A major European oil and gas company that acquires, explores, produces and supplies chemical and petroleum products had a cybersecurity challenge. Company leadership wanted a better way to quantify and respond to the industry’s increasing levels of cybersecurity risk.
Cybersecurity challenges
Pioneers were looking for a new way to understand better and improve their company’s OT cybersecurity. As part of this effort, pioneers wanted to compare the company’s current levels of protection against a series of hypothetical attacks to identify gaps.
With operations in several locations and a supply chain network of over 1,000 gas stations, auditing and improving the company’s cybersecurity would be no small task.
csHAZOP services
To help overcome these challenges, the company called in Honeywell and, specifically, its Honeywell Cybersecurity HAZOP (csHAZOP) services team to perform a detailed design evaluation based on OT cybersecurity risk.
The Honeywell csHAZOP solution is designed to deliver a comprehensive set of analysis and recommendations – it goes beyond the standard cybersecurity vulnerability assessment or IEC 62443 compliance audit by adding deeper analysis that is designed to:
- Investigate a significant amount of what can go wrong, including approximately 500+ attack scenarios – evaluating these for multiple threat actors and different consequences.
- Address – via risk assessments – both the likely risk reduction through the regular IT type of countermeasures (AV, firewall, hardening, etc.) and the consequence severity reduction through the implementation of safeguards (e.g., hardwiring critical control signals).
- Estimate residual risk for each hazard, allowing identification and quantification, making mitigation actionable.
- Focus on process automation cybersecurity risk (csHAZOP stage 1) or production process cybersecurity risk (by adding csHAZOP stage 2 vs. cybersecurity production risk) to add a higher level of cybersecurity analysis from an OT perspective unique in the industry.
Determining cybersecurity hazards
The Honeywell cybersecurity professionals also identified some high-risk design deficiencies
For this project, the Honeywell OT cybersecurity professionals used the Honeywell proprietary csHAZOP method to identify several concrete recommendations for immediate remediation and technical design in the company’s ICS to be considered in upcoming migrations. The Honeywell cybersecurity professionals also identified some high-risk design deficiencies.
The Honeywell csHAZOP framework was also used to identify levels of residual risk to determine which cybersecurity hazards were more critical to address versus others.
Cybersecurity assessments
Honeywell provided targeted guidance on several aspects of the study, using experience from real-world cyber attacks in the industry. Honeywell’s csHAZOP service is one of the few cybersecurity assessments available on the market that is designed to apply counterfactual risk analysis.
Given a system’s protective measures, this method helps a company evaluate which cyber attacks (based on countermeasures, security protections, and type of threat actor) may succeed. This evaluation directly links OT cybersecurity to loss prevention and process safety. Honeywell’s csHAZOP report for this oil and gas refinery was considered successful by the customer because of its well-defined procedure, the tools Honeywell has specifically designed for OT systems, and the team’s experience and efforts in OT cybersecurity.
Customer's quote
“The results of the cshazop assessment from Honeywell went beyond our expectations. We have received a detailed and analytical cybersecurity hazard and operability report concerning both identified risks and realistic recommendations for remediation," said a major refinery in Europe.
"Additionally, the report is a valuable tool for future upgrades of our systems as well as new projects and the development of an incident response plan. We intend to repeat this assessment periodically, as it is a valuable tool in our continuous efforts to improve security for our systems from the ever-evolving cybersecurity threats.”