PS on
cybersecurity but without an installation- and area-specific
cybersecurity barrier strategy document.
However, the approaches for identifying performance
requirements are, de facto, rather similar. Both companies
map requirements from a cybersecurity framework to
"barrier" functions. It is the cybersecurity PS that is actively
used in operation. The prior steps are meant to develop
the PS.
B. Most relevant standards
Standards and guidelines for functional safety and
cybersecurity, and the bridging of these domains, are
illustrated in Figure 4 (inspired by Kanamaru [20]). The
most relevant standards are those dealing with operational
technology (OT) - here labeled IACS security - or the
integration between IT and OT, such as the NIST Cyber
Security Framework (NIST CSF) [15].
The most relevant standards in our context are IEC
62443 [11], IEC 63069 [21] and IEC 61511 [22], as
well as IEC 61508 [23]. However, there are currently no
standards addressing barrier management, either for safety
or cybersecurity, or combined or integrated. The most
relevant standards for integration are IEC 63069 [21], and
ISA-TR84.00.09 [13]. Whereas ISA-TR84.00.09 focuses
extensively on integrating cybersecurity into the functional
safety lifecycle with reference to IEC 61511, IEC 63069
explains and provides guidance on the common application
of IEC 61508 and IEC 62443 more broadly, including lifecycle
recommendations.
DNV-RP-G108 [24] is a guideline for use of IEC 62443
in the petroleum industry, especially in the Norwegian
petroleum industry. HSE OG-0086 [25] has certain parallels
with DNV-RP-G108 for the process industry in the UK. The