Our society depends on its critical infrastructures for oil, gas, water and energy transmission and indeed on the systems controlling their safe and efficient operation.
In recent years it has become apparent that these modern control systems are as susceptible to cyber attacks (e.g. Flame, Stuxnet and Duqu) as IT networks. Unfortunately, in addition to potential loss of information and productivity, attacks on these control systems may result in reduced availability of the controlled infrastructure and in safety-relevant events with potential effects on large communities.
As a consequence, legislative activities have started in various countries to impose standards-based requirements for the systematic implementation of cyber security measures in critical infrastructures.
Since unauthorized physical access to control equipment and its auxiliary systems (e.g. HVAC, UPS) may easily result in cyber and physical attacks, it is clear that there can be no cyber security without physical security.
Hence we will give an overview of a systematic, risk-based methodology for greenfield and brownfield application, which ensures that cyber and physical security are considered in an integrated approach to support process safety with a reliable control system.
While process equipment only has to be maintained as long as there are no changes to the process, security solutions have to be adapted periodically due to new threats and technical evolution. Hence it is necessary to set up a security management program together with the initial cyber security project. This program shall establish policies and procedures for operation and maintenance of the security solution, as well as training to raise security awareness. As this program has to involve several departments, such as plant security, cyber security and process, it has to be driven by upper management.
In conclusion, it is high time to put cyber security on the agenda and to deal with it systematically.