The Bridge - Issue 2, 2023 - 7

A Barrier-based Approach to Cyber Security in Critical Infrastructures
Feature
shape of a bow-tie, with the incident being the knot; thus,
the name bow-tie diagram. See examples of the use of
bow-ties for cybersecurity in Bernsmed et al. [3].
Integrated safety and cybersecurity barrier management
is not something that has received a lot of attention [4],
and in the following, we will describe an initial contribution
toward rectifying this situation.
Figure 1. Bow-tie model with barriers
II. BACKGROUND
A. Cyber Security Regulations and Guidelines for
Critical Infrastructure
The NIS Directive [5] - the first EU-wide cybersecurity
law - and other EU cybersecurity documents, such as
the Cybersecurity Strategy [6] and the EU cybersecurity
package [7], do not refer to barriers explicitly but use terms
like security measures and safeguards. We have found that
it is primarily the oil and gas industry that explicitly uses
the term barriers, as evident in the regulations from the
Norwegian Petroleum Safety Authority (PSA), e.g., in the
Management Regulations (§5 Barriers) [8]. However, the
regulations have been criticized for not being specific about
cybersecurity barriers [9], although it is implicitly understood
that the regulations also apply to cybersecurity barriers. This
is further elaborated in the next section.
The PSA regulations refer to national industry-developed
guidelines for cybersecurity for industrial control systems
(ICS) [10] and have also been criticized for not referring to
international standards such as IEC 62443 [11], which at
least some of the major industry actors have started using
[12]. As discussed in the next section, the term barrier is
rarely used in these standards and guidelines.
IEC 62443 is currently the most comprehensive
international standard that covers cybersecurity of industrial
control and automation systems (IACS). Its development
engages a wide range of manufacturers, system integrators,
and end users, and the standard seems to take the
position as one of the preferred frameworks. The standard
comprises several parts, with the first one published in
2009. Currently, extensive effort is made to revise and
publish new parts covering requirements for organizations
(processes), systems, and IACS components. These
ongoing revisions and drafting of new parts (with resulting
inconsistencies between different parts) make IEC 62443
challenging to use for regulators. IEC 62443 does not
clearly separate requirements on control, monitoring, and
safety functions implemented into IACS. It is therefore
worth mentioning ISA-TR84.00.09 [13], which is directed
to a specific part of IACS, the safety-instrumented systems
(SIS). This technical report is often used in combination
with the IEC 62443 documents.
B. Cybersecurity barrier management
Safety barriers and barrier management have been well-known
concepts for years, but barriers applied in the same
sense for cybersecurity have received less attention [4],
and the term barrier is thus rarely used in cybersecurity
standards and guidelines.
In the past few years, PSA has funded several studies
that consider various aspects of cybersecurity in the
petroleum sector [14]. Cybersecurity barrier management
is, however, not treated specifically in the reports; only the
visualization of countermeasures as barriers. In addition,
the current approaches do not clearly illustrate or model
the possible relationship between the status of security
barriers and safety barriers. A degraded security barrier may
result in a degraded safety barrier that can go unnoticed,
and such information may be critical in the event of an
emerging cyberattack. Although not explicitly stated in
current regulations, it is implicitly understood and generally
accepted that barriers should also be established for ICT
incidents, especially based on the clarifications in the
Barrier Memorandum [1].
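
The point above, that a degraded security barrier can silently degrade a safety barrier, can be made concrete with a small dependency model. This is an added illustration, not the authors' method: the barrier names, the dependency links, and the rule that a barrier is only as healthy as the worst barrier it relies on are all assumptions made for the example.

```python
from enum import IntEnum

class Status(IntEnum):
    OK = 0
    DEGRADED = 1
    FAILED = 2

# Constructed sample data: name -> (kind, reported status, barriers it relies on)
BARRIERS = {
    "network_segmentation":  ("security", Status.OK, []),
    "sis_access_control":    ("security", Status.DEGRADED, ["network_segmentation"]),
    "sis_logic_integrity":   ("security", Status.OK, ["sis_access_control"]),
    "emergency_shutdown":    ("safety", Status.OK, ["sis_logic_integrity"]),
    "gas_detection":         ("safety", Status.OK, ["network_segmentation"]),
    "pressure_relief_valve": ("safety", Status.OK, []),  # mechanical, no ICT dependency
}

def effective_status(name, barriers, _path=()):
    """Worst status among the barrier itself and everything it relies on."""
    if name in _path:
        raise ValueError(f"dependency cycle at {name}")
    _, worst, deps = barriers[name]
    for dep in deps:
        worst = max(worst, effective_status(dep, barriers, _path + (name,)))
    return worst

def root_causes(name, barriers, seen=None):
    """Security barriers upstream of `name` whose own reported status is not OK."""
    seen = set() if seen is None else seen
    causes = set()
    for dep in barriers[name][2]:
        if dep in seen:
            continue
        seen.add(dep)
        kind, reported, _ = barriers[dep]
        if kind == "security" and reported > Status.OK:
            causes.add(dep)
        causes |= root_causes(dep, barriers, seen)
    return causes

def hidden_degradations(barriers):
    """Safety barriers that report OK but are effectively worse, with the causes."""
    findings = {}
    for name, (kind, reported, _) in barriers.items():
        if kind != "safety":
            continue
        eff = effective_status(name, barriers)
        if eff > reported:
            findings[name] = (eff, sorted(root_causes(name, barriers)))
    return findings
```

In this constructed data, only the emergency shutdown function is flagged: it reports OK itself, but it relies on an access-control barrier that is degraded two links upstream.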
C. Safety barrier management
A typical safety barrier management process [14] is
illustrated in Figure 2. The main input to the barrier
management process is an overview of the risk picture
along with a plan for the barrier management. The
risk picture can be established through, e.g., Hazard
Identification (HAZID), Quantitative Risk Analysis (QRA),
Emergency Preparedness Analysis (EPA), and the
Emergency Preparedness Plan (EPP). The result is used as
input when dividing the installation into different areas (step
1) and to identify accidental events with major accident
potential. These events are documented as Defined
Situations of Hazard and Accident (DSHAs) or as Major
Accident Hazards (MAH) (step 2a). The division into areas
should ensure that the systems inside an area experience
the same level of risk, somewhat similar to how a facility
should be partitioned into zones according to IEC 62443.
Step 2b identifies the barrier functions needed to mitigate
the events with major accident potential identified in