Productivity has the highest priority for companies. It is generally acknowledged that functional safety protects systems and thus helps maintain this productivity. Autonomous safety controllers also help to significantly reduce security risks and thus significantly reduce lifecycle costs. Properly setting up the safe controller is the last line of defence against cyber attacks.
As cyber attacks on plants via networks increase, it becomes essential for functional safety and safety-related automation solutions to support cybersecurity. The trend of linking office IT with automation IT in an open network architecture only increases the security risks to plant automation.
There is good news. SIL 3 controllers designed especially for functional safety include features that are also quite helpful for cybersecurity protection. The basic requirements that current and future security standards impose on the integration of safety controllers, and how autonomous safety systems—such as HIMax® from Paul Hildebrandt GmbH—can help reduce the security risk in plants, are presented below. The robustness and reliability of autonomous safety systems simultaneously increase the availability and productivity of plants.
Functional safety is the basis for any type of process plant, since without mastery of the functional safety risks, operation of the plant is not allowed. In addition to safety, productivity is a crucial factor for the enterprise. To ensure productivity a safety system must be integrated in the plant process control system. However, such integration increases the risk that safety products will be negatively influenced via interfaces and networks. An attack on the integrity of the safety controller also jeopardises the integrity of functional safety. Consequently, the same demanding requirements imposed on functional safety features must also be imposed on the security features of a safety controller.
Integrated solution cannot be easily mastered
At first glance, economic reasons can be a persuasive factor for implementing an integrated safety system from the same company that manufactured the process control system. After all, a uniform system concept and a common bus, as well as a single engineering tool for the standard automation and functionally safe automation, promise several advantages. The advantages of convenience, however, come with disadvantages in the areas of functional safety and security, as anything that a user or the controller can do, an attacker can also do. A larger attack surface is the consequence.
With an integrated control system and safety system from a single source, all automated processes and convenience advantages must be critically tested. The more open and integrated a safety controller is, the more effort is required for organisation and security. Security attack vectors in this area include automated processes, such as diagnostic displays, the automatic interaction between engineering tool and controller, and the interaction between the visualisation of the control system and the safety system.
Standards require separate levels of protection
To reduce systematic errors, standards IEC 61511-1 (Safety) and IEC 62443-3-3 (Security) require separate levels of protection and autonomy of the operating equipment and protective equipment. By design, an autonomous process control system and a safety system from different manufacturers require different engineering tools, databases, and operating procedures. Such systems from different manufacturers avoid common cause risks and reduce the security risk through diverse technology.
Diverse technology also ensures a clear separation of the areas of responsibility and supports the different handling of operating equipment and protective devices, in practice. With operating equipment the focus is on daily optimisation, updating, and change; in contrast, risk is reduced when protective equipment is operated rarely, and then only by qualified personnel. Each access to protective equipment constitutes a risk, and changes are only permitted via a management of change process.
The international standard IEC 62443-3-3, "Industrial communication networks – Network and system security," requires compartmentalisation of production networks. To accomplish this, individual zones are determined (enterprise network, control room, safety system, process control system, etc.) that are connected via defined transitions (conduits). In accordance with the respective data or protocols that must be exchanged, protection is installed at each conduit in the form of a firewall. For this concept it is strictly required that exchanged data be clearly defined. Appropriate protective measures can only be provided if this structure is known to the user.
The forthcoming revision of standard DIN IEC 61511-1, "Functional safety – Safety instrumented systems for the process industry sector," moves in this direction. It advocates testing, evaluating, and ensuring the independence, diversity, physical separation, and avoids common cause errors between levels of protection. Moreover, it includes the clear statement that a safety system should be physically separated where feasible. Current discussions in standardisation bodies such as NAMUR and DKE likewise address the topic that autonomous secure separation and an appropriately defined conduit are required for mastery of security risks. If there is doubt in this regard, automatic convenience functions must also be deactivated to reduce the complexity and thus the security risks.
By Stefan Ditting, Product Manager, HIMA Paul Hildebrandt GmbH
and Thomas Janzer, Product Manager, HIMA Paul Hildebrandt GmbH
Edited from technical paper by Joe Green
Read the article online at: https://www.hydrocarbonengineering.com/special-reports/05032015/safety-security-first-part-one-383/