By Gregory Hale
Safety and security do go hand in hand and while the industry keeps moving forward to a more connected environment, the need to ensure secure safety systems continues to grow.
“There is a growing connectivity of safety instrumented systems,” said Marc Risser of BASF during his talk Wednesday at the 2017 27th Annual Triconex User Group meeting in Lake Forest, CA. “There is an increased risk of security incidents.”
While there are solid security standards out there, and the new version of IEC 61511 now requires a security risk assessment for safety systems, Risser also talked about NAMUR NA163, which likewise lists a series of security components for safety instrumented systems (SIS).
Securing safety systems came into focus over the past week during the WannaCry incident.
WannaCry hit over 200,000 computers, from manufacturing to medical, in at least 174 countries starting last Friday and running through the beginning of last week, and this ransomware attack could easily have been prevented if manufacturers had just followed some basic steps.
But the catch was, the industry didn’t follow the basic steps and left systems from control to safety vulnerable to a ransomware attack.
While there were no real cases of safety systems faltering, Risser gave some examples of how a security incident could escalate into a safety incident. One was a manipulated temperature measurement. Another was a manipulated function block, and yet another was a manipulated HAZOP.
In talking about doing a NA 163 risk assessment, Risser said a user can:
• Find commonly used solutions
• Define standard models
• Perform a risk assessment
• Create controls
“We would like to do security by design,” Risser said.
The assessment, Risser said, can and should be performed by a SIS engineer, not a security expert.
NA163 distinguishes between three cases:
1. Case 1: SIF will trip with demand, which is safe where there is only an availability issue
2. Case 2: SIF is disturbed and will not trip, which is not safe
3. Case 3: Case 2 plus trip demand is provoked, which is not safe and an unacceptable event
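The manipulated temperature measurement from Risser's escalation examples, worked through against the three NA 163 cases above. This is an added illustration, not code from the article, NAMUR or BASF; the trip setpoint, the 1oo1 and 2oo3 voting logic, the deviation limit and all readings are constructed.

```python
from dataclasses import dataclass
from typing import Callable, List

TRIP_SETPOINT_C = 150.0  # constructed high-temperature trip limit for the SIF


@dataclass
class Scenario:
    actual_temp_c: float           # true process temperature (the real demand)
    reported_temps_c: List[float]  # values the logic solver receives per transmitter


def trip_1oo1(readings: List[float]) -> bool:
    """Single transmitter: the SIF trips on whatever that one channel reports."""
    return readings[0] >= TRIP_SETPOINT_C


def trip_2oo3(readings: List[float]) -> bool:
    """Two-out-of-three voting: at least two of three channels must exceed the limit."""
    return sum(r >= TRIP_SETPOINT_C for r in readings) >= 2


def deviation_alarm(readings: List[float], max_dev_c: float = 5.0) -> bool:
    """Plausibility check: a large spread between channels flags a disturbed input."""
    return max(readings) - min(readings) > max_dev_c


def classify_na163(demand: bool, tripped: bool, provoked: bool = False) -> str:
    """Map the outcome onto the three NA 163 cases as described in the article."""
    if demand and tripped:
        return "Case 1"   # SIF trips on demand: safe
    if demand and not tripped:
        return "Case 3" if provoked else "Case 2"   # SIF disturbed, no trip: not safe
    return "no demand"    # a trip here would be spurious: availability issue only


def evaluate(scenario: Scenario, voter: Callable[[List[float]], bool],
             provoked: bool = False) -> str:
    """Decide whether the real process demands a trip and whether the SIF delivers it."""
    demand = scenario.actual_temp_c >= TRIP_SETPOINT_C
    tripped = voter(scenario.reported_temps_c)
    return classify_na163(demand, tripped, provoked)


if __name__ == "__main__":
    # Constructed readings: the process is at 160 C, one channel is manipulated to 120 C.
    print(evaluate(Scenario(160.0, [120.0]), trip_1oo1))                 # Case 2
    spread = Scenario(160.0, [120.0, 161.0, 159.0])
    print(evaluate(spread, trip_2oo3), deviation_alarm(spread.reported_temps_c))  # Case 1 True
    # All three channels manipulated while the upset was deliberately provoked.
    print(evaluate(Scenario(160.0, [120.0, 121.0, 119.0]), trip_2oo3, provoked=True))  # Case 3
```

The single-channel design lands in Case 2 from one disturbed input, whereas voting plus a deviation alarm keeps the trip and raises a detectable signal; manipulating every channel still defeats voting, which is why the assessment has to cover connections, end points, data and people rather than hardware reliability alone.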
When doing a security assessment, Risser said, manipulation is considered to happen on purpose where an attacker will seek vulnerabilities. In addition, it is not enough to connect the most reliable hardware to be secure. A holistic assessment is required for connections, end points, data and persons/processes.
Securing Safety Highlights
• Safety instrumented systems are a target of IT threats
• German process industries defined a worksheet for SIS security assessment, NA 163
• Holistic assessment is required to protect SIS from IT threats
• Assessment has to be performed by an SIS engineer
• New challenges for SIS operating companies
• Desire for supporting tools for the plant’s security lifecycle
“We are used to building individual layers from a safety perspective,” said Steve Elliott, safety expert and senior director of offer marketing – process automation at Schneider Electric. “In security it is almost the same. Underpinning all of this is training and awareness,” he said.
As a basic rule, Elliott said a user should know the security risks the organization faces and then they should quantify and qualify risks. After that, they should be able to use key resources to mitigate security risks. In addition, they should define each resource’s core competency and identify any overlapping areas.
Two more things users should do, Elliott said, are abide by existing or emerging security standards for specific controls, and create and customize specific controls that are unique to the organization.
Security is nothing new, and the threat to safety systems continues to grow, but there is hope.
“Safety protects man from machines, while security will protect machines from man,” Elliott said. “There is a lot you can do with your current technology to eliminate any issues.”