By Dan Hebert, PE
Process plant safety used to be relatively simple. A regulatory control system was in charge of the process. A completely separate safety system controlled all safety-related process areas, and, finally, a security system controlled plant access.
Things are a bit more complicated now because process plant safety must encompass cybersecurity. Another complicating factor is the availability of integrated systems that can simultaneously address process control, safety and security. Once installed, these complex integrated systems can provide value by simplifying plant operations and reducing on-going system maintenance costs. But is the cost and complexity of an integrated safety and security system worth it?
Combining safety and security into an integrated system allows proactive response to alarms and events, and it provides everyone a single real-time view to any potential threat, says Erik deGroot, global manager for safety systems at Honeywell Process Solutions.
Industrial plants have procedures and safety systems that are designed to bring operations to a safe state in the event of equipment malfunctions and other operational problems. In the event of a significant security incident, an integrated system can activate these same procedures and systems. Additionally, an integrated system leads to less expensive implementation and maintenance because all the pieces work together, even as technology continues to evolve, adds deGroot.
But combining safety and security requires careful planning. Integrated systems allow smooth and safe plant operation, but separation must still be maintained. The challenge is knowing when to integrate and when to keep systems separate. Dedicated safety-related functions, such as the actual safety application, must stay segregated and must be subject to high safety integrity, concludes deGroot.
David Kleidermacher, the CTO of Green Hills Software, an operating system vendor specializing in highly secure systems, agrees with deGroot. It is possible to mix multiple levels of safety and security in control systems, in fact this technique is already being used in aircraft, he says. Aircraft and other applications are being driven by requirements for enhanced security while simultaneously improving the cost, power and usability of computer systems. So instead of having two pieces, one that provides control- system management and one that provides corporate network access, we can consolidate systems and also make them more secure, claims Kleidermacher.
A Clear, Unambiguous Maybe
Noted security expert Bryan Singer, chairman of the ISA99 committee that covers security for industrial automation and control systems, agrees that is possible to tightly integrate safety and security. It may indeed be possible to integrate systems to any level so desired, but should we do so just because the technology supports it? The answer is an unambiguous and very clear maybe, observes Singer.
As soon as we integrate systems that were previously disconnected, problems can arise. There is the possibility of cross-pollinating systematic faults from failing devices or excessive network traffic or introducing network accessible system vulnerabilities. Both scenarios make it very likely that a safety system can fall victim to threats, warns Singer.
There is no reason why integrating these systems must be more insecure; but deployment requires careful planning, design and testing. To make an integrated system safe, we must do several things very well, he says. These include:
- Where physical isolation on separate networks is not possible, logical separation through VLANs, access control lists, etc., is a must.
- Redundancy and capacity on the network is critical. We must be sure that a fault in one area cannot cascade to a system-wide fault that affects safety systems.
- Device testing is very important, as we need to accurately know the failure modes and tolerances of given components to understand whether or not we will create an unsafe condition.
- Tried and tested security principles, such as no single points of failure, must be adhered to.
Singer thinks separate systems are better from a cybersecurity standpoint, but he realizes that many plants will implement integrated systems to save money and simplify plant operations. Others are more adamant and believe separation is a requirement.
Equal, but Separate
Each layer in the model must be independent, which means that a failure in one cannot influence the proper working of any other layer. One could advocate that security should be an extra layer added to the model, but I believe that safety and security should be completely separated, adds de Breet.
Process operations are busy with production and safety. Security guards, whether at the gate or in the IT department, need to be focused on cybersecurity alone. Given the difference in nature of their functions, that is internal versus external protection, combining safety and security in any form could very well make either one more vulnerable, cautions de Breet.
Others share de Breets opinion. Personal safety, cyber and physical plant security systems must operate in almost total isolation of each other, says Ernie Rakaczky, principal security consultant for enterprise architecture and integration at Invensys Process Systems.