Safety Implications of Security Are Often Overlooked: Learn How to Assess, Manage and Mitigate Risks
By Lee Lane
As organizations implement connected, information-enabled architectures to improve productivity, efficiency and safety, industrial security cannot be far behind.
Whether it’s remote access to production machinery, wireless access to pumping stations, or connecting plant-floor equipment to the IT infrastructure, greater connectivity can provide significant improvements in productivity and safety. But it also increases risks – not only to intellectual property, profits and mission-critical production assets, but also to people and the environment.
Safety systems are designed to detect faults, alert operators and automatically intervene. By altering or attacking safety systems, security breaches can force a standard control system to operate beyond its safety parameters, damage equipment and the environment, or even place workers and the public in unsafe situations.
The connected enterprise unites people, processes and things. It brings together enterprise-level IT and plant-level operations technology (OT) systems into a common network infrastructure. And it harnesses the power of enabling technologies, from data and analytics software to smart devices that make up the Internet of Things (IoT).
What does this mean for manufacturers and industrial operators? It means production intelligence for measuring and improving nearly every aspect of their operations, including quality, productivity, uptime and overall equipment effectiveness (OEE). It means enterprise-wide connectivity for instantaneous information sharing and seamless collaboration across an organization. It means remote monitoring of critical production assets and systems dispersed across remote locations.
For all the opportunities, however, there are also risks.
More connection points can create more entrance points for security threats. These threats can be physical or digital, internal or external, and malicious or unintentional. And they can pose a danger in many ways, including intellectual property loss, disrupted operations and compromised product quality.
Safety is perhaps the least discussed implication of security threats.
Safety as Attack Vector
Breached machine- and process-safety systems can create cascading safety consequences.
For starters, compromised safety systems that don’t stop machines when they reach a dangerous state or when a safety device is triggered can expose workers to the very threat they should be protected from. Additionally, safety systems that aren’t able to stop production beyond certain operating conditions can expose other employees or an entire plant to risks, such as fires, chemical leaks or explosions.
The risks can be especially high in industries where employees work with hazardous or volatile materials, such as in chemical manufacturing. And the risks will only grow as collaborative robotics become more prevalent, with employees and robots working side-by-side on production lines.
Compromised safety systems also could put consumers at risk. Consider the potential impact of a cyberattack that alters processes in a food or pharmaceutical manufacturing operation. It could result in harmful or even deadly contaminations. And even if an attack is discovered before affected product leaves the facility, it could delay the delivery of urgently needed products like life-saving medications.
Likewise, tampered or disrupted processes in critical-infrastructure facilities could impact the critical water and energy supplies on which populations depend.
Security breaches and vulnerabilities resulting in safety risks aren’t just theoretical. They’re a reality:
• A cyberattack on a German steel mill resulted in parts of the plant failing and a blast furnace that workers could not shut down through normal methods. The plant suffered “massive damage.” The incident illustrated the destructive – and potentially harmful – effects that security threats can create in industrial operations.
• The FDA put out an alert to medical device manufacturers and health care facilities about certain medical devices vulnerable to security breaches. One of the vulnerabilities cited was the potential for malware to infect or disable the devices.
• Verizon reported a likely cybersecurity breach at a facility responsible for supplying and metering water usage. The report showed unexplained valve and duct movements, including manipulation of PLCs that “managed the amount of chemicals used to treat the water to make it safe to drink.”
• An oil pipeline explosion in Turkey was publicly blamed on a malfunction, but news reports revealed it was the work of hackers. The explosion resulted in 30,000 barrels of spilled oil. As Bloomberg reported, “Hackers had shut down alarms, cut off communications and super-pressurized the crude oil in the line.”
Security risks that can result in safety implications can take many forms. Some key risk types include:
Employee Errors: Security risks don’t always originate from malicious intent. In fact, one of the most common security risks comes from innocent mistakes. This could include employees or contractors who unwittingly make a network misconnection, download the wrong program to a controller, or plug an infected device into the system. Such seemingly simple mistakes could in fact have major consequences if they lead to systems operating beyond safe parameters.
Disgruntled Employees: Current or former employees familiar with an organization’s control system and industrial network can present security and safety threats. A prime example of this involved a worker in Australia who broke into a sewage-equipment control system installed by his former employer and caused 800,000 liters of raw sewage to spill into local parks and rivers.
Hackers Seeking Political or Financial Gain: A manufacturer’s intellectual property can be a lucrative target for hackers. At the same time, hackers also may seek to disrupt a manufacturing or industrial operation for financial, competitive or political reasons.
Corporate Espionage: State-sponsored espionage targeting high-value infrastructure and production assets is a constant threat. U.S. Department of Justice officials have said thousands of companies have been targeted and that such activities represent a “serious threat” to national security.
Cyberterrorism: Malicious acts could seek to disrupt, infect or cripple critical infrastructure. Potential targets could include nuclear plants, water supplies and oil refineries. One such attack involved hackers attempting to seize control of a small dam in New York. The attack failed because the dam was offline for maintenance.
Secure Environment Means Safety
Governments concerned about disruptive and dangerous cybersecurity attacks on plants and critical-infrastructure operations are already working with manufacturers and industrial operators.
For example, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) responded to 295 cybersecurity incidents in 2015 across 16 critical-infrastructure sectors. The three sectors that garnered the most responses were:
1. Critical manufacturing (97 incidents)
2. Energy (46 incidents)
3. Water and wastewater (25 incidents)
Still, much work remains. Organizations need to be more proactive in addressing safety through security. They should incorporate four key elements into their approach:
• Standards compliance
• Safety and security integration
• Risk analysis
• Risk mitigation measures
Some requirements do exist within safety standards to help manufacturers and industrial operators address safety through security:
Section 7.4 of IEC 61508 (“Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems”) directs companies to conduct a security threat analysis if their hazard analysis identifies a reasonably foreseeable “malevolent or unauthorized action” that constitutes a security threat. The problem, however, is that companies rarely follow the rule.
The second edition of IEC 61511 (“Functional Safety: Safety Instrumented Systems for the Process Industry Sector”), which was released late last year, will require security risk assessments to be conducted for safety instrumented systems (SIS). The SIS design also must deliver the necessary resilience against the identified security risks.
These requirements may not be elaborate, but they do provide formal compliance guidelines for addressing security-based safety risks. They should be followed. Meanwhile, standards bodies are also exploring additional updates that could go further in detailing how industry must identify and address safety through security.
Integrating Safety and Security
Safety and security have traditionally been viewed as separate entities, but there is a commonality between them in the approaches used to analyze and mitigate risks.
For example, the concept of “access control” is common between safety and security. In both cases, policies and procedures emanate from business practices, risk-management approaches, application requirements and industry standards. Both also seek to help protect an organization’s assets, including its people, processes, equipment and intellectual property.
Manufacturers and industrial operators that want to reduce the likelihood of security-based safety incidents will need to rethink safety in this way. Specifically, they need to start thinking of safety and security in relation to each other.
To understand how this can happen, organizations should first consider the “three Cs of safety,” which is a set of practices that best-in-class manufacturers share:
• Culture (Behavioral): Employee and company behaviors – including values, priorities, attitudes, incentives and beliefs – that help define how well a company embraces safety.
• Compliance (Procedural): Policies and procedures that help a company achieve compliance with appropriate safety standards.
• Capital (Technical): Contemporary safety technologies and techniques that help optimize both safety and productivity.
Next, organizations should consider how security can integrate into each of these core safety pillars. For example:
Culture: In addition to protecting intellectual property, processes and physical assets, security personnel must make protecting safety systems a core value in everything they do. Greater collaboration between EHS, operations and IT teams also is more important. For example, all three teams should work together to develop co-managed objectives for safety and security, and to identify critical safety data requirements from plant-floor systems. And because a strong safety culture involves every employee, a companywide understanding of the relationship between security and safety is needed.
Compliance: Compliance efforts should meet the security requirements in safety standards, such as IEC 61508 and 61511. Conversely, security efforts should follow a defense-in-depth approach, recommended in the IEC 62443 (“Security for Industrial Automation and Control Systems”) standard series (formerly ISA-99) and elsewhere, and address safety-related security risks at all levels of an organization.
Capital: Companies should use safety technologies with built-in security features. They also should use security technologies that help protect against safety-system breaches and enable speedy recoveries should a breach occur.
Companies should implement a companywide risk-management strategy to manage security threats and vulnerabilities, as well as their potential implications on safety. Two assessments are essential to this strategy:
• A safety risk assessment is necessary to confirm compliance with existing safety standards, including the security requirements in IEC 61508 and 61511. The assessment should address not only standard operator functions but all human-machine interactions, including machine setup, maintenance, cleaning and sanitation, and training and administrative requirements. Companies should also expand their existing methods for performing safety risk analysis to analyze risk from cyberattack.
• A security risk assessment should describe an organization’s overall current security posture regarding software, networks, control system, policies and procedures, and even employee behaviors. It also should outline steps to take to achieve the desired level of security.
While these assessments are separate from each other, they should work toward the same company-level risk management goals of protecting workers, customers and the environment.
Companies that use a third-party vendor to conduct these assessments should seek out a vendor with expertise in safety and security. This can help confirm consistency and alignment between the two assessments.
Risk Mitigation Measures
The specific mitigation measures an organization implements will depend on its unique set of security risks and their potential impacts on safety. However, there are some key mitigation measures that most manufacturers and industrial operators should implement as a best practice:
• Segmentation into zones: This is a core security best practice. Every plant should do it as part of a holistic defense-in-depth security approach to help limit access to safety systems. An industrial demilitarized zone (IDMZ) with firewalls and data brokers can securely segment the plantwide network from the enterprise network. Also, using virtual LANs (VLAN) and a layer-2 or layer-3 switch hierarchy can create functional sub-zones to establish smaller domains of trust and simplify security policy enforcement.
• Physical access: Quite a few organizations use RFID cards to manage facility access control. But physical-access security should go further than that to protect safety systems. Lock-in, block-out devices should be used to prevent the unauthorized removal of cables and to close unused or unnecessary ports. And users should lock control cabinets to restrict walk-up and plug-in access to the industrial automation and control system devices. More advanced physical-access security also is emerging, such as IP video surveillance systems that can use analytics for facial recognition.
• Network-integrated safety and security: CIP Safety and CIP Security are extensions to the common industrial protocol (CIP), which is the application-layer protocol for EtherNet/IP. CIP Safety allows safety devices to coexist on the same EtherNet/IP network as standard devices, and enables a safe shut down in the event of a denial-of-service attack. CIP Security incorporates data integrity and confidentiality into EtherNet/IP communications. Working together, devices that incorporate CIP Safety and CIP Security can help protect against data corruption and malicious attacks on safety systems.
• Safety products with built-in security: Safety systems and other hardware should include built-in security features. For example, a safety controller that uses keyed software can ensure firmware only downloads from a trusted source, while an access door can restrict physical access to the controller. An industrial managed switch with access control lists (ACL) also can ensure that only authorized devices, users and traffic are accessing a network.
• Authentication and authorization: Security software features can restrict wired and wireless access to the network infrastructure. For example, authentication and authorization security is a key element in human-machine interface software and can limit safety-system access to only authorized individuals. This can help protect against malicious and accidental internal threats. Security personnel can define who can access the software, what specific actions they can perform and on which specific hardware, and from where they can perform those actions.
• Asset and change management: Asset-management software can automate the discovery of new assets and centrally track and manage configuration changes across an entire facility, including within safety systems. It can detect malicious changes in real time, log those activities and report them to key personnel. If unwanted changes occur, the software can access archived copies of a device program for fast recovery.
• Vulnerability management: Processes and procedures should make sure fast action occurs after safety and security advisories are released. This includes having processes in place to immediately review advisories and determine their potential impact. It also includes implementing patch-management procedures for affected products.
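One way to check the zone segmentation described above against observed traffic, as an added example that is not part of the original article: the script maps each flow's endpoints to a zone and reports flows that bypass the IDMZ or reach the safety zone from anywhere but the plant zone. The subnets, zone names, permitted zone pairs and flow records are all assumptions constructed for illustration.

```python
import ipaddress
# Constructed zone map: subnets and zone names are assumptions for illustration.
ZONES = {
    "enterprise": ipaddress.ip_network("10.10.0.0/16"),
    "idmz":       ipaddress.ip_network("10.20.0.0/24"),
    "plant":      ipaddress.ip_network("10.30.0.0/16"),
    "safety":     ipaddress.ip_network("10.40.0.0/24"),
}
# Assumed policy: only adjacent zones may talk, so enterprise reaches plant via the IDMZ.
ALLOWED_CONDUITS = {frozenset(p) for p in
                    [("enterprise", "idmz"), ("idmz", "plant"), ("plant", "safety")]}

def zone_of(addr):
    """Return the name of the zone containing addr, or 'unknown'."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unknown"

def audit_flows(flows):
    """Return (src, dst, port, reason) for each flow that violates the zone policy."""
    findings = []
    for src, dst, port in flows:
        sz, dz = zone_of(src), zone_of(dst)
        if sz == dz and sz != "unknown":
            continue  # intra-zone traffic is out of scope for this check
        if "unknown" in (sz, dz):
            reason = "endpoint outside any defined zone"
        elif frozenset({sz, dz}) in ALLOWED_CONDUITS:
            continue  # crosses a permitted conduit
        elif "safety" in (sz, dz):
            reason = f"{sz}->{dz}: safety zone reached from outside the plant zone"
        else:
            reason = f"{sz}->{dz}: bypasses the IDMZ"
        findings.append((src, dst, port, reason))
    return findings

# Constructed flow records (source, destination, destination port).
SAMPLE_FLOWS = [
    ("10.10.5.20", "10.20.0.10", 443),    # enterprise -> IDMZ: allowed
    ("10.20.0.10", "10.30.1.5", 44818),   # IDMZ -> plant: allowed
    ("10.10.5.20", "10.30.1.5", 44818),   # enterprise -> plant: violation
    ("10.20.0.10", "10.40.0.7", 2222),    # IDMZ -> safety: violation
    ("192.168.1.9", "10.30.1.5", 502),    # unzoned host -> plant: violation
    ("10.30.1.5", "10.40.0.7", 2222),     # plant -> safety: allowed
]

if __name__ == "__main__":
    print(*audit_flows(SAMPLE_FLOWS), sep="\n")
```

In practice the flow records would come from firewall or switch logs, and the permitted zone pairs from the site's own security risk assessment.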
Security isn’t only about protecting data and uptime. It’s about protecting people and the environment, as well as the critical infrastructures and supplies on which populations depend. Organizations that want to stay ahead of these risks will need to achieve compliance with the latest standards, holistically integrate safety and security, conduct a comprehensive risk analysis, and implement risk mitigation measures using the latest technologies.
Lee Lane is the chief product security officer at Rockwell Automation, responsible for the enterprise level product security strategy, guidelines, secure development lifecycle policies and procedures, red team testing, and incident response handling.