About this program
Safety Instrumented Systems (SIS) and vendor remote access are the two paths most likely to take a plant offline. This is a targeted audit of both.
Risks addressed
- Critical: SIS reachable from the process-control network
- Critical: Vendor remote session has standing, always-on access
- Critical: No alerting when safety logic is modified
Controls (7)
- Critical: SIS air-gapped or strongly segmented
  Testing procedure: SIS sits in its own zone; the only flow out is a data diode / one-way link for monitoring.
  Evidence to collect: Network diagram + ACL export.
- Critical: SIS write-protect (key-switch / engineering mode)
  Testing procedure: Engineering keys are held by named individuals; the default state is run / write-protected.
  Evidence to collect: Photo + custody log.
- Critical: Alerting on safety-logic changes
  Testing procedure: Any logic change generates a high-priority alert + ticket.
  Evidence to collect: Alert config + last alert.
- Critical: Vendor remote access is time-bound + ticketed
  Testing procedure: Per-session approval; the access window expires automatically.
  Evidence to collect: Ticket + session log sample.
- High: Vendor session recording
  Testing procedure: Privileged session recording captures every vendor connection.
  Evidence to collect: PSM (privileged session management) tool config + sample recording.
- Medium: Annual safety + cyber joint review
  Testing procedure: Process-safety and cyber owners jointly review every 12 months.
  Evidence to collect: Review minutes.
- High: Tabletop exercise covering an OT incident
  Testing procedure: IR tabletop scenario includes OT impact + safety implications.
  Evidence to collect: Tabletop AAR (after-action report).
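The "Vendor remote access is time-bound + ticketed" control asks the auditor to compare a session log sample against the approving tickets. The following is an added example of that comparison, not part of this audit program; the ticket table, the gateway log format and the vendor account name are constructed sample evidence. It flags sessions with no ticket, sessions that start before or outlive their approved window (no automatic expiry), and sessions still open at audit time (standing access).

```python
from datetime import datetime

# Constructed sample evidence (hypothetical): ticket id -> (vendor account,
# approved window start, approved window end).
TICKETS = {
    "CHG-1001": ("acme-svc", "2024-05-06T08:00", "2024-05-06T12:00"),
    "CHG-1002": ("acme-svc", "2024-05-07T13:00", "2024-05-07T15:00"),
}

# Constructed remote-access gateway log (hypothetical format):
# timestamp, vendor account, ticket id ("-" if none), event.
SESSION_LOG = """\
2024-05-06T08:05 acme-svc CHG-1001 start
2024-05-06T11:40 acme-svc CHG-1001 end
2024-05-07T12:30 acme-svc CHG-1002 start
2024-05-07T16:10 acme-svc CHG-1002 end
2024-05-08T09:00 acme-svc - start
"""

def _ts(s):
    return datetime.fromisoformat(s)

def audit_sessions(log, tickets, now):
    """Return audit findings against 'per-session approval, window expires automatically'."""
    findings = []
    open_sessions = {}  # (vendor, ticket) -> start time of a session with no 'end' yet
    for line in log.splitlines():
        when, vendor, ticket, event = line.split()
        if event == "start":
            open_sessions[(vendor, ticket)] = _ts(when)
            if ticket not in tickets:
                findings.append(f"{when} {vendor}: session with no approved ticket")
            else:
                t_vendor, t_start, _ = tickets[ticket]
                if t_vendor != vendor:
                    findings.append(f"{when} {vendor}: ticket {ticket} was approved for {t_vendor}")
                elif _ts(when) < _ts(t_start):
                    findings.append(f"{when} {vendor}: session started before {ticket} window")
        elif event == "end":
            open_sessions.pop((vendor, ticket), None)
            if ticket in tickets and _ts(when) > _ts(tickets[ticket][2]):
                findings.append(f"{when} {vendor}: session outlived {ticket} window (no auto-expiry)")
    # Anything still open when the audit runs is standing, always-on access.
    for (vendor, _), started in open_sessions.items():
        stamp = started.isoformat(timespec="minutes")
        findings.append(f"{stamp} {vendor}: session still open at {now} (standing access)")
    return findings

if __name__ == "__main__":
    for finding in audit_sessions(SESSION_LOG, TICKETS, "2024-05-09T00:00"):
        print(finding)
```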