Proactive Security Concepts instead of Reactive Defense Rethinking Safety and Security

Bild: iStock, Dmytro Aksonov
14.05.2018

The future of the process industry is digital. This trend creates many opportunities for plant operators to make their plants future-proof. However, there is also a down­side: threats to plant security arising from digitization. The process industry needs to switch from passive to
active defense mode for cybersecurity and at the same time ensure plant security in the digital era.

In late 2017 a safety controller (SIS) from a Hima competitor deployed in a process facility in the Middle East had been targeted by a new malware attack and successfully hacked. The SIS was compromised and initiated a system shutdown. This cyberattack represents a new dimension of cyberthreats to critical infrastructure. It was specifically planned and designed to target the SIS of the manufacturer concerned. The attacker benefited from a significant factor: at the time of the cyberattack the SIS had been put in programming mode by a key switch. In an orderly configuration with the controller in run mode, where program changes are not possible, the attackers would have faced a much more difficult challenge.

The concept of safety is changing

The incident should serve as a wake-up call to heighten awareness of cybersecurity in the industry. Although only a particular system was attacked, the incident marks a turning point for plant security. In the future the focus must be on the interaction of safety and security. The SIS mentioned above differs significantly from Hima safety systems with regard to design philosophy and technology, so it is unlikely that Hima's systems are also susceptible to the same cyberattack. However, it is clear that
no SIS manufacturer can now or in the future promise a solution that is absolutely safe with regard to all eventualities and risks.

That is primarily because work processes and organizational deficiencies are still by far the most common targets for successful cyberattacks. For example, system interfaces that remain open during normal operation and can be used to alter program code give attackers a potential access point. As a consequence of this cyberattack, plant operators are strongly advised to not rely solely on cybersecure components, but instead to define an integral security concept for their own systems and consistently implement it in cooperation with manufacturers. Safety-oriented automation solutions in industrial plants must now encompass more than just safe emergency shutdown (ESD); they must also provide effective protection against cyberattacks. Previously, automated systems only had to be designed for safety and then simply checked periodically to verify the initially defined risk reduction. In the future, safety solutions must be regularly adjusted and extended in the interest of security. This paradigm shift affects providers and operators of components for safety instrumented systems in equal measure. This totally alters the perception of safety solutions. A core aspect of modern safety solutions must be the ability to fend off cyberattacks in order to avoid costly shutdowns. This makes SIS an even more significant factor for plant profitability.

A welcome trend is that companies in the process industry are increasingly recognizing the importance of safety and security standards for their plants. However, there are still companies that are not using fully standards-compliant SIS. That means they run a significantly higher risk of lost production and harm to people and the environment. To achieve maximum safety and security, it is especially important for plant operators to implement the requirement of the standards for functional safety and automation security (IEC 61511 and IEC 62443) for physical separation between SIS and process control systems (BPCS). According to IEC 61511, SIS and BPCS can only be regarded as independent safety levels if they are based on different platforms, development bases and philosophies. This means that the system architecture must fundamentally be designed to prevent the simultaneous use of components of the BPCS level and the safety level without a detailed safety analysis. Without clear separation, patches implemented in the BPCS could, for example, influence functions of the integrated safety system. That can have fatal consequences. An equally problematic situation arises when a successful cyberattack on the BPCS via the office PC of an employee leads to compromising the integrated safety system, with the result that functional safety and basic cybersecurity are also compromised. As can be seen from many
of the above-mentioned examples of successful cyberattacks, the link between office IT and the production system always represents an extreme weakness. An attack on an integrated SIS/BPCS system is thus considerably easier than an attack on a stand-alone SIS.

Rapidly growing and increasingly professional cyber criminality compels both manufacturers of safety solutions and their users in the process industry to pursue proactive cybersecurity policies and establish integral safety concepts. As part of risk assessment, plant operators must weigh the financial expenditures for effective safety and security concepts against the costs of potential shutdowns, which can easily run into the millions. The money invested in cybersecurity, usually only a fraction of the cost of a shutdown, is not wasted – instead, it safeguards the productivity of the entire plant. However, for plant operators it is not enough to rely on standards-compliant hardware and software.

Cybersecurity is a never-ending task, and it must be developed jointly by plant operators and safety specialists in the conceptual design of new plants or prior to update measures. The minimum requirement for existing plants is an exact analysis of potential cybersecurity weaknesses. Along with technical measures, users must also implement organizational measures, because no existing technology can provide complete protection against new forms of attack. Consequently, there is a strong need for periodic checking of internal networks and communications systems, for example by penetration tests carried out by independent parties.

Good safety technology is not enough

The human factor is the most frequent source of cyber risks. That includes not only targeted cyberattacks aimed at disrupting production processes or stealing industrial secrets, but also disruptions that can arise from inattention. For safety-oriented systems, the usual cybersecurity rules are even more important because the SIS represents the last line of defense against a potential catastrophe. Protection against intentional and unintentional human penetration is therefore especially important. Consequently, a comprehensive security concept includes aspects such as specific access protection, physical safeguarding, or checking the plausibility of changes. Here technology should the basis for taking the pressure off people.

It is also important to constantly be aware of possible means of manipulation. In this regard, safety-critical applications are fundamentally different from other industrial PLC or office applications. Considerable expertise is necessary to ensure security in safety applications. Consequently, maintaining and constantly refining security often poses a nearly insurmountable hurdle for plant operators. It is therefore advisable – as with the previously mentioned threat tests – to draw on the services of experienced safety and security experts in order to jointly develop and implement effective concepts. Plant operators should as well never regard their employees as the weakest link in the cybersecurity chain. Instead, they should engage all employees and encourage them to become familiar with the issue of IT security and be part of an effective proactive cybersecurity strategy. Loss or damage that arises from the action of an employee should be considered a system issue. Such loss or damage should demonstrate the necessity to fill knowledge gaps and familiarize employees with threat scenarios. Extensive programs for security training and increasing employee awareness are essential for a proactive safety concept.

Bildergalerie

  • Both the safety standard and the cybersecurity standard prescribe separate protection levels.

    Both the safety standard and the cybersecurity standard prescribe separate protection levels.

    Bild: Hima

Firmen zu diesem Artikel
Verwandte Artikel