Functional safety in times of rising cybercriminality
By Dr Alexander Horch*
Friday, 08 September, 2017
Every production process has inherent risks, and cybercriminality is now one of these risks. To achieve the greatest possible degree of safety and security in production processes, it is important for enterprises in the process industry to implement effective separation of their process control and safety systems.
Recently in Australia, some of the biggest businesses have been hit by cyber attacks from criminal elements. The Cadbury factory in Tasmania was the first Australian company to be hit, with the Petya ransomware bringing down its IT systems. The same cyber attack was also responsible for shutting down the monitoring system of Ukraine’s Chernobyl nuclear power plant.
Petya is the name given to a ransomware program that holds data hostage by scrambling it until a payment is made. It not only encrypts files but also a computer’s master boot record, thus ensuring that nobody can retrieve the affected information without first paying the criminals for a key.
Australia’s cyber safety minister, Dan Tehan, has warned that more Australian businesses could still be impacted by cyber attack. Leading industry analysts say that Australian companies are under constant cyber attack and that unreported attacks are rife.
For the process industry, it is crucial to take precautions against cyber attacks by having a safety system independent from the process control system. This offers the highest degree of safety and security in safety-critical applications.
To better understand the interaction of safety and security, it is helpful to clarify several terms. There are numerous definitions of safety; however, a general definition is that safety is the absence of danger. This means that a condition is safe when there are no prevailing hazards. It is frequently not possible to eliminate all possible risks, especially in complex systems, so people in the industry often say that safety means the absence of unacceptable risks.
Reducing risks to an acceptable level is the task of functional safety. This means that the safety of an application depends on the function of a corresponding technical system, such as a safety controller. If this system fulfils its protective function, the application is regarded as functionally safe. This can be clarified by the following example: if oil is flowing out of a pipeline and endangering people in the vicinity, then this is a safety issue. If a system cannot prevent icing in a pipeline, even though that is exactly its task, and a critical situation subsequently arises, that is a functional safety issue.
Functional safety systems protect people, facilities and the environment. For example, they start up or shut down systems when hazardous situations arise suddenly and people do not respond or are not able to respond, or when other safety precautions are not adequate. Functional safety systems are intended to prevent accidents and avoid costly or undesirable downtime of equipment or systems.
Separate safety layers reduce risks
Enterprises in the process industry are becoming increasingly aware of the importance of relevant standards for the safety and profitability of their systems. The IEC 61511 standard for functional safety clearly defines the best way to reduce the risk of incidents and downtime. It prescribes separate safety layers for control, monitoring, prevention and containment, as well as emergency measures (see Figure 1). Each of these three layers provides specific functions for risk reduction, and collectively they mitigate the hazards arising from the entire production process.
IEC 61511 also prescribes independence, diversity and physical separation for each protection level. To fulfil these requirements, the functions of the different layers must be sufficiently independent of each other. It is not sufficient to use different I/O modules for the different layers because automation systems are also dependent on functions in I/O bus systems, CPUs and software. To be regarded as autonomous protection layers in accordance with IEC 61511, safety systems and process control systems must be based on different platforms, development foundations and philosophies. In concrete terms, this means that the system architecture must fundamentally be designed so that no component is used simultaneously by both the process control system level and the safety level.
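The point about I/O modules can be checked mechanically against an asset inventory. The following is an added example, not part of the original article or of IEC 61511: it walks a dependency map and reports every component that both the process control layer and the safety layer ultimately rely on. All component names and both inventories are constructed for illustration.

```python
from collections import deque

# Constructed inventory: separate I/O modules per layer, but one shared I/O bus.
SHARED_BUS = {
    "bpcs": ["bpcs_io_module", "bpcs_cpu", "bpcs_software"],
    "sis": ["sis_io_module", "sis_cpu", "sis_software"],
    "bpcs_io_module": ["io_bus"],
    "sis_io_module": ["io_bus"],
}

# Constructed inventory: every dependency of each layer is its own.
SEPARATED = {
    "bpcs": ["bpcs_io_module", "bpcs_cpu", "bpcs_software"],
    "sis": ["sis_io_module", "sis_cpu", "sis_software"],
    "bpcs_io_module": ["bpcs_io_bus"],
    "sis_io_module": ["sis_io_bus"],
}


def direct_shared(layer_a, layer_b, graph):
    """Components both layers name directly (the naive 'different modules' check)."""
    return sorted(set(graph.get(layer_a, ())) & set(graph.get(layer_b, ())))


def all_dependencies(root, graph):
    """Everything reachable from root: direct and indirect dependencies."""
    seen, queue = set(), deque([root])
    while queue:
        node = queue.popleft()
        for dep in graph.get(node, ()):
            if dep not in seen:  # also guards against cycles in the inventory
                seen.add(dep)
                queue.append(dep)
    return seen


def shared_components(layer_a, layer_b, graph):
    """Components used, directly or indirectly, by both layers."""
    return sorted(all_dependencies(layer_a, graph) & all_dependencies(layer_b, graph))


def is_independent(layer_a, layer_b, graph):
    """True only if the two layers have no component in common at any depth."""
    return not shared_components(layer_a, layer_b, graph)


if __name__ == "__main__":
    for name, graph in (("shared bus", SHARED_BUS), ("separated", SEPARATED)):
        print(name, "direct:", direct_shared("bpcs", "sis", graph),
              "transitive:", shared_components("bpcs", "sis", graph))
```

With the first inventory the direct comparison finds nothing in common, while the transitive check reports the shared I/O bus.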
Rising risk of cyber attacks
Since the attack by the Stuxnet virus on an industrial controller in 2010, we have known that industrial systems are vulnerable and are attractive targets for cyber attacks. In the last five to 10 years, the risk of cyber attacks on industrial systems has risen significantly due to increasing digitalisation. In addition to endangering information security, these attacks increasingly pose a direct threat to system safety.
System operators must be aware of these risks and actively address them. This can be done by means of various systems and measures to increase cybersecurity. Unlike functional safety systems, which are mainly intended to protect people, these systems and measures protect technical information systems against intentional or unintentional manipulation, and from attacks intended to disrupt production processes or steal industrial secrets.
Due to the conditions mentioned above, safety and security have become closely meshed topics. Cybersecurity plays a key role, particularly for safety-oriented systems such as those in the process industry, because it forms the last line of defence against a potential catastrophe.
Standards define the framework
Compliance with important international standards is necessary in the design, operation and specification of safety systems. The first of these is IEC 61508, the basic standard for safety systems, which applies to all safety-oriented systems (electrical, electronic and programmable electronic devices) in all industry sectors. The previously mentioned IEC 61511 standard, which is derived from the basic standard, is the fundamental standard for the process industry and defines the applicable criteria for the selection of safety function components.
The IEC 62443 series of standards for IT security in networks and systems, which effectively forms the standard for cybersecurity, must also be considered. Among other things, it specifies a management system for IT security, separate protection layers with mutually independent operating and protection facilities, and measures to ensure IT security over the full life cycle of a system. It also requires separate zones for the enterprise network, control room, safety instrumented system (SIS) and basic process control system (BPCS), each of which must be protected by a firewall to prevent unauthorised access (see Figure 2).
Cybersecurity by design
Safety and security are closely related aspects of process systems, which must be considered separately and as a whole.
Standardised hardware and software in process control systems require regular updates to remedy weaknesses in the software and the operating system. However, the complexity of the software architecture makes it difficult or impossible to analytically assess the risks which could arise from a system update. For instance, updates to the process control system could affect the functions of the safety system integrated into the control system.
To avoid critical errors with unforeseeable consequences in safety-relevant processes as a result of control system updates, the process control system must be technologically separate from the safety system. This is the only way to ensure that control system updates do not impair functional safety.
For effective cybersecurity, it is not sufficient to upgrade an existing product by retrofitting additional software functionality. Every solution for functional safety must be conceived and developed with cybersecurity in mind, right from the start. This applies equally to the firmware and the application software.
Effective protection against cyber attacks
A safety system that utilises a proprietary operating system specifically designed for safety-oriented applications and excludes all other functions is much more immune to typical attacks on IT systems. The operating systems of such controllers should be tested for resistance to cyber attacks during the development process.
Any programming and diagnostic tools that run in a Windows environment need to be able to work in a manner that is as independent as possible from Windows functions. This enables secure operation without interference from other programs or updates, and provides maximum protection against operator error when programming the safety PLCs.
Cybersecurity is essential for functional safety
A noteworthy common feature of the process industry standard and the cybersecurity standard is that both require separation of the SIS and the BPCS. Along with being a basic prerequisite for the effective protection of process systems, this independence of safety systems is a good idea from practical and economic perspectives, for example, because the SIS and BPCS have very different life cycles and rates of change. System operators are thus free to choose ‘best of breed’ solutions from different manufacturers.
Integration of comprehensive operational and maintenance data is, however, also necessary to enable cost-effective operation of safety systems. Despite the required independence, open integration capabilities should allow integration into the process control system using high-performance, manufacturer-independent communication standards.
In summary, systems that are independent of the process technology and which also provide open integration, so that they can easily be integrated into process control systems despite physical separation, offer the highest degree of safety and security in safety-critical applications. Practical experience shows that they are the best way to increase the operational reliability and availability of process systems and thereby to improve the profitability of production processes.