Major accidents triggered by malicious manipulations of the control system in process facilities

Security threats on the industrial automated control systems (IACSs) are becoming a growing concern for all the industrial facilities, and in particular for those where large quantities of hazardous substances are stored or handled (e.g. Seveso sites in Europe). Remote (cyber) or physical malicious manipulations of the automated control system of Seveso sites may have consequences comparable to those of conventional major accidents due to internal causes (e.g. loss of containment of hazardous materials, fires, explosions). While consolidated approaches exist to manage and control the cybersecurity of IT and OT systems of a facility, there is an evident lack of procedures to assess the actual link between malicious manipulations of the safety and control systems and the major accidents that can be triggered. In the present study, a specific methodology (PHAROS) was developed to address the identification of major accident scenarios achievable by malicious manipulation of physical components of the plant through the control and safety instrumented systems. The methodology, which exploits a reverse-HazOp concept, also analyses the role of the existing safety barriers in contrasting the chain of events triggered by the malicious manipulation, and may support the definition of design specifications and/or possible IT protection requirements for such barriers. The methodology was applied to a demonstrative case study to understand the features of the results obtained and their potential towards the improvement of the security of the process facility.