A framework for Seveso-compliant cyber-physical security testing in sensitive industrial plants

The InfraStress-EU framework was defined in the context of the H2020 project InfraStress, to provide operators of sensitive industrial sites – i.e., industrial plants where dangerous substances are handled and are thus subject to the Seveso III Directive (2012/18/EU) – with a technically sound approach and an accompanying simulation tool for the prevention of accidents. The framework enables reliable and effective cybersecurity testing of industrial infrastructures, with the ultimate goal of improving the resilience of critical processes to cyber-physical attacks. It takes a cue from the TIBER-EU initiative, of which it extends the core penetration testing phases to “hybrid”–meaning consisting of a mix of real and simulated components–setups. By doing so, it relieves operators from their main concern, i.e., the risk of compromising the normal functioning of control systems when performing key security testing activities, such as gathering information on cyber-threats and/or trying out alternative response strategies. InfraStress-EU was implemented and evaluated in close cooperation with five operators, who contributed the requirements of real setups in their respective industrial sectors.