The increasing use of Ethernet and open standard protocols in the process industry means that process plants are more vulnerable than ever before. Threats, whether caused by unintentional human error or by active malicious manipulation, can have catastrophic consequences in plants in the process industry. (Image: Leo Wolfert/Fotolia)

Fig. 1: The reliability of an SIS can affect the functional safety of the whole plant. IEC 61511:2016 therefore requires a risk assessment of the SIS and appropriate measures. (Source: Rösberg)

Fig. 2: Possible "invasion gateways" for cyberattacks. (Source: Rösberg)
Any chain is only as strong as its weakest link. The increasing networking of systems in the process industry, and their connection to the internet, mean that plants are more vulnerable than ever before. For plant owners, too, IT security is a red-hot topic, and not only because of the experience with Stuxnet. The hacker attack on a German steelworks just over two years ago, for instance, clearly demonstrated what dangers can ensue from inadequate IT security in industrial plants: the attackers gained control of a blast furnace to the extent that the plant operators themselves could no longer intervene. The furnace could not be shut down in a controlled way and sustained severe damage. On the one hand, the financial damage caused by attacks of this kind is immense. On the other, they constitute a serious risk to human life and the environment, a risk it is absolutely essential to avoid. This is where the changes in EU legislation come into play.
The standard IEC 61511, revised in 2016, requires a Security Risk Assessment with regard to IT security, that is to say a risk assessment for Safety Instrumented Systems (SIS). What are the implications of this for plant owners in the process industry with respect to security systems that have already been put in place, and also regarding future integration?
Relevant for security: the IT of safety systems

IEC 61508 (functional safety) makes concrete provisions for avoiding systematic and stochastic failures in a plant and for containing their impacts. The standard covers electrical, electronic and programmable electronic safety-related systems. Until now, however, the causes of failures have been sought almost exclusively in the hardware components built into a plant. Yet a safety instrumented system (SIS) consists not only of actuators that bring the plant into a safe state in an emergency and sensors that deliver the necessary signals to those actuators; there is also the safety controller itself, which is responsible for reliable communication between them. This raises further questions. Do security gaps in the software of the safety controller affect the functional safety of the whole plant? And if so, what are the dangers? Can threats to security be analyzed in a HAZOP (hazard and operability) study, and can the relevant avoidance and containment measures be implemented in the safety systems, as the revised IEC 61511 requires? Can software-related systematic failures also be avoided, and stochastic failures discovered and contained more quickly, through the consistent use of a functional safety management system?
Standard requires a risk assessment of the IT security of Safety Instrumented Systems

Plant owners should do everything they can, as a matter of urgency, to prevent cyberattacks on industrial plants, and not only because of the potential economic damage and the danger to people and the environment. The loss of reputation resulting from an attack and its consequences can be enormous. At the same time, the legal situation is quite clear. EU legislation requires plant operators to carry out a regular risk assessment of the IT security of the plant's safety systems in order to identify risks (Fig. 1). IEC 61511:2016 has applied for more than a year now as the international standard for the process industry; in Germany, VDI 2180 is currently in preparation with the purpose of fixing the requirements of the standard at national level. The part of IEC 61511 that is particularly relevant for safety systems is section 8.2.4.
Requirements for safety systems according to IEC 61511, section 8.2.4

The standard specifies that an IT security risk assessment has to be carried out both for the safety system itself and for the BPCS (Basic Process Control System), together with all systems connected to the safety system. All potential threats must be identified, whether they might be caused by unintentional human error or by active malicious manipulation. The possible consequences of these threats are then assessed in terms of the extent of damage, the probability of occurrence, the time people spend in the affected area, and the possibilities for avoiding the potential danger. This assessment must consider every phase in the life cycle of the safety system, from development, implementation and commissioning through to operation, maintenance and repair. For each of these phases, measures for risk reduction have to be determined and appropriately documented.
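As an added illustration of how the assessment described above can be structured (this is example code written for this article, not a tool of Rösberg's or a calibration from the standard), the following Python register rates constructed threat scenarios with the four factors named in section 8.2.4, ranks them, and checks that every life-cycle phase is covered and that every rated threat has a documented measure. The numeric scales and the rule that turns the four ratings into a risk class are assumptions chosen for illustration; a real assessment uses the plant's own calibrated risk graph or risk matrix.

```python
from dataclasses import dataclass

# Life-cycle phases the text names; a complete assessment covers each one.
PHASES = ("development", "implementation", "commissioning",
          "operation", "maintenance", "repair")


@dataclass(frozen=True)
class Threat:
    tid: str
    phase: str
    description: str
    cause: str              # "error" (unintentional) or "manipulation" (malicious)
    consequence: int        # extent of damage, 1 (minor) .. 4 (catastrophic)
    frequency: int          # probability of occurrence, 1 (rare) .. 3 (frequent)
    exposure: int           # time people spend in the area, 1 (seldom) .. 2 (often)
    avoidance: int          # possibility of avoiding the danger, 1 (possible) .. 2 (hardly)
    measures: tuple = ()    # documented risk-reduction measures


def risk_class(t: Threat) -> int:
    """Constructed scoring rule (an assumption), not a calibrated risk graph.

    Consequence, exposure and avoidance first select a row 1..6 (a minor
    consequence always lands in row 1); the frequency then shifts the class.
    Class 0 needs no additional measure, class 5 is the worst.
    """
    row = 1 if t.consequence == 1 else t.consequence + t.exposure + t.avoidance - 2
    return max(0, row + t.frequency - 4)


def assess(register):
    """Rank threats by risk class and report gaps in coverage and documentation."""
    ranked = sorted(register, key=risk_class, reverse=True)
    covered = {t.phase for t in register}
    gaps = {
        "uncovered_phases": [p for p in PHASES if p not in covered],
        "threats_without_measures": [t.tid for t in register
                                     if risk_class(t) > 0 and not t.measures],
    }
    return ranked, gaps


# Constructed sample register; tag names and scenarios are invented.
REGISTER = [
    Threat("T1", "development", "Safety logic edited on a workstation reachable from the office network",
           "manipulation", 4, 2, 2, 2,
           ("engineering network segmented from office network", "four-eyes review of logic changes")),
    Threat("T2", "implementation", "Wrong trip setpoint entered during configuration",
           "error", 3, 2, 2, 1, ("independent verification of configuration against the SRS",)),
    Threat("T3", "commissioning", "Forced I/O left active after loop checks",
           "error", 3, 2, 2, 2, ("force list cleared and signed off before handover",)),
    Threat("T4", "operation", "Remote write access to the safety PLC left enabled",
           "manipulation", 4, 1, 2, 2),          # no measure documented yet: a gap
    Threat("T5", "maintenance", "Alarm inhibited for maintenance and not re-enabled",
           "error", 2, 3, 2, 1, ("inhibit timer plus shift-handover checklist",)),
    Threat("T6", "operation", "Diagnostic data altered to hide a failing transmitter",
           "manipulation", 3, 1, 2, 2, ("diagnostic data read-only for operators",)),
]                                                # note: no "repair" scenario: a gap

if __name__ == "__main__":
    ranked, gaps = assess(REGISTER)
    for t in ranked:
        print(f"class {risk_class(t)}  {t.tid:3} {t.phase:15} {t.description}")
    print("gaps:", gaps)
```

Running the block lists T1 first (class 4) and reports two gaps: the "repair" phase has no assessed scenario, and T4 has no documented measure. Both are exactly the kinds of omission the documentation requirement in section 8.2.4 is meant to catch.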
To ensure a safe networked system, the following aspects have to be considered: the diagnostics and error handling of the safety system; protection from unwanted program changes; protection of the data used for fault finding in the safety functions; and protection against the circumvention of restrictions, so that alarms and manual shutdowns cannot be deactivated. It is also important to safeguard the activation and deactivation of read and write access with a sufficiently secure procedure.
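The aspects just listed are things an operator can monitor continuously. As an added example, not code from the article or from any vendor, the following Python check compares a status snapshot of a safety controller with an approved baseline and flags an altered program image, write access enabled outside an approved maintenance window, unauthorized or expired bypasses (inhibited alarms, forced outputs) and unhandled diagnostic faults. The snapshot layout, the tag names and the program image are constructed; a real controller exposes this information through its vendor's own interface.

```python
import hashlib
from datetime import datetime

# Constructed "approved" safety program image. In practice the baseline is the
# checksum the safety controller reports for its loaded, verified logic.
APPROVED_PROGRAM = b"SIF-101: PAHH-101 > 12.5 bar -> close XV-101 within 2 s\n"


def program_digest(image: bytes) -> str:
    """SHA-256 of the program image; what gets compared against the baseline."""
    return hashlib.sha256(image).hexdigest()


BASELINE = {"program_digest": program_digest(APPROVED_PROGRAM), "write_access": "locked"}


def check_snapshot(snapshot, baseline=BASELINE, now=None, in_maintenance=False):
    """Return a list of (severity, message) findings for one status snapshot."""
    now_dt = datetime.fromisoformat(now) if now else datetime.now()
    findings = []

    # 1. Unwanted program changes: the loaded logic must match the approved image.
    if snapshot["program_digest"] != baseline["program_digest"]:
        findings.append(("critical", "safety program differs from approved baseline"))

    # 2. Write access: only during an approved maintenance window, and only when
    #    the activation is attributable to a person.
    if snapshot["write_access"] != baseline["write_access"]:
        if not in_maintenance:
            findings.append(("critical", "write access enabled outside maintenance window"))
        elif not snapshot.get("write_access_enabled_by"):
            findings.append(("high", "write access enabled without recorded authorization"))

    # 3. Circumvention of restrictions: every active inhibit or force needs a
    #    current authorization, otherwise alarms and trips are silently disabled.
    for b in snapshot.get("bypasses", []):
        until = b.get("authorized_until")
        if until is None:
            findings.append(("high", f"{b['kind']} on {b['tag']} active without authorization"))
        elif datetime.fromisoformat(until) < now_dt:
            findings.append(("high", f"{b['kind']} on {b['tag']} authorization expired {until}"))

    # 4. Diagnostics and error handling: faults must be acted on, not ignored.
    for tag, state in snapshot.get("diagnostics", {}).items():
        if state != "ok":
            findings.append(("medium", f"diagnostic fault on {tag}: {state}"))

    return findings


# Constructed snapshot with one problem of each kind: a tampered setpoint in the
# program image, write access left unlocked, an unauthorized alarm inhibit, an
# expired output force and a stuck valve reported by diagnostics.
SAMPLE_SNAPSHOT = {
    "program_digest": program_digest(APPROVED_PROGRAM.replace(b"12.5", b"18.0")),
    "write_access": "unlocked",
    "write_access_enabled_by": None,
    "bypasses": [
        {"tag": "PAHH-101", "kind": "alarm inhibit", "authorized_until": None},
        {"tag": "XV-101", "kind": "output force", "authorized_until": "2024-05-01T10:00:00"},
    ],
    "diagnostics": {"PT-101": "ok", "XV-101": "stuck-open"},
}

if __name__ == "__main__":
    for severity, message in check_snapshot(SAMPLE_SNAPSHOT, now="2024-05-01T12:00:00"):
        print(f"[{severity}] {message}")
```

A snapshot that matches the baseline, has write access locked and carries no bypasses or faults produces no findings. The `in_maintenance` flag shows the distinction the text draws: enabling write access is not a problem in itself, but doing so outside an approved window, or without a record of who enabled it, is.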
IEC 62443 (Industrial Network and System Security) makes very concrete specifications for risk analysis with regard to protection from cyberattacks. IEC 61511 refers to it and specifically states that the IT security risk assessment of the safety system may generally take place as part of a risk analysis of the plant's process automation as a whole. It is therefore easier for companies to implement IEC 61511 if they have already established a functional safety management system in their enterprise.
Risk analysis is the responsibility of the plant operator

For many companies, however, implementing the standard is a considerable hurdle, since it calls for know-how in process automation, functional safety and IT security that frequently exceeds their own core competences. Nevertheless, plant operators have the obligation to ensure that their safety systems are not vulnerable. This applies to newly built industrial plants as well as to existing ones. In both cases it may make sense to bring external experts on board, because the standard specifies not only that the risk assessment is a compulsory part of plant development within the functional safety life cycle, but also that it must be repeated whenever the safety system is changed and at regular inspections, in order to ensure that a plant remains technically up to date with regard to functional safety.
External service providers such as Rösberg Engineering GmbH from Karlsruhe, Germany, can provide support from concept planning through to plant changes, can carry out the necessary risk assessment, and can document it reliably to fulfill the obligation of proof. The standard explicitly requires cyber security as well as functional safety to be considered throughout the safety life cycle of a plant, so it is a good idea to bring in the functional safety consultant at an early stage of the project. When checking cyber security, the whole communication network including the system control always needs to be considered, possible weak points identified, and security gaps closed. External service providers make a valuable contribution here, not only because they bring a neutral view, but also because they specialize in functional safety and IT security and are familiar with the relevant procedures.
Functional Safety Management Systems and IT Security

The experts from Karlsruhe anticipated the market demand for support in the area of functional safety early on. For years now they have been concerned not only with the automation of plants, but also with the related aspects of functional safety, and experts in both areas work hand in hand. The colleagues specializing in functional safety have already been responsible for installing a functional safety management (FSM) system in numerous enterprises. The FSM system used is based on the relevant legal regulations, specifications and standards, and on the safety life cycle as defined in IEC 61511. To avoid systematic failures, for instance, the FSM system uses so-called style sheets, which help to check systematically for potential causes of failure, e.g. in maintenance work. The experts from Karlsruhe have developed their own style sheets, which are made available to plant operators during consultation. Just as important as this documentation is the systematic assignment of SIL levels and the naming of the individuals responsible for verifying each step.
FSM System plus IT Security Risk Assessment

The automation experts have now extended the tried and tested FSM system with an IT security risk assessment module that incorporates many years of experience. This tool guides users systematically through hazard analysis and risk assessment, for instance in order to find concrete points of attack for cyberattacks (Fig. 2). The procedure can also locate problems throughout the safety system, including in the software of the PLC, that may affect the functional safety of the whole plant. On the basis of this information, the preventive or impact-reducing measures can be identified that the plant owner can adopt to ensure the functional safety of the plant even if there are problems with the safety system. An essential part of any hazard analysis and risk assessment is clear documentation that complies with the legal requirements. Combined know-how in cyber security and functional safety makes the company an ideal contact partner for all questions concerning functional safety, FSM systems and IT security risk assessment.