Open to cyber attack
11 May 2010
Many process companies, even those with safety-critical operations, have switched from standalone, proprietary control and safety systems towards more integrated and open systems that can reduce the costs of configuration, training, and support, and improve operational efficiency. Adoption of these commercial off-the-shelf (COTS) technologies, however, has raised the potential for cyber security vulnerabilities to a critical level.
Current international safety standards, including IEC61508, IEC61511, and S84, provide a framework and specific requirements to address the integration of safety and basic process control systems with the following stated positions in three critical areas:
1 Operator interface: “Where the SIS operator interface is via the basic process control system operator interface, account shall be taken of credible failures that may occur in the basic process control operator interface.”
2 Engineering interface: “The design of a programmable electronic SIS maintenance / engineering interface shall ensure that any failure of this interface shall not adversely affect the ability of the SIS to bring the process to a safe state.”
3 Communication interface: “The design of the SIS communication interface shall ensure that any failure of the communication interface shall not adversely affect the ability of the SIS to bring the process to a safe state.”
Security implications
Such standards do not currently specifically address security implications. It is likely that the forthcoming modifications to the IEC61508 standard will not attempt to address security directly, but will reference best practice from other security standards.
Heightened concerns about the security of safety systems and cyber attacks are not unfounded. For instance, in a live demo at the Applied Control Systems Security Conference in 2008, a company showed that it was able to ‘hack’ into a TÜV-approved safety controller, putting it into an unsafe state.
Viruses and worms originating from the internet have also directly impacted the operation of safety systems. Back in 2003 the SQL Slammer worm infected the plant network of a nuclear power plant, resulting in the disabling of the Safety Parameter Display System (HMI) and the plant process computer for several hours. In addition, the Sasser worm affected several oil platforms in the Gulf of Mexico, disabling a panel used to monitor key safety indicators and causing the plant’s process computer to fail.
There are many potential business benefits that can be achieved through integration of safety and process control systems. In the past couple of years several suppliers have introduced safety systems that share a common set of hardware and software (engineering tools) with an associated process control system. The use of common technology opens up potential cost savings in a number of areas, by:
- Removing the need to implement and support multiple networks;
- Easier integration of components and systems;
- Minimising the quantity of spare parts that need to be kept on the shelf;
- Easier engineering and maintenance for one system;
- Reducing training requirements;
- Improving accessibility and remote support;
- Common HMI to allow the operator to more effectively monitor the process.
The purpose of any safety system is to mitigate the risk of serious incidents that could lead to personnel injury, damage to equipment or the environment, and disruption of production. When safety systems are designed, the safety engineer evaluates the likelihood of the SIS being able to bring the process to a safe state in the event of a demand and considers the effect that will be caused by random hardware faults.
Cyber security vulnerabilities introduce a new variable into these calculations: incidents could unleash additional systematic software faults that compromise the SIL capability of the safety system and other layers of protection. Any vulnerability that could cause a basic process control system controller to fail must not compromise the associated safety system.
Three aspects are of greatest concern:
- The ability to make unauthorised configuration changes from the engineering station;
- The ability to manipulate safety system inputs and outputs;
- The ability to interfere with the HMI’s ability to accurately represent the status of the SIS - such as the loss of alarms, “spoofing” the operator, or total loss of visibility.
Some people advocate that the only way to ensure the security of a safety system is to keep it isolated from other networks and systems by implementing an ‘air-gap’. This approach, however, eliminates the potential benefits from improved process visibility and results in a higher lifecycle cost. Security can’t be taken for granted, even in this case. In fact by thinking their SIS is secure because it is isolated, users may ‘let their guard down’ and take actions that compromise the air-gap.
Security incidents
There are several common scenarios where an isolated system can become compromised. These are consistent with documented cases of actual cyber security incidents.
There is no safety without security. Cyber security vulnerabilities can reduce the level of safety protection provided by a SIS and security breaches can impact on the operation of a safety system by causing nuisance trips, or worse. Because of this, security should be considered hand-in-hand with safety during control system selection and design, especially when considering connectivity between the two systems.
Companies should look to maximise the overall safety and security of a plant’s automation infrastructure and be aware of, and take into account, security considerations that ultimately may lead to the selection of a different architecture than if only safety is considered.
Total separation of a plant’s safety system and process control system is today becoming less and less practical. Connectivity between safety systems and process control systems has many potential benefits depending upon the level of integration.
Each architecture has a unique set of pros and cons, as well as corresponding challenges. Air-gap architectures are only effective if the air-gap is never compromised. In practice this is difficult because it is commonplace to transfer files via memory stick. Interfaced systems use gateways to connect safety and process control systems from different suppliers that were often selected because they were felt to be “best in class”. Unfortunately, the connection of these systems via OPC or Modbus TCP makes them vulnerable to cyber security breaches, which can compromise their “best-in-class” performance.
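Why a gateway protocol such as Modbus TCP leaves an interfaced safety system exposed, and what a defender can put in the path, is easier to see with a concrete frame. The Python below is an added example, not code from the article or from Siemens: it parses the MBAP header of Modbus/TCP requests and raises an alert for any state-changing function code (coil or register writes) sent to a host designated as a safety controller from a source that is not on an allow-list of engineering stations, which speaks to the second of the three concerns listed earlier (manipulation of safety system inputs and outputs). The host addresses, the allow-list and the captured frames are all constructed for the example. Modbus carries no authentication of its own, so a controller will honour any well-formed write it receives; a filter of this kind at the gateway, or a passive sensor emitting these alerts, is the control that the protocol itself does not provide.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Modbus function codes that change controller state (coils/registers).
WRITE_FUNCTIONS = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
    0x17: "Read/Write Multiple Registers",
}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    start_address: int   # first coil/register the request touches
    payload: bytes       # PDU bytes after the function code


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header and the function code of a Modbus/TCP request.

    Raises ValueError on frames that are truncated or whose header is inconsistent,
    so the caller can treat malformed traffic as suspicious rather than ignore it.
    """
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol identifier {proto}")
    if length != len(frame) - 6:  # the length field counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    function = frame[7]
    pdu = frame[8:]
    # The read and write functions handled here all carry a 16-bit start address first.
    start = struct.unpack(">H", pdu[:2])[0] if len(pdu) >= 2 else 0
    return ModbusRequest(tid, unit, function, start, pdu)


def classify(src: str, dst: str, frame: bytes,
             sis_hosts: Set[str], authorised_writers: Set[str]) -> Optional[str]:
    """Return an alert string for a write aimed at a safety controller from a host
    that is not on the allow-list; return None for reads and for other destinations."""
    if dst not in sis_hosts:
        return None
    req = parse_modbus_tcp(frame)
    if req.function in WRITE_FUNCTIONS and src not in authorised_writers:
        return (f"ALERT {src}->{dst} unit {req.unit_id}: "
                f"{WRITE_FUNCTIONS[req.function]} at address {req.start_address}")
    return None


def scan(traffic: List[Tuple[str, str, bytes]],
         sis_hosts: Set[str], authorised_writers: Set[str]) -> List[str]:
    """Run classify() over (src, dst, frame) tuples; malformed frames to a safety
    controller are reported as well, since a parser failure is not a reason to stay quiet."""
    alerts = []
    for src, dst, frame in traffic:
        try:
            alert = classify(src, dst, frame, sis_hosts, authorised_writers)
        except ValueError as exc:
            alert = f"MALFORMED {src}->{dst}: {exc}"
        if alert:
            alerts.append(alert)
    return alerts


# Constructed addresses for the example (hypothetical, not from the article): one safety
# controller and one engineering station that is allowed to write to it.
SIS_HOSTS = {"10.0.1.20"}
AUTHORISED_WRITERS = {"10.0.1.5"}

# Constructed Modbus/TCP request frames (hex): MBAP header, then function code and data.
FRAME_HMI_READ = bytes.fromhex("00010000000601030000000a")              # FC 03: read 10 holding regs from 0
FRAME_WRITE_COIL = bytes.fromhex("00020000000601050013ff00")            # FC 05: force coil 19 ON
FRAME_WRITE_REGS = bytes.fromhex("00030000000b0110006400020400010002")  # FC 16: write 2 regs from 100
FRAME_TRUNCATED = bytes.fromhex("000400000006")                         # header only, PDU missing

SAMPLE_TRAFFIC = [
    ("10.0.1.30", "10.0.1.20", FRAME_HMI_READ),    # HMI polling the SIS: fine
    ("10.0.1.77", "10.0.1.20", FRAME_WRITE_COIL),  # unknown host forcing a coil: alert
    ("10.0.1.5",  "10.0.1.20", FRAME_WRITE_REGS),  # engineering station download: allowed
    ("10.0.1.77", "10.0.2.40", FRAME_WRITE_COIL),  # same write, but to a BPCS host: not watched here
    ("10.0.1.77", "10.0.1.20", FRAME_TRUNCATED),   # malformed frame to the SIS: alert
]

if __name__ == "__main__":
    for line in scan(SAMPLE_TRAFFIC, SIS_HOSTS, AUTHORISED_WRITERS):
        print(line)
```

Two limits of this check are worth keeping in mind. An allow-list keyed on source address is not authentication, so it does nothing about the first concern, unauthorised changes made from the engineering station itself; that needs access control and change management on the station. And it only covers the protocol the gateway speaks: an OPC connection needs its own equivalent at the OPC server.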
Common technology for safety and process control opens up new possibilities for maximising both safety and security. The use of control systems which take advantage of certified safety communication provides a safe and secure method for connectivity that enables owner/operators to reduce costs and improve overall operational efficiency.
Ian Curtis is process safety consultant at Siemens Industry Automation.
Three types of integration
When it comes to connectivity of process control and safety systems there are differing degrees of integration: interfaced, integrated and common. Each approach has its advantages and disadvantages from a safety point of view, and each presents challenges from a security protection standpoint.
Interfaced - This is where the process control system and the safety system use different control & I/O hardware, and are connected together by a gateway for exchange of data. The two systems use separate engineering tools and dedicated operator interfaces. One purported advantage of this approach is the reduction in common cause failure modes, but it comes with higher costs for hardware and installation, plus higher engineering and maintenance costs.
Integrated - Here the process control system and safety system utilise separate, dedicated control & I/O hardware, but share a common network, engineering tools and operator interface. Despite the advantages of reduced costs for hardware and installation, reduced engineering and maintenance costs, less required training, no gateway issues and fewer spare parts, integration potentially reduces system access control. And the reduced use of diverse technology may impact on the system’s resistance to common cause failures.
Common - The process control system and safety system are on a common platform and are combined into a single system. They use common control and I/O hardware, as well as the same engineering tools and operator interface. Standard and safety-related programs are executed in parallel and independent of each other. This approach offers lower hardware costs and the need for fewer spare parts. However, a higher false trip rate can be experienced, together with increased potential for common-cause failure.