Wednesday, 20 September 2017

In the good old days, most Industrial Automation and Control System (IACS) networks were air-gapped from the business network and the Internet. Broadly speaking, they 'operated independently' of the plant's non-process operational systems.

In recent years and with rapid developments in technology, however, this situation has steadily changed. 

Demand for greater business insight, requirements for remote network access, and the adoption of hardware and software from traditional IT (e.g. TCP/IP networking, Windows-based platforms) to meet emerging client requirements have led many process industry companies to integrate their control systems with their enterprise IT systems in order to realise those benefits. In some cases, operating companies have even allowed access to automation networks from the 'cloud' environment.

As part of this shift towards 'intelligent' operations, the key tenets of Industry 4.0 are now challenging the 'well proven concepts' on which safety systems have traditionally relied.

Opening the door to hackers
Imagine what would happen if a cybercriminal uploaded a malicious program that dynamically altered the oil stock and control information of an oil and gas company so that it showed high stock availability when stocks were really at critical levels. Once the target company ran out of oil, it clearly would not be able to deliver to its customers on time. Failure to satisfy its obligations could lead to changes in oil prices, as well as huge losses to the company.

History shows there is often a disconnect between a hacker’s intentions and the actual outcome of their actions. In process industry facilities especially, systems are usually so complex and unique that a hacker’s attack could easily result in unintended damage, including potential destruction of plant and / or worker injuries or fatalities.

Even where the IACS is non-programmable, or is physically separated from other networks, threats to security should still be considered. Maintenance activities (for example an engineering laptop or removable media connected to the system), software upgrades or unauthorized access can all provide a path across the 'air gap' and enable an attack. Worryingly, statistics cited across the industry suggest that some 60 percent of the attackers in such cases are insiders, often disgruntled or dismissed employees.

SIS engineers and operators should be aware of the challenges that come with new IACS technology. The IEC, ISA and HSE have all acknowledged the importance of cyber security and have provided the relevant standards and guidelines. The most significant is the IEC 62443 series of standards, which is structured as 13 parts. ISA has developed ISA-TR84.00.09, the National Cyber Security Centre has published "Security for Industrial Control Systems", and NIST has published Special Publication 800-82 Revision 2, "Guide to Industrial Control Systems (ICS) Security". Several of these documents are still being developed or revised, so much of this body of guidance remains a 'work in progress'.
</gre_replace>
<gr_replace lines="20" cat="clarify" orig="The safety standards">
The safety standards IEC 61508 (2010 edition) and the recently issued IEC 61511 edition 2 both contain requirements to address cyber security in safety instrumented systems (SIS): IEC 61508-1 requires a security threat analysis where the hazard analysis identifies that malevolent or unauthorised action is reasonably foreseeable, and IEC 61511-1 requires a security risk assessment to identify the security vulnerabilities of the SIS. So from a functional safety point of view, the cyber secure SIS is now a must. This is because, in today's world, functional safety and information technology are no longer independent of one another.

The safety standards IEC 61508 from 2010, and the recently issued IEC 61511 edition 2, have requirements to address cyber security in safety instrumented systems (SIS). So from a functional safety point of view, the cyber secure SIS is now a must. This is because in today’s world, neither functional safety nor information technology are independent of one another.

The question to ask is 'How do we make the SIS cyber secure?' This is not a one-off task: properly targeted and controlled activities are needed at every stage of the security lifecycle.

Safety and cyber security follow similar and co-dependent thought processes. There are specific roles and responsibilities required of manufacturers, certifying bodies and system operators. Together these form a lifecycle process for cyber security akin to the safety lifecycle process for functional safety (refer to Figure 1 below).

Figure 1: Cyber security life cycle and functional safety life cycle (Source ISA TR84.00.09)
The most effective and efficient means to achieve cyber security is to adopt a lifecycle approach which is fully integrated with process safety work processes.

It seems that there is no turning back as Industry 4.0 is realised in full. We cannot air gap the SIS, or ban the use of smart devices, which all simplify and benefit our processes; however, we should be aware of the highly critical nature of IACS cyber security and how seriously it should be taken.

It therefore follows that industry should immediately be implementing an 'integrated' control and cyber security lifecycle management approach, to ensure consistency, repeatability, robustness and systematic capability across the concept, design, engineering, installation, operation and maintenance phases of control and safety systems.

So where next?

'Essentially, the process industries need to ensure that the cyber security of the safety system is addressed with the same level of rigour and detail as the functional safety requirements set out in the IEC 61508 standards; by association, the SIL of a safety function also depends on how cyber secure the SIS really is.'
