The Bridge - Issue 2, 2023 - 11

A Barrier-based Approach to Cyber Security in Critical Infrastructures
Feature
61508 Association [26] provides lifecycle maps for the
process industry based on either IEC 62443 or HSE
OG-0086.
Finally, NAMUR NA 163 [27], a German guideline, refers
to the IEC 61511 requirement to perform a security
risk assessment for SIS, a requirement that IEC 61511 states
without providing specific guidance. NAMUR NA 163 provides a
practical risk assessment method for SIS engineers
based on ISO/IEC 27005 [28] and IEC 62443-3-2 [29].
It also provides a checklist of security measures as an
additional document.
As stated in Section II-A, regulations and standards,
including IEC 62443, rarely use the term barrier. More
commonly used terms are "countermeasures" (currently
used in IEC 62443) and "security measures", as used in
the NIS Directive (and also to be adopted in the future
by IEC 62443). However, the main question is how the
countermeasures or security measures used in relevant
cybersecurity standards and guidelines relate to the barrier
term used within safety barrier management. This was
discussed in Section III.
VI. DISCUSSION
Based on the definition of a cybersecurity barrier as
discussed in Section III, only a subset of cybersecurity
activities will be included in the barrier management
process. Care must be taken to ensure that cybersecurity
activities inside and outside of the barrier management
process are harmonized. As an example, patching of a
system after a vulnerability has been disclosed may be
delayed due to operational concerns (e.g., excessive costs
associated with testing and shutdown of the process), a
decision that will be made outside the barrier management
process. To reduce some of the risk caused by this decision,
it may be desirable to configure intrusion detection and
anti-virus solutions to better detect and prevent attempts
at exploiting the vulnerability. As opposed to patch
management, this is an activity that will be performed as
part of the barrier management process.
Even if the breakdown of barrier functions to barrier
elements follows a traditional safety barrier management
process (cf. Figure 2), the barrier elements are mapped
against standards and guidelines, thus capturing
"everything," i.e., all countermeasures or security measures,
not only requirements for barriers, as defined in Section III.
However, whether a traditional safety barrier management
approach, with its restricted definition of barriers, is
appropriate for cybersecurity "barriers," still needs further
consideration.
VII. CONCLUSION
In this article, we outline an initial effort to adapt the
barrier management process in the safety domain to
the cybersecurity domain. In the safety domain, a barrier
is something that comes into effect to regain control or
mitigate the consequences when a system is outside its
normal mode of operation. To remain coherent with this
approach, following the reasoning of PSA, cybersecurity
barriers are a subset of cybersecurity countermeasures,
excluding those that can be regarded as part of good
practice security operations (e.g., audit logs) and those that
affect the performance of a barrier (e.g., patching).
The two companies mentioned in the article both
determine performance requirements for cybersecurity by
mapping requirements from standards and frameworks
(e.g., IEC 62443 and NIST CSF) to barrier functions.
However, some companies report that the main challenge is
not developing cybersecurity requirements, but rather
verifying compliance with the requirements and
assessing the status of the cybersecurity solutions.
The most relevant standards for bridging functional safety
and cybersecurity are IEC 62443 [11], IEC 63069 [21], and
IEC 61511 [22], as well as IEC 61508 [23]. However, there
are currently no standards addressing barrier management,
whether for safety, for cybersecurity, or for the two combined or integrated.
The most relevant standards for integration are IEC 63069
[21] and ISA-TR84.00.09 [13].
We will continue to explore how to integrate cybersecurity
barrier management into the existing safety barrier
management regime, including the definition of
cybersecurity barriers.
ACKNOWLEDGMENT
The authors are grateful for the participation of the CDS
Forum members.
REFERENCES
[1] A. Eltervåg, et al., 'Principles for barrier management in the
petroleum industry', Jan. 2019. Accessed: Dec. 01, 2022. [Online].
Available: https://www.ptil.no/en/technical-competence/explore-technical-subjects/news/2017/barrier-memorandum/
[2] S. Øie, A. Wahlstrøm, H. Flataker, and S. Rørkjær, 'Barrier
Management in Operation for the Rig Industry - Good Practices',
DNV-GL, 2013-1622, Mar. 2014.
[3] K. Bernsmed, C. Frøystad, P. H. Meland, D. A. Nesheim, and Ø. J.
Rødseth, 'Visualizing Cyber Security Risks with Bow-Tie Diagrams',
in Graphical Models for Security, Cham, 2018, pp. 38-56. doi:
10.1007/978-3-319-74860-3_3.
[4] K. Øien, S. Hauge, M. G. Jaatun, L. Flå, and L. Bodsberg, 'A
Survey on Cybersecurity Barrier Management in Process Control
Environments', in Proceedings of 2022 IEEE International
Conference on Cloud Computing Technology and Science,
Bangkok.