Defence in depth: protecting safety instrumented systems from cyber attacks
15 December 2017
The concept of complete connectivity is helping process plants become more efficient and increase productivity, but it also brings extra security risks. Rob Sharrock, Andy Crosland and Ben Worthy from Emerson Automation Solutions look at the issues facing operators, and explain what measures can be taken to help keep control and safety systems secure.
Cybersecurity – a growing threat
The process industry automation market has evolved from the purpose-built systems of the previous century to an increasing use of more widely available COTS (commercial off-the-shelf) technologies within Industrial Automation and Control Systems (IACS). Today’s IACS have much in common with more general IT networks, using PCs running Windows operating systems and Ethernet networks and switches using IP addressing, etc. As adoption of Industrial Internet of Things (IIoT) technology advances, users of IACS seek ever-more accessible and open systems, providing connectivity with corporate intranet and ultimately the internet to enable the exchange of process and equipment data. The ability to collect and remotely analyse ever more sensor data is undoubtedly beneficial, informing intelligent operating decisions to improve efficiency, reliability and productivity. However, the concept of complete connectivity brings an element of risk, with modern IACS potentially becoming targets for cyberattack via viruses and malware.
The frequency of attacks against critical industrial infrastructure is growing. UK government figures for 2016 reveal that 65 percent of all large firms detected a cybersecurity breach or attack during the year. The average cost of a breach to a large business was £36,500, with the costliest breach identified in the survey being a staggering £3 million. Yet while 69 percent of businesses regard cybersecurity as a high priority, only 51 percent of companies have taken recommended actions to identify risk, only 29 percent have formal written cybersecurity policies, and only 10 percent have a formal incident management plan.
Several high-profile cyberattacks with far-reaching consequences have taken place in recent years, including:
* In 2010, Stuxnet - a malicious computer worm - was blamed for causing widespread damage to Iran’s nuclear enrichment programme by destroying up to 1,000 centrifuges for separating nuclear material at the Natanz facility.
* In 2014, hackers took control of production software at a German steel mill and caused significant damage to a blast furnace which could not be properly shut down. A virus had been in the system for six months before finding its target.
* In 2015, a cyberattack on three energy distribution companies in Ukraine led to 30 substations being disconnected, leaving 225,000 customers without power for several hours.
Cybersecurity from a process safety viewpoint is less about data security and more to do with defining measures that can be taken to protect IACS and safety instrumented systems (SIS) against unauthorised access or attack, to prevent similar incidents. Malicious hackers accessing these systems clearly have the potential to disrupt transport, energy or water supplies, or cause catastrophic damage. Effective protection is therefore of paramount importance.
Areas of vulnerability
The range of systems for control and safety functions which can be vulnerable to cyberattack includes:
* Distributed control systems / basic process control systems (DCS/BPCS)
* Programmable logic controllers (PLC)
* Supervisory control and data acquisition systems (SCADA)
* Safety instrumented systems (SIS)
* Plant information systems such as data historians, programming interfaces and data servers
* Network infrastructure to provide connectivity to all the above
* Connected systems outside the IACS.
Process risk assessment techniques such as HAZOP are well known. However, the same techniques are not sufficient to address IACS/SIS security, because they consider neither malicious events nor multiple simultaneous events. Therefore, new techniques are required.
Standards and guidance
The IEC61511 standard is widely recognised as good practice when engineering SIS. The 2016 edition of IEC61511 introduces a mandatory security risk assessment to identify any SIS vulnerabilities to cyberattack and references the ISA/IEC62443 series of standards and technical reports for guidance on implementing electronically secure IACS. However, as this series is still evolving, with some parts not complete, achieving compliance is difficult for asset owners, systems integrators, security practitioners and control and safety system suppliers.
Against this evolving regulatory backdrop, government agencies and industry associations in major European countries are working to provide guidance to help process operators improve cybersecurity. For example, the UK’s Health and Safety Executive (HSE) has issued an Operational Guidance document representing its interpretation of current standards on industrial cybersecurity. Following this guidance could help operators show that cybersecurity risks have been managed to be as low as reasonably practicable (ALARP), if challenged to demonstrate compliance with relevant health and safety legislation.
The HSE guidance focuses on three main principles for implementing risk reduction:
* Protect, detect and respond – worms, Trojans and viruses can be in the system for a long time before finding their target. It is important to detect possible attacks and respond in an appropriate and timely manner, to minimise their impact.
* Defence in depth – no single security measure provides absolute protection. Multi-layer protection is required to avoid single point failures.
* Management and organisational procedures are required – technology alone is not enough to provide robust levels of protection.
Integrated security – defence in depth
Asset owners and operators may use IT and business cybersecurity solutions (firewalls and antivirus software, for example) to improve the security of their IACS, but these solutions need to be applied as part of a holistic approach incorporating people, process and technology.
Cybersecurity risk assessment
Process safety risk assessments determine the likelihood and potential consequences of a range of events for which appropriate measures can be taken to achieve ALARP safety. With cybersecurity threats constantly evolving, risk assessment is a challenging area, as it is difficult to use historical data to indicate the likelihood of future security breaches.
IACS suppliers employ specialists who can carry out cybersecurity risk assessments on a regular, ongoing basis, to help operators with this challenge. Typical threats to consider include worms and viruses, transportable media such as USB sticks and temporary connections such as vendor laptops; software errors, for example in the system firmware; unauthorised local or remote access; unauthorised actions by employees or vendors; unauthorised data transfer; unintended employee actions; denial of service; system sabotage; and theft. An asset’s vulnerability to each of these threats should be assessed and the results stored securely, with limited access.
Following an initial risk assessment phase, various cybersecurity solutions should be considered, and periodic follow-up audits performed (see diagram below).
Layers of Protection
Integrated control and safety systems (ICSS) have been successfully deployed for many years in thousands of process industry applications. There are many benefits to integrating the safety and control systems, which could account for the ever-growing market preference for ICSS, but with integration comes the potential concern raised by some that a cyberattack on the IACS might somehow infiltrate the SIS, leading to process incidents. That is why industrial automation suppliers such as Emerson go to great lengths to ensure that integration does not compromise security of the SIS, and separation is maintained between SIS and BPCS (DCS) layers in compliance with the IEC61511 standard.
To protect a SIS from a cyberattack, some argue for complete separation. Others suggest separate SIS systems loosely interfaced to the DCS via an open protocol connection. However, it is important to note that the HSE guidance does not stipulate any particular architecture and there is no reason why the SIS cannot be secure within the ICSS, if properly designed security features are part of the system design.
Simplified explanation of a proxy server’s role.
Safety systems practitioners are familiar with the concept that multiple layers of protection are used to reduce the risk of process accident hazards. So it comes as no surprise that we also look for multiple protection layers to provide SIS security.
The first layer of protection is to make it as difficult as possible to gain unauthorised access to the control system. Plants should have a user privilege management system giving access to only the parts of the system and network users need to perform their job. Remote sites should be as secure as the main production site. Other security measures include the use of managed switches which limit access to parts of the communications network, workstation hardening that reduces system attack surface by disabling unused Windows services and external media (USBs, etc.), patch management to ensure timely application of software fixes, endpoint protection, firewalls, demilitarised zones and secure architecture design following best practice.
Should a hacker still gain access to the outer control system, a well-designed ICSS will contain multiple additional levels of protection for the SIS within, to prevent malicious actions creating unsafe conditions.
Keeping the SIS secure
Network isolation is an important way to keep the SIS secure within the ICSS. Use of proxy servers is a recognised method to limit and control flow of data between separate networks, whilst allowing approved communication. This technique can prevent a compromise at the BPCS network level from directly spreading to the SIS Logic Solvers on the separate safety network.
A proprietary protocol between the BPCS and the SIS, with validity checks within the logic solver on any data change requests, further reduces the risk of any unauthorised change to the SIS. Whether the SIS is fully integrated, or a third-party SIS interfaced via open protocols, maintenance bypasses are typically set from the BPCS. A solid bypass management functionality within the logic solver is key. This includes preventing multiple bypasses, allowing for automatic removal of active bypasses after a specified time, and requiring additional authorisation of bypasses via physical key or electronic signature. Tight integration between BPCS and SIS enables prompt notification when bypasses or forces are present in the SIS.
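The bypass rules described above (no stacked bypasses, automatic removal after a set time, and a mandatory second authorisation) are simple to state but easy to get wrong in a logic solver. The following is an added illustration, not code from the article or from any Emerson product: a small model of a logic solver's bypass manager that enforces those three rules and reports every decision back as an event for the BPCS alarm list. The class and function names, the "one bypass per SIF group" interpretation of "preventing multiple bypasses", and the four-hour default are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass
class Bypass:
    tag: str              # the SIF input being bypassed, e.g. a pressure transmitter
    requested_by: str     # BPCS operator who requested the bypass
    authorised_by: str    # second person who authorised it (key switch or e-signature)
    set_at: float         # time the bypass became active, in seconds
    max_duration: float   # seconds after which the logic solver removes it itself


class BypassManager:
    """Bypass handling inside a logic solver, enforcing three rules:
    a second authorisation is mandatory, a SIF group may carry only one bypass
    at a time (an assumption of this example), and every bypass is removed
    automatically once max_duration has elapsed."""

    def __init__(self, max_duration=4 * 3600):   # 4 h default: constructed value
        self.max_duration = max_duration
        self.active = {}      # sif_group -> Bypass currently in force
        self.log = []         # events reported back to the BPCS alarm list

    def request(self, sif_group, tag, requested_by, authorised_by, now):
        # Rule 1: a distinct second person must authorise the bypass
        if not authorised_by or authorised_by == requested_by:
            self.log.append(f"REJECT {tag}: second authorisation missing")
            return False
        # Rule 2: no stacked bypasses within one SIF group
        self.expire(now)
        if sif_group in self.active:
            self.log.append(f"REJECT {tag}: {sif_group} already has an active bypass")
            return False
        self.active[sif_group] = Bypass(tag, requested_by, authorised_by, now, self.max_duration)
        self.log.append(f"SET {tag} by {requested_by}, authorised by {authorised_by}")
        return True

    def remove(self, sif_group, now):
        """Operator-initiated removal; returns True if a bypass was in force."""
        self.expire(now)
        bypass = self.active.pop(sif_group, None)
        if bypass:
            self.log.append(f"REMOVE {bypass.tag}")
        return bypass is not None

    def expire(self, now):
        """Rule 3: automatic removal of bypasses that reached their maximum duration."""
        expired = [g for g, b in self.active.items() if now - b.set_at >= b.max_duration]
        for g in expired:
            b = self.active.pop(g)
            self.log.append(f"AUTO-REMOVE {b.tag} after {b.max_duration:.0f}s")
        return expired

    def is_bypassed(self, sif_group, now):
        self.expire(now)
        return sif_group in self.active

    def demand(self, sif_group, sensor_demand, now):
        """Trip demand as seen by the voting logic: a bypassed input never trips,
        and an expired bypass no longer masks the input."""
        return bool(sensor_demand) and not self.is_bypassed(sif_group, now)


if __name__ == "__main__":
    mgr = BypassManager(max_duration=3600)
    mgr.request("SIF-101", "PT-101", "op1", "op1", now=0)      # rejected: self-authorised
    mgr.request("SIF-101", "PT-101", "op1", "sup1", now=0)     # accepted
    mgr.request("SIF-101", "PT-102", "op1", "sup1", now=10)    # rejected: already bypassed
    print(mgr.demand("SIF-101", True, now=100))                # bypass masks the demand
    print(mgr.demand("SIF-101", True, now=3601))               # bypass has auto-expired
    print("\n".join(mgr.log))
```

The point of routing every decision through `self.log` is the last sentence of the paragraph above: the BPCS operator should see a bypass being set, rejected or auto-removed as an event, rather than discovering it from a missing trip.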
Requiring physical presence at the logic solver location before configuration changes can be downloaded is another effective way to reduce cybersecurity risks. Most industrial process plants have effective access control systems, so even if IACS security has somehow been compromised from outside the plant, the hackers don’t have physical access to secure areas and cannot change the SIS configuration.
The IEC61511 standard has strong requirements for control of modifications to the SIS. Configuration audit trail management systems can also help with the detection and prevention of unauthorised change, particularly if electronic signatures from multiple users are required to authorise changes before they can be implemented. Additional measures at logon such as smart cards for 2-factor authentication can further enhance electronic signature security.
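To make the audit-trail idea concrete, here is an added example that is not from the article or from any Emerson product: a hash-chained change record in which a configuration change may only be downloaded after two users other than the proposer have electronically signed it, and in which any later edit to a record breaks the chain and is detected. HMAC-SHA256 with constructed per-user keys stands in for the smart-card signature the paragraph mentions; the class names, the `required_approvals` parameter and the sample change "CR-1" are assumptions of the example.

```python
import hashlib
import hmac
import json

# Constructed per-user signing keys for the demonstration only. In a real deployment
# the private key lives on the user's smart card and never reaches the application.
USER_KEYS = {
    "eng1": b"constructed-key-eng1",
    "eng2": b"constructed-key-eng2",
    "lead1": b"constructed-key-lead1",
}


def e_signature(user, payload):
    """Electronic signature of payload by user (HMAC stands in for a card signature)."""
    return hmac.new(USER_KEYS[user], payload, hashlib.sha256).hexdigest()


class ChangeControl:
    """Hash-chained audit trail for SIS configuration changes. A change may be
    downloaded only once required_approvals distinct users, none of them the
    proposer, hold a verifying signature over the proposal's content."""

    GENESIS = "0" * 64

    def __init__(self, required_approvals=2):
        self.required_approvals = required_approvals
        self.entries = []          # audit records, each chained to the previous one

    @staticmethod
    def _digest(record):
        body = {k: v for k, v in record.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def _append(self, record):
        record["prev"] = self.entries[-1]["hash"] if self.entries else self.GENESIS
        record["hash"] = self._digest(record)
        self.entries.append(record)
        return record

    @staticmethod
    def _payload(action, change_id, description):
        # Signatures bind the action to the exact change text, so an approval
        # cannot be re-used for an altered description.
        return f"{action}|{change_id}|{description}".encode()

    def propose(self, change_id, description, user):
        sig = e_signature(user, self._payload("propose", change_id, description))
        return self._append({"action": "propose", "change": change_id,
                             "description": description, "user": user, "sig": sig})

    def _proposal(self, change_id):
        for r in self.entries:
            if r["action"] == "propose" and r["change"] == change_id:
                return r
        raise KeyError(change_id)

    def approve(self, change_id, user):
        prop = self._proposal(change_id)
        if user == prop["user"]:
            return False           # the proposer may not approve their own change
        sig = e_signature(user, self._payload("approve", change_id, prop["description"]))
        self._append({"action": "approve", "change": change_id,
                      "description": prop["description"], "user": user, "sig": sig})
        return True

    def approvals(self, change_id):
        """Distinct users whose approval signature verifies against the proposal."""
        prop = self._proposal(change_id)
        payload = self._payload("approve", change_id, prop["description"])
        signers = set()
        for r in self.entries:
            if r["action"] == "approve" and r["change"] == change_id:
                if hmac.compare_digest(r["sig"], e_signature(r["user"], payload)):
                    signers.add(r["user"])
        return signers

    def may_download(self, change_id):
        return len(self.approvals(change_id)) >= self.required_approvals

    def verify_chain(self):
        """True if no record has been altered, inserted or removed."""
        prev = self.GENESIS
        for r in self.entries:
            if r["prev"] != prev or r["hash"] != self._digest(r):
                return False
            prev = r["hash"]
        return True
```

Usage: `cc = ChangeControl(); cc.propose("CR-1", "Raise PAHH trip from 10 to 11 barg", "eng1")`, then `cc.approve("CR-1", "eng2")` and `cc.approve("CR-1", "lead1")` before `cc.may_download("CR-1")` returns True. Because each approval signs the proposal text, editing the description after the fact invalidates both the signatures and the chain, which is what makes the trail useful for detecting unauthorised change rather than merely recording it.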
Security monitoring can also be an important mechanism to detect threats, while also helping with forensics and preventing similar future attacks. A centralised Security Information and Event Management (SIEM) system can collect system events and logs from IACS workstations, servers and network equipment and present them in a meaningful dashboard for prompt response. A SIEM can also monitor network traffic through Network Security Monitor appliances using a one-way-only communication flow, as an added security monitoring feature.
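What a SIEM does with the collected events is correlation: turning individual log lines into the small number of conditions an operator should respond to. The following added example is not from the article or from any Emerson product; it parses a few constructed log lines in an assumed `key=value` format and applies three rules relevant to the measures described earlier in this article: repeated failed logons on a workstation within a short window, removable media appearing on a hardened workstation, and a logic solver configuration download reported without the physical key present. The event names, the `key_switch` field and the host names are all assumptions of the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in the key=value format this example assumes.
SAMPLE_LOGS = """\
2017-12-15T10:00:01 host=EWS01 event=LOGON_FAILURE user=jsmith src=10.1.2.3
2017-12-15T10:00:05 host=EWS01 event=LOGON_FAILURE user=jsmith src=10.1.2.3
2017-12-15T10:00:09 host=EWS01 event=LOGON_FAILURE user=jsmith src=10.1.2.3
2017-12-15T10:00:12 host=EWS01 event=LOGON_SUCCESS user=jsmith src=10.1.2.3
2017-12-15T10:03:40 host=OWS02 event=USB_INSERT user=bjones device=VID_0781
2017-12-15T10:05:00 host=SLS01 event=CONFIG_DOWNLOAD user=jsmith src=10.1.2.3 key_switch=off
2017-12-15T11:30:00 host=SLS01 event=CONFIG_DOWNLOAD user=eng2 src=10.1.0.20 key_switch=on
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Turn one 'timestamp key=value ...' line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    event["ts"] = datetime.fromisoformat(m.group("ts"))
    return event


def parse_logs(text):
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def detect(events, failure_threshold=3, window=timedelta(seconds=60)):
    """Apply three correlation rules and return (rule, user, host) alerts in order."""
    alerts = []
    failures = defaultdict(list)          # user -> timestamps of recent failed logons
    for ev in events:
        kind = ev.get("event")
        if kind == "LOGON_FAILURE":
            recent = failures[ev["user"]]
            recent.append(ev["ts"])
            # sliding window: drop failures older than `window`
            while recent and ev["ts"] - recent[0] > window:
                recent.pop(0)
            if len(recent) == failure_threshold:      # fire once when threshold reached
                alerts.append(("BRUTE_FORCE", ev["user"], ev["host"]))
        elif kind == "USB_INSERT":
            # external media should be disabled on hardened workstations (see above)
            alerts.append(("REMOVABLE_MEDIA", ev["user"], ev["host"]))
        elif kind == "CONFIG_DOWNLOAD" and ev.get("key_switch") != "on":
            # a download without physical presence at the logic solver
            alerts.append(("DOWNLOAD_WITHOUT_KEY", ev["user"], ev["host"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_logs(SAMPLE_LOGS)):
        print(alert)
```

Run on the constructed lines this yields three alerts: the failed-logon burst on EWS01, the USB device on OWS02, and the first download on SLS01; the second download, made with the key switch on, is the legitimate case and produces nothing. The one-way network monitor feed mentioned above would arrive as further event sources for the same loop.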
As your last resort for either a complete system restoration or file recovery, a comprehensive solution for backing up systems needs to be in place. A backup and recovery solution should include backup data storage in different geographical locations, in case a disaster affects the local servers in the processing facility. Backup data should be checked periodically to make sure it is valid and readily available when it is needed.
Implementing technology alone is not enough. It is important for companies to have management-backed cybersecurity policies and procedures in place, and for all safety system users to be properly trained. All employees should be fully aware of the risks to system integrity and of the potential consequences of a security breach. Incident handling capability must be implemented covering preparation, detection, analysis, containment, removal and recovery. Finally, cybersecurity audits should be conducted at planned intervals. Threats are continually evolving and both preventative techniques and how the company responds to an attack must do the same.
* Cyber Security Breaches Survey 2016 (HM Government, Ipsos MORI Social Research Institute and University of Portsmouth).
* http://cybersecurity.bsa.org/countries.html
* Cyber Security for Industrial Automation and Control Systems (Health and Safety Executive).
About the authors
Rob Sharrock has over 30 years’ experience in Automation engineering, the last 15 years being engaged in the field of safety engineering. Rob has an in-depth knowledge of Safety Directives and Standards covering both the Machinery/Manufacturing and Process Sectors as well as practical experience in the deployment of Safety Systems in a variety of industries. Rob joined Emerson four years ago as Business Development Manager for Safety Instrumented Systems across the UK and Ireland.
Andy Crosland has worked for almost 30 years in process automation and safety systems, qualifying some years back as a TÜV FSEng. Andy has worked for Emerson for almost 10 years, focused entirely on Emerson’s SIS offering. As European Business Development Manager for SIS, Andy meets with a variety of customers to discuss their safety needs, and promote recognised good practice in safety engineering.
Ben Worthy is Information Networks Consultant (Cyber Security) at Emerson Automation Solutions. He has around twenty years of experience in the design and implementation of Industrial Control and Safety Systems. More recently he has specialised in the IT side of ICSS Operations primarily around Cyber Security but also in domains including Virtualisation, Wireless Networks and Remote Access. Ben has been with Emerson Automation Solutions since 2007, and recently qualified as a Global Industrial Cyber Security Professional (www.giac.org).