Regulators are getting wise to the need for guidelines on cyber security in maintaining machine safety, finds Greg Pitcher.
The term machine safety may well evoke images of physical guards that stop people suffering workplace injuries, but regulators of industry standards are increasingly concerned with an environment way beyond the four walls of a process plant.
The need to consider cyber security and the threat from hackers came to the fore when IEC 61511, the technical standard for safety instrumented systems (SIS) in process engineering, was revised last year.
“One of the recent additions is the consideration of cyber security,” explains David Collier, sales manager at automation technology supplier Pilz.
“The [revised standard] urges those responsible for SIS to consider the likelihood of and consequences of malicious attempts to subvert them.”
Someone might want to get into an oil refinery and stop production, with the safety issues associated with that. You have to show what you’re doing to prevent it
David Collier, sales manager, Pilz
The possibilities are frightening. “Terrorists might want to take over a nuclear facility and override certain functions to cause a meltdown,” says Collier. “Someone might want to get into an oil refinery and stop production, with the safety issues associated with that. You have to show what you’re doing to prevent it.”
A good start is ensuring safety functions can’t be accessed remotely. “You don’t want free access via the internet to SIS and there are ways you can prevent that,” says Collier.
“Industry 4.0 is about being able to make small batches at the same cost as we used to have to do big batches, through effective use of information. But this comes with passing a lot of information through SCADA systems and IT networks that probably have SIS connected to them, and these need to be ringfenced. There are means by which this can be achieved.”
David Main-Reade, business development consultant for safety and sensing across Europe, Middle East and Africa at certification group TÜV Rheinland, says cyber security needs to be approached differently to functional safety.
Whereas machine safety guidelines generally encourage a permanent design solution with mitigation measures, IT threats rely on regular re-evaluation and action.
“You have to constantly patch, update and think about new threats,” he says.
Further cyber security measures are contained within two committee draft documents – IEC CD 63074 and ISO TR 22100-4 – that are in the process of development, says Main-Reade.
“By June 2018 these are likely to be in force,” he says. “They will create more of a driver for groups of people – suppliers, machine builders and users – to sit down and discuss cyber security.
“We need to make clear in our instructions the potential vulnerabilities in a system, and the end user needs to do an IT risk assessment to check them all. They have to have policies in place to implement firewalls and so on.”
Up close and personal
Interestingly, the drive to make the process industry think more about who can access its kit remotely has also led to a strengthening of physical gateways to sensitive buildings.
“To launch a cyber attack you need to be knowledgeable and get through an IT system and a firewall, get a machine code and understand what that machine is doing and what you want to do with it,” says Main-Reade. “It’s a lot easier to get into a remote water treatment plant and screw it up locally.”
Process plant owners are looking beyond traditional swipe-card entrances. “For access control, some companies want passwords that trigger a message to someone’s phone and also a call to their supervisor to authenticate them. We are seeing a real focus on access and authentication.”
Main-Reade advises those in the industry concerned about cyber security requirements to sit down and review policy in this area.
Questions to ask include: “Is our network secure? Do we have a proper firewall? What’s stopping somebody screwing around with our drives?”
In fact, do you even need to connect your machine to a network? “If you have a discreet piece of machinery and it doesn’t need to be connected, then there are no vulnerabilities. If you do need to connect it, then identify the vulnerabilities and the mitigations – if you’ve done nothing then you’re passing responsibility on to the end user to have some policy in place.”
The increasing connectivity of machines, and the push towards Industry 4.0, is increasing the risk of cyber vulnerability, Main- Reade warns.
“The Internet of Things has many benefits but there’s a challenge as it becomes vulnerable.
“We want to ensure we all approach it in the same way. A lot of it is common sense – change your password.”
Collier says that beyond cyber security, process engineers need to think about the differences between high and low demand safety functions, as they most likely have both on their sites.
Where safety functions are called upon once a year or less, these are termed low demand – for example a high-high level sensing system in place to prevent overfilling of a fuel storage tank.
“You do not expect a tank to be overfilled because there will be normal process controls. You are not continuously trying to overfill the tank, there are measures in place to stop that happening,” says Collier.
As it’s not used often, such a system needs regular testing. “To capture a dangerous failure of a safety instrumented system that’s in low demand you need to put in proof tests, with intervals between these tests defined by calculations to give a level of diagnostic coverage.”
The Internet of Things has many benefits but there’s a challenge as it becomes vulnerable
David Main-Reade, business development consultant, TÜV Rheinland
Even in heavily process-driven plants, there are likely to be machinery areas where the systems in place to protect people from moving parts constitute high-demand safety functions.
“The demand on these means you don’t need a proof test interval and to document the impact on safety. You can see they are working and they are designed in a way to stop the dangerous part of the machine working if there is a fault.”
That is not to say there are not strict requirements for those safety measures put in place to protect people from both machines and processes.
“There is scope within the process standard to do calculations for high demand safety functions. Conversely, you may identify a hazard on a machine where the level is so low you have to view it as low demand,” says Collier.
Thinking about how and where things might go wrong is another key way of keeping factories safe.
“If a high demand safety function gives someone a motivation to bypass it, that can be an issue. They might have the best of intentions of keeping a production line open while they clean a machine, but it’s up to the designer of the system to establish who might want to manipulate the interlock, then design it so it doesn’t inhibit what needs to be done or to make it more difficult to bypass.”
A different risk is apparent on low demand systems, where the motivation may be to skip certain tests to save time.
“This increases the risk of a fault going undetected,” warns Collier. “A proof test interval can be calculated based on the architecture of the components and the SIL required. A switch may need to be tested 100 times its normal demand rate.”
