By Gregory Hale
A misconception promulgated over the years held that safety systems were immune from cyber attacks, but that mindset came screeching to a halt when a safety system was hit a few years back. At that point all bets were off.
If that safety system didn’t shut down that facility like it was supposed to do, who knows what unimaginable destruction could have occurred.
“Safety and security is about risk mitigation,” said Luis Duran, global product line manager at ABB in a Monday talk entitled, “The rocky relationship between safety and security” during the ABB Customer World in Houston, Texas. “In safety, we want to prevent something bad from happening to people, facility and environment. In cybersecurity, the goal is to prevent illegal or unwanted penetration into a system. There are similar ideas behind risk management, but the ways to go about it are different.”
Along those lines, Duran mentioned there are three myths that need to be broken:
1. Security is an IT item
2. Air gaps
3. Product certification
“Air gaps do not resolve cybersecurity issues or address industry best practices,” he said. “A safety system is not connected to anything? How do you program it? It is connected to a system. Is it Windows-based? These were not designed with cybersecurity in mind. Safety systems are exposed to cyber threats. They are isolated from process control systems, but it is connected to other systems. Air gaps are not the answer.”
“Certification is an important first start, but not the end of the journey,” he said.
Companies need to “define security policies that work over the plant lifecycle by collaborating with suppliers across IT and OT. A collaboration of minds is about what is best for the installation,” he said.
Safety and security are similar but there are differences. Safety will keep man protected from machines, while security will protect machines from man. Either way, if one element goes bad, it can lead to a safety issue.
“Cybersecurity awareness is ongoing,” Duran said. “It is important; attacks are happening and they are real. Cybersecurity can lead to system failure and when a system goes down, it affects the safety system because it is the system of last resort to protect against a catastrophic event.”
Duran mentioned some well-known cases of cyber attacks in the industry:
• 2010 Stuxnet attack against an Iranian nuclear facility
• 2014 Blast furnace attack in Germany
• 2015 and 2016 Blackout in Ukraine
• 2017 Triton attack against refinery in Saudi Arabia
In a SANS survey, respondents pointed to their primary business concerns and 67 percent perceived severe or high levels of threat to control systems, which was up from 43 percent in 2015.
To reach some level of security for safety and control systems, users need to apply basic best practices such as following international standards like IEC 62443. The standard has multiple parts, each focusing on a specific area of concern.
In addition, users need to apply a defense-in-depth approach. “Segregate layers to prevent a delay of attacks on systems. A flaw in one layer can be mitigated by other layers,” Duran said.
In addition, users need to follow cybersecurity for the product lifecycle:
• Secure by design
• Secure by default
• Secure in deployment
“Security doesn’t start in the design,” Duran said. “It starts before you write the first line of code. At the end of the day, the security of the whole installation has to come into play.”