Ian Curtis, Siemens Industry Automation, looks at what is set to be a growing issue facing pharmaceutical process control operators – protection from cyber attacks
Gone are the days when it was essential that a safety system was standalone and totally isolated from its associated process control system. In order to reduce costs and improve operational efficiencies, organisations are looking at safety and process systems that can more easily integrate through use of common, open technology for both types of application. However, this market trend opens the door to potential cyber security issues, which companies ignore at their peril.
The UK government launched its cyber security strategy in 2009 amid concerns that the UK was facing a growing online threat from criminals and hostile states. The country’s critical national infrastructure is more reliant on technology than it was even five years ago, and terrorists who have used the Internet for fundraising and propaganda are also believed to have the intent – if not yet the capability – to carry out their own cyber attacks.
Of course, this is a global issue. The White House has appointed its first cyber tsar who has been tasked with uniting various disparate agencies and organisations to shore up the USA’s defence against cyber attack.
Within the process industries, many companies have switched to commercial off-the-shelf (COTS) technologies. This trend has raised the spectre of potential cyber security vulnerabilities to a critical level. Indeed, one recent study found that 80–90% of process control systems are connected to the company’s enterprise network, which in turn is connected to the Internet. This approach can provide the pathway for cyber attacks originating from outside the process plant.
This also applies to the use of safety instrumented systems (SIS), whose purpose is to mitigate the risk of serious incidents that could lead to personnel injury, damage to equipment or the environment, as well as disruption to production performance.
In the past, safety systems were independent and completely isolated from their associated process control systems. Now process companies with safety critical operations are evaluating and adopting increasing levels of integration of safety and process control systems as a means to reduce the cost of configuration, training and support, as well as to improve overall operational efficiency.
Currently, international safety standards, including IEC 61508, IEC 61511 and S84, provide a basic framework and specific requirements when addressing the integration of safety and basic process control systems with the following stated positions in three critical areas:
Operator interface – ‘Where the SIS operator interface is via the basic process control system operator interface, account shall be taken of credible failures that may occur in the basic process control operator interface.’
Engineering interface – ‘The design of a programmable electronic SIS maintenance/ engineering interface shall ensure that any failure of this interface shall not adversely affect the ability of the SIS to bring the process to a safe state.’
Communication interface – ‘The design of the SIS communication interface shall ensure that any failure of the interface shall not adversely affect the ability of the SIS to bring the process to a safe state.’
Such standards do not specifically address security implications yet. It is likely that the forthcoming modifications to the IEC 61508 standard will not attempt to address security directly, but will reference best practice from other security standards.
The heightened concern regarding the security of safety systems is not unfounded and there are plenty of examples that clearly illustrate the need for concern. For instance, in a live demonstration performed at the Applied Control Systems Security Conference in 2008, a company showed that it was able to ‘hack’ into a TUV-approved safety controller, putting it into an unsafe state.
Viruses and worms originating from the Internet have also has a direct effect on the operation of safety systems. Back in 2003, the SQL Slammer worm infected the plant network of a nuclear power plant, resulting in the disabling of the Safety Parameter Display System (HMI) and the plant process computer for several hours. In addition, the Sasser worm affected several oil platforms in the Gulf of Mexico when it disabled a panel used to monitor crucial safety indicators and caused the plant’s process computer to fail.
There are many business benefits that can be achieved through integration of safety and process control systems. In the past couple of years several suppliers have introduced safety systems that share a common set of hardware and software (engineering tools) with their associated process control system. The use of common technology opens up significant commercial benefits such as:
- Removing the need to implement and support multiple networks
- Easier integration of components and systems
- Minimising the quantity of spare parts that need to be kept on the shelf
- Easier engineering and maintenance for one system
- Reduced training requirements
- Improved accessibility and remote support
- Common HMI to allow the operator more effectively to monitor the process
When safety systems are designed, the safety engineer evaluates the likelihood of the safety instrumented system being able to bring the process to a safe state and considers the effect of random hardware faults.
Cyber security vulnerabilities inject a new variable into these calculations and must be considered. A cyber security incident could unleash additional systematic software faults that compromise the Safety Integrity Level (SIL) capability of the safety system and, potentially, the other layers of protection alongside the safety system.
One must also ensure that any vulnerability that can cause a basic process control system controller to fail does not also compromise the associated safety system.
In general terms, three aspects of safety systems are of greatest concern when it comes to security protection:
- The ability to make unauthorised configuration changes to the safety system controller from the Engineering Station
- The ability to manipulate safety system inputs and outputs
- The ability to interfere with the HMI’s accurate representation of the status of the SIS – e.g. the loss of alarms, ‘spoofing’ the operator, or total loss of visibility.
false sense of security
Some people advocate that the only way to ensure the security of a safety system is to keep it isolated from other networks and systems by implementing an ‘air-gap’. This approach, however, eliminates the potential benefits from improved process visibility and results in a higher lifecycle cost (engineering, maintenance, spare parts, etc.). Security cannot be taken for granted, even in this case. In fact, by thinking their SIS is secure because it is isolated, users may ‘let their guard down’ and take actions that compromise the air-gap.
There are several common scenarios where an isolated system can become compromised. These are consistent with documented cases of actual cyber security incidents. For example, if an engineer transports data onto the safety system engineering station by copying files from a USB memory stick, then the system could become infected with a worm or virus from the memory stick.
When it comes to connectivity of process control and safety systems there are differing degrees of integration (interfaced, integrated and common). Each approach has its advantages and disadvantages from a safety point of view, and each presents challenges from a security protection standpoint as outlined below:
Interfaced – This is where the process control system and the safety system utilise different control and I/O hardware (typically from different suppliers), and are connected by a gateway for exchange of data. The two systems use separate engineering tools and dedicated operator interfaces. One purported advantage of this approach is the reduction in common cause failure modes, but it comes with higher costs for hardware and installation, higher engineering and maintenance costs, additional training, as well as gateway issues.
Integrated – Here, the process control system and safety system use separate, dedicated control and I/O hardware, but share a common network, engineering tools, and operator interface. This gives the advantage of reduced costs for hardware and installation, reduced engineering and maintenance costs, lower training requirements, no gateway issues and fewer spare parts. However, integration potentially reduces system access control and reduced use of diverse technology may impact on the system’s resistance to common cause failures.
Common, – The process control system and safety system are on a common platform and are combined into a single system. They use common control and I/O hardware as well as engineering tools and operator interface. Standard and safety-related programmes are executed in parallel and independent of each other. This approach offers lower hardware costs and the need for fewer spare parts. However, higher false trip rate can be experienced, together with increased potential for common cause failure, management of change issues. Increased system complexity and a reduction of system access control are other issues.
In summary, there is no safety without security. Cyber security vulnerabilities can reduce the level of safety protection provided by a SIS and security breaches can affect the operation of a safety system by causing nuisance trips, or worse. Because of this, security should be considered hand-in-hand with safety during control system selection and design, especially when considering connectivity between the two systems.
Companies should look to maximise the overall safety and security of a plant’s automation infrastructure and be aware of, and take into account, security considerations, which ultimately may lead to the selection of a different architecture than if only safety is considered.
Common technology for safety and process control opens up new possibilities for maximising both safety and security. The use of control systems that take advantage of certified safety communication provides a safe and secure method for connectivity that enables operators to reduce costs and improve overall operational efficiency.
