Safety & Security – The last line of defence is restored
14 November 2018
Safety in process plants extends to mitigating the effect of any plant failure. Considerable efforts are made to protect people, the environment and plant assets from damage caused by the plant. Safety is a balance between the residual risk of damage and the effort being taken to reduce such risk. In this article, Dr. Alexander Horch of HIMA explains why designing the security environment around the safety automation system is essential.
It is well understood that 100% safety is not feasible. Society has therefore established clear regulations that define the level of residual risk it is prepared to tolerate. For automation systems in the process industry, two main standards (IEC 61508 and IEC 61511) describe in detail how to assess plant risk and which measures reduce the safety risk to a tolerable level.
When it comes to the same plants' cyber security, no standard of comparable maturity exists. IEC 62443 describes a similar procedure for assessing and reducing the risk of security incidents in plants. However, because security incidents are caused by deliberate adversaries rather than by random failures, no commonly accepted method for quantifying that risk and weighing it against economically intensive countermeasures has yet been established.
Even though safety and security are two sides of the same coin, they cannot be handled in the same way. It is obvious that an insecure plant also has a potential safety problem, but the measures taken for safety and for security are different and may even conflict with one another.
When assessing the plant security risk, one must take into account the possible nature of the attack - see Figure 1 below.
Furthermore, because safety and security are interrelated, a security patch must not affect the safety function. Security and safety life-cycles must therefore be decoupled from each other very clearly. This can be achieved with a dedicated security environment for functional safety, as shown below.
If security measures are already in place, yet the residual security risk is still too high to tolerate, a different safety and security strategy may be needed. Fifty years after the invention of programmable controllers, there is still a considerable installed base of solid-state (hard-wired) safety controllers, especially in the oil and gas industry. They are often chosen for their extreme safety level (SIL 4) and their well-proven availability.
In such safety systems the cyber risk to the safety function itself is eliminated, because the logic is implemented in solid-state hardware rather than in programmable software. Even though these systems have a communication interface, there is no physical connection between that interface and the hard-wired safety logic, so there is no software path by which a network attacker could alter it. In that sense a safety system whose logic is immune to cyber attack is actually available; physical access to the cabinet, and the integrity of the status information the interface reports to operators, still have to be protected by other means.
Solid-state controllers still have, and will continue to have, a stable application base in the industry. In many cases, however, plant operators seek the flexibility, documentation, engineering efficiency and many other advantages of programmable systems.
Considerable effort is necessary to secure these programmable systems, and such effort needs to be comprehensive. It is almost impossible to secure an existing system if security was not considered and designed in from the outset. In short, security cannot be bolted onto a system; it must be designed into its DNA.
Properly designed safety systems can improve cyber security. One example from HIMA systems is the strict physical separation of the CPU and the communication interface (COM). For hard-wired controllers like Planar 4 (see Figure 2) this is self-evident, because there is no other option. HIMA has followed the same principle consistently for programmable systems: the CPU is always in full control of the gateway between CPU and COM, so even if the COM were compromised, there would be no path from it to the CPU and its safety logic.
To understand how a safety system can achieve the highest practicable security (as noted above, 100% security is not feasible with programmable systems), it is useful to consider the system as a set of zones.
The hard-wired system discussed above would be completely contained within Zone A, which would accordingly be completely sealed. With programmable systems, however, the core SIS in Zone A inevitably needs some interfaces: a programming interface for the logic solver and a field entry panel providing a user interface for operation and/or monitoring. The asset management system that connects to the safety field devices is an often-overlooked interface that introduces additional exposure.
Finally, interfaces to the plant control system and to the plant information database must be established. Clearly, programmable systems create a broad attack surface, and every one of these interfaces has to be enumerated and protected. In general, techniques for building automation networks that implement accepted security principles are well known.
Figure 2 - HIMA’s SIL 4 safety controller - Planar 4 System
The HIMA Security Environment philosophy
The safety automation system is the last line of defence in a process plant. Automation security endeavours to ensure that the safety system is almost never attacked; if an attack nevertheless becomes feasible, it is important that the system can resist it as well as possible. HIMA's approach to restoring this last line of defence is known as the HIMA Security Environment for Functional Safety (see Figure 3 below).
The systematic protection of a safety system mainly involves five different areas:
1. The automation hardware and firmware (real-time operating system)
2. The engineering system (PADT)
3. The PC infrastructure running the engineering system
4. The communication infrastructure
5. The automation life-cycle
Each of these areas will be briefly described in the following section. Some concrete aspects are highlighted to explain the HIMA Security Environment philosophy.
Automation Hardware and Firmware
One major advantage is that all the software is written by HIMA; together with the certified development process this has resulted in an extremely low error rate (0.025 errors per 1,000 LoC). The core principle is that the CPU always controls activities within the security environment, including supervision of the field devices' HART configuration, control of the COM gateway and control of the program code during execution.
No backdoors exist, and no superfluous code is included. All unused Ethernet ports are disabled and locked. Because the SIS and the BPCS are mutually independent, common-cause failures between them are avoided, as both the safety and the security standards require.
Engineering Tool (PADT)
Again, the PADT consists entirely of HIMA-developed software and is a single-purpose tool. The programming tool is the most vulnerable part of a programmable safety system, because it accesses the SIS core with the right to change program code. It must therefore not be used for programming the BPCS or for any other tasks at the same time.
Among other features, the PADT offers a facility to prohibit RELOAD, FORCE and READ. The system variables connected to these can be used in arbitrary protection schemes involving key switches, operator acknowledgement, alarms and more. Implemented correctly, this gives strong protection against remote attacks: a remote attacker cannot turn a physical key in the cabinet or press an acknowledge button in the control room.
HIMA's PADT (SILworX) runs on a Windows PC or laptop and requires little of the host beyond that. This means that every standard PC protection scheme applies: BIOS protection, port locking, firewalls, application whitelisting, user and password management and many others.
For the rest of the automation network, the key to secure communication is the strict separation of networks. The same applies to the SIS, where the main protection is the strict separation of CPU and COM in the firmware. All HIMA controllers communicate via safeethernet, a protocol that offers superior safety and reliability; every third bit can be recovered. Safeethernet offers tap-proof controller communication and carries Wurldtech's Achilles certificate, which not only tests the communication robustness but also certifies the development processes. When assessing security, it is nevertheless worth keeping the two properties apart: integrity mechanisms designed to catch random transmission faults are not a substitute for keeping an adversary out of the network in the first place, which is what the zone separation is for.
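The two gating ideas above (the CPU, not the COM, decides what passes the CPU/COM gateway, and RELOAD, FORCE and READ are released only by a physical key switch plus an operator acknowledge) are shown together in the following added example. It is illustration code written for this page, not HIMA firmware or SILworX code. The operation names, the two key positions, the 300 s acknowledge window, the payload limit and the alarm text are assumptions made for the example; the request sequence at the end is constructed.

```python
"""CPU-side gate for requests arriving through the COM module.

Added example for this article, not HIMA firmware or SILworX code.
Operation names, key positions, the 300 s acknowledge window, the
payload limit and the alarm format are assumptions for the illustration.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Tuple


class Op(Enum):
    READ = "READ"        # read back program/variables
    FORCE = "FORCE"      # override an I/O value
    RELOAD = "RELOAD"    # download or replace the application logic


class KeySwitch(Enum):
    RUN = "RUN"          # normal operation: logic must not change
    PROGRAM = "PROGRAM"  # turned by a person at the cabinet


@dataclass
class Request:
    op: Op
    payload_len: int     # length claimed by COM; the CPU re-checks it
    source: str          # where COM says it came from (informational only)


@dataclass
class CpuGate:
    """All state lives in the CPU; the COM has no write access to it."""
    max_payload: int = 4096
    key: KeySwitch = KeySwitch.RUN
    ack_deadline: float = 0.0          # acknowledge valid until this time
    alarms: List[str] = field(default_factory=list)

    def set_key(self, position: KeySwitch) -> None:
        self.key = position
        if position is KeySwitch.RUN:
            self.ack_deadline = 0.0    # leaving PROGRAM cancels the acknowledge

    def operator_acknowledge(self, now: float, window_s: float = 300.0) -> None:
        """Control-room acknowledge opens a bounded window, in PROGRAM only."""
        if self.key is KeySwitch.PROGRAM:
            self.ack_deadline = now + window_s

    def _deny_reason(self, req: Request, now: float) -> str:
        if req.payload_len > self.max_payload:
            return "payload exceeds CPU limit"        # never trust COM's size
        if self.key is not KeySwitch.PROGRAM:
            return "key switch not in PROGRAM"
        if req.op in (Op.FORCE, Op.RELOAD) and now > self.ack_deadline:
            return "no valid operator acknowledge"
        return ""

    def handle(self, req: Request, now: float) -> str:
        """Return 'accepted' or 'denied'; every denial raises an alarm."""
        reason = self._deny_reason(req, now)
        if reason:
            self.alarms.append(
                f"t={now:.0f}s {req.op.value} from {req.source} denied: {reason}")
            return "denied"
        return "accepted"


def run_scenario() -> Tuple[List[str], List[str]]:
    """Constructed request sequence; returns (verdicts, alarms)."""
    gate = CpuGate()
    verdicts = []
    # 1. Remote RELOAD while the key is in RUN: denied, alarm raised.
    verdicts.append(gate.handle(Request(Op.RELOAD, 1200, "10.0.1.5"), now=10))
    # 2. Technician turns the key; READ alone is now possible.
    gate.set_key(KeySwitch.PROGRAM)
    verdicts.append(gate.handle(Request(Op.READ, 0, "padt-ws"), now=20))
    # 3. FORCE without an acknowledge: denied.
    verdicts.append(gate.handle(Request(Op.FORCE, 8, "padt-ws"), now=25))
    # 4. Operator acknowledges; RELOAD is accepted inside the window.
    gate.operator_acknowledge(now=30)
    verdicts.append(gate.handle(Request(Op.RELOAD, 1200, "padt-ws"), now=40))
    # 5. Oversized payload (what a compromised COM might claim): denied.
    verdicts.append(gate.handle(Request(Op.RELOAD, 1 << 20, "padt-ws"), now=45))
    # 6. Acknowledge window has expired: denied.
    verdicts.append(gate.handle(Request(Op.FORCE, 8, "padt-ws"), now=400))
    # 7. Key back to RUN; a late acknowledge is ignored and READ is denied.
    gate.set_key(KeySwitch.RUN)
    gate.operator_acknowledge(now=410)
    verdicts.append(gate.handle(Request(Op.READ, 0, "padt-ws"), now=420))
    return verdicts, gate.alarms


if __name__ == "__main__":
    for line in run_scenario()[1]:
        print(line)
```

The point of the design is that the COM can only submit a request; it cannot flip the key-switch or acknowledge state, and the CPU re-validates the claimed payload size rather than trusting the COM's parsing. Running the scenario produces an alarm line for each of the five denied requests, which is the audit trail an operator would expect from the key-switch and acknowledge scheme described above.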
From the supplier's perspective, two further aspects are important. Firstly, security must be ensured at company level. This is achieved by a set of certifications: for products and for development procedures (Wurldtech Achilles, TÜV, ISA, IEC) and for the company as a whole, for example ISO 27001.
Secondly, a supplier of safety- and security-critical products has to offer security services to:
• ensure proper installation of each product (have the recommendations been followed?)
• identify (new) vulnerabilities in established installations.
The last aspect in particular must be reviewed frequently and regularly, because new vulnerabilities affecting established installations appear over time.
Safety and security are highly interrelated but must be treated separately. Security in automation systems must be handled comprehensively from the outset; it cannot easily be added in hindsight. Where the safety logic itself must be immune to cyber attack, hard-wired controllers can still be used, and are still being used, in applications with specific requirements, but they lack the benefits of programmable systems. Where programming is required, properly designing the security environment around the safety automation system becomes essential.
The examples in this discussion have shown how HIMA's security environment minimises the risk of cyber security incidents in modern SISs.
About the author
Dr. Alexander Horch has been Vice President Research, Development & Product Management at safety specialist HIMA Paul Hildebrandt GmbH since 2016. Prior to then he held various management positions in the areas of process control technology and automation of electrical networks, smart grids, and industrial and manufacturing plants for ABB Germany and ABB Switzerland.