Incorporating Resilience in Safety and Control Layers
Published on : Tuesday 02-02-2021
Are you putting all your eggs in the same basket, asks Deepak Naik, and suggests a holistic approach to address security and safety management systems.
The future of the process industry is digital. Digital transformation holds many opportunities for plant operators to enhance efficiency, increase flexibility and make their plants future-proof. At the same time, the growing level of automation and connectivity can be a door-opener for serious threats to plant security. In recent years, large-scale professional cyberattacks and chip hardware vulnerabilities affecting industrial plants around the globe have clearly shown the need for the process industry to take segregation and cybersecurity more seriously
Why we need Segregation on all layers including Control and Safety?
In late 2017 a safety controller deployed in a process facility in the Middle East was hacked. The Safety Instrumented System (SIS) was compromised and initiated a plant shutdown. While no damage or injuries occurred, the incident should serve as a wake-up call to heighten awareness of segregation and cybersecurity in the industry as it was the first publicly-known successful attack on a safety instrumented system – which is the last line of defence in any process plant. Furthermore, critical hardware vulnerabilities affecting most modern processors have recently been identified. Attack modes such as Meltdown and Spectre exploited these in order to steal data from computers all around the world. It again reopened the discussion around the layer of protection and additional segregation requirement in different layers. An independent protection layer (IPL) is a device, system, or action that is capable of preventing a scenario from proceeding to its undesired consequence independent of the initiating event or the action of any other layer of protection associated with the scenario
Standards and Segregation
The purpose of modern functional safety solutions is to reduce safety and security risks to a minimum. Therefore, a holistic approach is needed, which not only includes the core SIS (final control elements, logic solver including I/O module and sensors), but also its environment like the engineering station, asset management tools (AMS) and handhelds as well as field entry panels and HMIs.
To reduce the risk in all prevention layers, international standards provide guidelines and recommendations. For instance, Safety Standard IEC61511-2 states clearly that Basic Process Control System (BPCS) and Safety Instrumented System (SIS) should be completely separated, isolated and independent (Clause 11.2.4). The standard states that SIS is normally separated from the BPCS for the following reasons:
a) To reduce common cause, common mode and systematic failures, minimising the impact of BPCS failure on the SIS
b) To retain flexibility for changes, maintenance, testing and documentation relating to the BPCS
c) To facilitate the identification and management of the SIS devices, making the validation and FSA of the SIS more straightforward and clear
d) To support access security and enhance cyber security for the SIS, such that revision to BPCS functions or data do not impact the SIS, and
e) To reduce the amount of analysis that should occur to ensure that the SIS and BPCS are properly designed, verified, and managed.
This separation can be achieved via identical separation (same technology) or diverse separation (different technology). For SIL-3 and SIL-4 requirements diverse separation have to be adopted and identical separation is not sufficient. As stated in the IEC61511 standard, nowadays, users prefer to utilise Programmable Electronics (PE) technology for both the BPCS and the SIS. As it provides maximum flexibility and the ability to interchange information between the BPCS and the SIS. But unfortunately these characteristics can be counterproductive when trying to maintain separation and independence between the BPCS and the SIS.
ICSS is a concept with both BPCS and SIS integrated. It simplifies the configuration by using a common network domain, common software library, Common Engineering workstation. ICSS concept adopted for SIL-3 requirement, directly contradicts with IEC 61511-2, clause A9.4.2 for having different manufacturers for diversity. It also does not fulfil completely the measures of “Differences” as per IEC61511, Clause 11.2.4
There is no safety without security
The security requirements deserve to be defined in a similar manner which is to specify protection layers and provide separation between the layers. This is because the security environment is the protecting layer which prevents security threats reaching the SIS. Befitting this concept, Zones and Conduits concept is described per the international standard for automation security, IEC 62443-3-2.
A zone, in line with this standard, is a dedicated part of an overall application where identical security recommendations apply. Each Zone is having clearly defined perimeters and dedicated interfaces to other Zones as shown in the Figure – Zone and Conduits (IEC 62443).
For each of the Zones (or layer) we need to define what level of security protection measures are to be implemented.
These measures are the ‘Foundational Requirements’ as per IEC 62443-3-3 and listed as following:
1. Identification and authentication control
2. Use control
3. System integrity
4. Data confidentiality
5. Restricted data flow
6. Timely response to events, and
7. Resource availability.
The intent is to keep the threat or risk in a zone from reaching another. Hence each zone acts as a protection layer and any interface or conduit should have enough measures to avoid breach of security. Therefore the BPCS, SIS, Maintenance and Engineering workstations and office zones should be segregated.
Why do we need Safety and Security management?
A well-structured management plan for the Safety and Security should go in tandem. Data flow requirements, interfaces and required defence systems have to be designed and built according to the International Standards IEC 61508/61511, Security Standard IEC 62443 and others.
The holistic approach should address security and safety management systems, secure communication infrastructure and ZonesLayers capable of withstanding security breaches. For instance for an effective cyber-defence, the computer infrastructure should be set up with a secure firmware (BIOS) management, reduced access rights and with only the required Windows services activated. Portable devices (laptops) should not be used as engineering stations as they can be easily moved between zones. The engineering station should be kept completely separate from other functions and the engineering station for one zone should not handle the other zones. All devices (controllers, PCs, remote IOs, firewalls, etc.), should feature an intelligent password management system and install mission specific set of application programs alone which are to be regularly updated with necessary patch management to list a few measures.
The need of the day is a lifecycle management approach for both Security and Safety. The design, realisation, operation and maintenance should all provide a management plan for Security and Safety. This approach should not be applicable for the industry alone but users, manufactures, vendors, service providers all should take the responsibility to incorporate safety and security lifecycle management for themselves. We need to act now against a common threat.
“The world is a dangerous place to live;
not because of the people who are evil,
but because of the people who don’t do anything about it.”
Deepak Naik is an accomplished Automation Solutions Expert with over 34+ years of experience in the automation industry. He is currently Director Business Development of HIMA Middle East FZE, a 110+ years old German Independent Safety and Security Expert who provides solutions in Process as well as Rail Industry. He has worked with various companies in India and GCC including Siemens, Schneider electric as well as E&I Integration Companies prior to joining HIMA in 2013 in HIMA's regional office in Dubai.
Deepak has worked on numerous green field and strategic projects with several prestigious customers including ONGC, Shell, Chevron, TOTAL, BP and EXXON Mobile in the Middle East, Caspian Region and Indian Sub-continent in Oil & Gas sector. He has significantly contributed to enhancement of various safety applications in the region such as ESD, F&G, Pipeline Management Solutions and several safety applications for Railways.