Many people in the valve industry recognize the name John Spears because he has been a featured speaker at VMA’s Market Outlook for many years. Attendees and those who read what VMA reports in VALVE Magazine and online rely on Spears thoughts on the oil and gas industry and where it’s headed to keep them up to date on “the oil patch,” the term he uses for the industry.

Few know, however, just how deep his roots lie.

Two recent events over the last month brought together valve manufacturers and end users, and VMA members and staff were there to learn all that’s new in the industry.

In late November, the biennial Valve World Expo was held again in Dusseldorf, and, according to Stephane Meunier, director of international business development at Cowan Dynamics, the show proved the valve industry is still strong. “Despite a reduced number of exhibitors, the show was very well attended,” he said. Older companies showcased some of their newest technology alongside some new names to the global valve and actuator industry. “With many of the industry leaders pursuing various realignment activities, the pulse was indicative of an exciting 2019 ahead.”

Cybersecurity is a major concern for industrial control systems, but the continually evolving nature of the field and the sheer amount of existing threats and vulnerabilities make it a daunting task to figure out where to begin addressing cybersecurity concerns.

It could be argued that currently the biggest cybersecurity challenge for industrial networks is not the multitude of cyberthreats, but the inability to effectively identify and mitigate cybersecurity risk. Inaccurately identifying the risks can result in the use of a system that is both costly and still vulnerable to attack. This article will focus on a practical example for a high-level risk assessment that forms the basis for effective management of cybersecurity risk.

THE BASICS

The International Electrotechnical Commission (IEC) 62443 standard provides performance-based guidelines for improving the security of Industrial Automation and Control Systems (IACS) systems. IEC 62443 outlines a lifecycle approach to: analyze cybersecurity risk, design and implement countermeasures to mitigate this risk, and operate and maintain the IACS securely.

Analysis, the first phase of the lifecycle, is based on the completion of two risk assessments: high-level risk assessment and detailed risk assessment. The purpose of the first risk assessment is to quickly understand the severity of consequences per device in the event of a breach and to identify the highest areas of risk in the IACS that require a more thorough detailed risk assessment.

High-level risk assessments provide an entry point into the cybersecurity lifecycle and jumpstart the further deployment of cybersecurity activities.

Example: Styrene Chemical Facility

In our example we will look at a medium-sized bulk chemical plant that converts 1,3-butadiene through a two-stage reaction to provide high-purity styrene. Before diving into the high-level risk assessment, it is important to define a plant as the physical basis for the evaluation with the key inputs for the assessment:

• Hazards identified during the process hazard assessment: Styrene plants have several physical hazards including: flammable, toxic and reactive chemicals; the potential for runaway exothermic reactions; and potential rupture of reaction vessels and other process equipment. These hazards can have serious safety, business and environmental consequences, which must be considered when looking at the ultimate consequence of cybersecurity attacks.
• Corporate risk criteria: These define the boundaries between an unacceptable risk for an organization and what is tolerable risk. These risk criteria are typically documented in the form of a risk matrix or risk graph and are the guidelines used to evaluate risk during the assessment.
• Device inventory list: Often the device inventory for the IACS will be documented in a network diagram showing the connections between devices on the control network. A simplified diagram showing the equipment for the styrene plant is shown in Figure 2.

WORST-CASE CONSEQUENCE

The first step for the high-level risk assessment is to determine the worst-case consequence per device if compromised. As shown in Figure 3, the worst-case consequence for each device considers the impact on safety, business or environment from the loss of that device’s expected function or the use of that device for an unintended and potentially hazardous purpose.

Focusing on the enterprise workstation, we can see how the direct result of a device being compromised is correlated to the corresponding worst-case consequence. If the basic process control station (BPCS) engineering workstation is compromised, it would allow attackers to download altered controller code modifying the correct function of the BPCS. In the styrene plant, this could result in overflowing the reactor vessels with reactants leading to a runaway exotherm with serious safety and business consequences.

SECURITY LEVEL TARGETS

Security Levels (SL) are roughly correlated to Safety Integrity Levels (SIL) from functional safety, in that each increasing security level (SL-1 is the lowest, SL-4 is the highest) corresponds to the order-of-magnitude increases in provided risk reduction, but there are fundamental differences between SL and SIL (i.e., the capability and testing requirements.)

When targeting security levels in the high-level risk assessment, the likelihood of a successful attack is assumed to be one, and the overall risk is determined based on consequence severity, to develop a useful but quick estimate of the required security level.

The correlation between consequence severity and required security level is determined per the corporate risk criteria. Figure 4 shows the description of the business and safety consequences corresponding to each security level based on the example risk criteria, as well as what the target security level is for each device based on the consequence.

Considering the BPCS engineering workstation, a security level 3 is targeted based on the risk criteria because the runaway exotherm in the reaction vessel could result in significant business consequence and potentially a single fatality in the event of a vessel rupture.

NETWORK SEGMENTATION

Network segmentation is an essential strategy for improving the security of industrial networks. It provides boundary devices (firewalls or managed switches) that block unnecessary communication between zones, making it more difficult for attackers to access critical devices.

By grouping devices with similar security targets to the same zones, it is possible to secure them to the level required without unnecessary security features for devices that don’t need them, while allowing devices to have the necessary connections to operate the IACS. Based on the severity levels from our example the network was segmented into four zones: enterprise, demilitarized, BPCS and SIS (see Figure 5).

INCIDENT RESPONSE PLAN

The last step in the high-level risk assessment is to develop an initial incident response plan. This response plan outlines the steps to be followed in the event of a breach and provides guidance on the ways to restore operations as quickly as possible, communicate the information with the necessary stakeholders, preserve data for investigating the incident, report incident as necessary, and proactively manage future IACS incidents by modifying policies, practices and procedures to mitigate the risk of other similar attacks.

CONCLUSION

Through the high-level risk assessment, the key information needed to jumpstart future security lifecycle tasks is gathered supporting the subsequent completion of analysis (detailed risk assessment), design (security level verification) and the operations (incident response) phases.

In addition to preparing for the completion of future lifecycle tasks, the high-level risk assessment provides tangible and immediate benefits. It aligns cybersecurity risk management with corporate risk criteria, identifies the highest areas of risk and develops a segmentation strategy to secure those zones. It also documents the expected response to cybersecurity events per zone. The high-level risk assessment provides both immediate and lasting benefits that support effective management of cybersecurity risk by reducing the likelihood of a successful attack and helping to recover more quickly from cybersecurity incidents.

This email address is being protected from spambots. You need JavaScript enabled to view it. is safety and cybersecurity engineer at Exida. 

At VMA’s Annual Meeting this year, Sept. 25-27, members heard from two economists who revealed their predictions for the 2019 economy and offered suggestions to help members and end users navigate the economic waters over the next year.

Speaking on the domestic economy, Connor Lokar of ITR Economics said that, while the economy is doing “incredibly well,” we’re at the top of the business cycle, which means there is likely going to be a downturn. According to Lokar, that doesn’t mean a recession, it merely means a slowdown in growth from 2.5% in 2018 to 0.5% in 2019. However, ITR predicts the slowing will last only one year and that 2020 will return to higher growth, at 2.7%.

The Long View

Lokar noted that, while the administration’s tax cuts last year were a shot in the domestic economy’s arm, they do not present a long-term benefit to the economy. “It’s more like a temporary boost,” he said. “You’d think we would have taken the economic growth and used it to reduce debt. But that didn’t happen. This is really going to hurt us is in the 2030s.”

To avoid serious problems then, the U.S. would have to reduce federal spending by 2% a year right now just to hold the line on debt, but “we keep kicking the can down the road,” he warned. He offered many suggestions about how the upcoming generations can prepare for serious economic downturns that ITR expects in the 2030s, brought about, in part, by the out-of-control public debt.

What to Tell the Kids

1. Live below their means.

2. Learn a second language and become fluent in important languages like Spanish or Mandarin. This increases your value as an employee.

3. Each household should have multiple or diverse income streams so that all income isn’t coming from the same sector.

4. Choose careers oriented toward the “opportunities”

5. Pay off as much debt as possible by 2030. Get fixed rate loans. Amass cash.

6. Be ready to buy at the price cycle low in the depression. Think about paying for things that make money, such as multi-unit properties.

7. Most important, be self-reliant instead of advocating that everything be taken care of by the government.

While ITR’s projections for 2019 have improved, there are still risk factors for the next year.

Inflation is a concern and tariffs are just making this worse. This is directly inflationary to the consumer. If they buy more expensive goods, then they have less money to spend on other things. As of the date of the presentation, there were $60 billion worth of goods subject to tariffs aimed at China. “That means the manufacturers need to pass on those extra costs to the consumer. Inflation will happen as a result, and that leads to a huge amount of uncertainty,” warned Lokar. “Businesses are taking their foot off the gas because they don’t know what will happen. We see this as being mostly negative. There is hope for trade agreements, but that is not a guarantee.”

Another concern is in the labor market. There are not enough skilled, motivated employees to ascend into the space left by the retiring baby boomers. Migration is also a concern for states like California where high taxes and housing costs are causing people to move away.

“Retention is paramount; you just have to hold on to them,” said Lokar. “Right now, there are 425,000 open manufacturing jobs open in the U.S., the most ever.”

Actionable Takeaways

Connor recommended that companies invest in themselves to augment productivity to combat increasing labor costs and scarcity. Prioritize profitable opportunities and have a plan in place to handle elevated input costs. Part of that is being willing to increase prices. In anticipation of the slowing in 2019, build cash reserves now and develop your internal rates-of-change so that you can recognize when you are nearing your peak.

The Global Outlook

Jeremy Leonard of Oxford Economics offered his take on the global economy in a presentation titled “Industrial upcycle boosts valve prospects but growth peak has passed.”

Despite trade uncertainty and escalating tensions between the U.S. and China, there is still growth momentum around the world. The U.S. did benefit from the fiscal stimulus, although the second quarter of 2018 was likely the peak. The recently concluded USMCA (United States-Mexico-Canada Agreement and the truce between the EU and U.S. are also positive factors for the global economy, but rising protectionism and European concerns about tariffs and rising oil prices are expected to stymie growth, according to Leonard.

He also expressed concerns about higher interest rates because they, and rising commodity prices and capacity constraints, are putting upward pressure on inflation. Rising oil prices are also eroding household income, but because consumer spending is disproportionately for services, not goods, the headwinds are more likely to affect service industries.

While Leonard does not predict a global recession in the immediate future, if U.S.-China trade wars escalate to the point where the tariffs affect 3% of global trade, the worldwide economy would be impacted. The Asian companies that are most integrated into Chinese supply chains could be dramatically affected. “If we really get into this trade war, we would be skirting with a global recession,” said Leonard.

Trade slowdown is a worry for valve-using sectors, and capacity constraints, which we are seeing for the first time since the financial crisis, are starting to cause issues. Even though many companies are running full-out, CAPEX spending is not happening as it should because of the uncertainty that is deterring investment. “That’s why investment numbers are not going up,” he said. “There is a pull back in confidence, but the need to invest is still there. When we have some clarity, we will see investment increase.”

The Valve Market

Leonard said that most valve categories are set for growth in the coming years. “There were several years of relatively weak markets in the industry prior to the pickup in 2017. But that year exceeded expectations, and while 2018 will see less growth, it is still solid.”

The global valve market is estimated to have expanded 6.7% in 2017. All global regions posted increases, with Europe outpacing the U.S. and only slightly below the global average. Actuator markets saw more modest growth of 2.5% last year, partly because of the stronger performance relative to valves in 2016. Leonard foresees growth of 5.4% this year for valves, while the less cyclical actuators will see a more modest 3% expansion.

Regarding end-user industries, the water and wastewater, chemical and manufacturing sectors have seen the most growth, and Leonard expects this to continue into 2019.

There are risks, though. If the U.S.-China trade war intensifies, it could lead to rising prices for heavily traded goods, which would lead to reduced trade flow and slow industrial growth. Leading indictors of world trade have already weakened before implementation of many of the threatened tariffs, so this spells cooler growth even at the current levels of tariffs.

Oil prices are on the rise despite strong U.S. production. This is in part due to supply disruptions of product from Iran and Venezuela. Also, if central banks misjudge the path to policy normalization, there are risks of market turbulence if interest rates rise too fast.

Cybersecurity

Attendees of the annual meeting also heard from cybersecurity expert Maurice Uenuma. VALVE will be publishing a comprehensive report on his prescription for counteracting and preventing cyber crime in your plants, so be sure to check back in the next few weeks.

This email address is being protected from spambots. You need JavaScript enabled to view it. is senior editor and This email address is being protected from spambots. You need JavaScript enabled to view it. is editor in chief of VALVE Magazine.