Table of Contents

List of Figures
List of Tables
Acronyms and Abbreviations
Glossary
Acknowledgments
Preface

Part 1: Introduction, Background, and History of Cybersecurity

1 Purpose of this Book
  1.1 Target Audience
  1.2 What is Cybersecurity?
  1.3 What is Operational Technology (OT)?
  1.4 Which industries have OT?
  1.5 Scope
  1.6 Organization of the Book
2 Types of Cyber-Attacks, Who Engages in Them and Why
  2.1 Types of Cyber-Attacks
  2.2 Who Commits Cybercrimes and Their Motives
  2.3 Summary
3 Types of Risk Receptors / Targets
  3.1 What is Cybersecurity Risk
  3.2 What are Common Cybersecurity Targets?
  3.3 Types of Cybersecurity Consequences
  3.4 Summary
4 Threat Sources and Types of Attacks
  4.1 Non-Targeted Attacks
  4.2 Targeted Attacks
  4.3 Advanced Persistent Threats (APT)
  4.4 Summary
5 Who Could Create a Cyber Risk? Insider vs Outsider Threats
  5.1 Insider Cybersecurity Risk
  5.2 Outsider Cybersecurity Risk
  5.3 Summary
6 Case Histories
  6.1 Maroochy Shire
  6.2 Stuxnet
  6.3 German Steel Mill
  6.4 Ukrainian Power Grid
  6.5 NotPetya
  6.6 Triton
  6.7 Düsseldorf Hospital Ransomware
  6.8 SolarWinds
  6.9 Florida Water System
  6.10 Colonial Pipeline Ransomware
  6.11 Summary

Part 2: Integrating Cybersecurity Management into the Process Safety Framework

7 General Model for Understanding Cybersecurity Risk
  7.1 Cybersecurity Lifecycle
  7.2 Integrated Cybersecurity and Safety Lifecycle
  7.3 NIST Cybersecurity Framework
  7.4 Summary
8 Designing a Secure Industrial Automation and Control System
  8.1 The Disconnect between IT and OT Risk Management
  8.2 Inherently Safer vs Inherently More Secure
  8.3 Defense-in-Depth
  8.4 Network Segmentation
  8.5 System Hardening
  8.6 Security Monitoring
  8.7 Risk Compatibility Assessment
  8.8 Summary
9 Hazard Identification and Risk Analysis (HIRA)
  9.1 Use of Process Safety Tools to Identify and Manage Cybersecurity Risk
  9.2 Qualitative Methods
  9.3 Quantitative Methods
  9.4 How to Prioritize Risk Reduction Measures?
  9.5 Revalidation/Reassessment
  9.6 Summary
10 Manage the Risk
  10.1 Management Approach
  10.2 Initial Steps
  10.3 Cybersecurity Culture
  10.4 Compliance with Standards
  10.5 Cybersecurity Competency
  10.6 Workforce Involvement
  10.7 Stakeholder Outreach
  10.8 Process Knowledge Management
  10.9 Operating Procedures
  10.10 Safe Work Practices
  10.11 Management of Change
  10.12 Asset Integrity and Reliability
  10.13 Contractor Management
  10.14 Training and Performance Assurance
  10.15 Operational Readiness
  10.16 Conduct of Operations
  10.17 Emergency Management
  10.18 Incident Investigation
  10.19 Measurements and Metrics
  10.20 Auditing
  10.21 Management Review and Continuous Improvement
  10.22 Summary
11 Implementing a Holistic Approach to Safety and Cybersecurity
  11.1 Cybersecurity Management Systems (CSMS)
  11.2 Integrating CSMS with Process Safety Management
  11.3 Summary

Part 3: Where Do We Go from Here?

12 What's Next? A Look at Future Development Opportunities
  12.1 Cybersecurity Adoption Trends
  12.2 Emerging Technologies
  12.3 Summary
13 Available Resources
  13.1 Local, Regional, and Global Topics
  13.2 Cybersecurity Incident Repositories
  13.3 Competency Requirements and Training Availability
  13.4 Administration vs Accountability Functions
  13.5 Summary

Appendix A Excerpt from NIST Cybersecurity Framework
Appendix B Detailed Cybersecurity PHA and LOPA Example
  B.1 System Basis
  B.2 Initial Risk Assessment
  B.3 Detailed Risk Assessment (Cyber PHA/HAZOP)
  B.4 LOPA/ Semi-Quantitative SL Verification
Appendix C Example Cybersecurity Metrics
Appendix D Cybersecurity Sample Audit Question List
Appendix E Management System Review Examples
References
Index

The Center for Chemical Process Safety (CCPS) has been the world leader in developing and disseminating information on process safety management and technology since 1985. The CCPS, an industry technology alliance of the American Institute of Chemical Engineers (AIChE), has published over 100 books in its process safety guidelines and process safety concepts series, and over 30 training modules through its Safety and Chemical Engineering Education (SAChE) series. CCPS is supported by the contributions and voluntary participation of more than 200 companies globally.