Cybersecurity in the SIS world

Find and slay the dragons lurking in the typical safety instrumented system.

By William L. Mostia, Jr., P.E.

1 of 2 < 1 | 2 View on one page

Cybersecurity is a growing concern in the process industries, and a number of good articles have been written about it for industrial control systems (ICS)—many full of doom and gloom. Here, we will divide the ICS into two parts: safety instrumented systems (SIS) and all other ICS components, which we lump into the basic process control system (BPCS). There are distinct differences between the SIS and BPCS in function, design and cybersecurity.

The SIS and BPCS differ in regard to cybersecurity from a process safety perspective, how traditional SIS design practices can help provide cybersecurity, and how cybersecurity concerns can affect the design of the SIS.

This article examines some of the differences between the BPCS and the SIS, SIS vulnerabilities to cyberattack and other security concerns unique to the SIS. It also covers how traditional SIS design can help with cybersecurity, and how traditional design practices of the SIS are affected by cybersecurity. Due to its size limits, one article can’t cover all aspects of designing or securing a SIS in the presence of cybersecurity threats, but it’s instead intended to provide food for thought on this topic.

When a cyberattack gets physical

It’s important to note that operating a chemical plant or refinery is complex, with many checks and balances as well as human beings to provide 24/7 oversight and some level of resilience. A cyberattack is really a cyber-physical attack because it involves a system with direct connections to the real world, as opposed to attacking a computer and data. A process plant is also a system designed to work in the presence of failures (even multiple ones) and uncertainty, even if the failure mode is unknown, whether it be a cyberattack, control valve failure, pump failure, etc.

For example, if a tower is over-pressurized, chances are you’ll have an independent, high-pressure alarm, possibly a high pressure override of the tower reboiler, an SIS and a relief valve protecting it, plus operator observations. This illustrates how defense-in-depth achieves process safety, which also provides protection against a cyberattack as an initiating cause. This is not to say that cybersecurity is not important for process safety, but rather that it must be considered in the mix of potential failures and safeguarding against those failures.

Figure 1 illustrates the overall cyber-domain including the SIS. Generally speaking, only digital systems are a concern for a direct cyberattack, however, even analog or mechanical systems aren’t as completely immune as one might think. For example, the safe operating limit database (alarm and trip setpoints), asset management (changes in device parameters), SIS field instrument calibration databases (incorrect calibrations), and even the relief valve database (incorrect trip setpoints and test intervals) can potentially be corrupted by a cyberattack, leading to failure in the SIS or other process safety systems under the right circumstances.

The role of the SIS in safety

It’s important to understand how process safety is achieved through functional safety, and how the SIS fits into the overall picture. Achieving process safety using functional safety typically involves a defense-in-depth protective scheme consisting of independent protection layers (IPLs).

In Figure 2, we can see the SIS is not the only IPL in the layer of protection scheme. Some IPLs are subject to direct cyberattack and some are not. Modern design of functional safety protection systems (FSPS) for hazardous processes is all about preventing a hazardous condition, even in the presence of failures of some of the IPLs. The cyberattack threat does not change that paradigm, but rather adds additional potential failure modes of the BPCS and process equipment that may lead to potential safety demands of unknown frequency (an important risk consideration).

A fundamental SIS design principle is that failure of the BPCS to control the process for any reason should not cause a simultaneous failure of the SIS protecting the process. This does not change with the introduction of the cyberattack threat; if a cyberattack has compromised the BPCS, it should be substantially more difficult for the same attack to compromise the SIS either synchronously or asynchronously.

Defense-in-depth and the related principle of requiring multiple failures or difficulties—a “tortuous path” before you have a successful cyberattack—are important protective concepts. This also applies to the BPCS, where safety controls, alarms and interlocks (SCAI) and other protective safeguards should present a difficult path to defeat them all to cause a loss of process safety protection and situational awareness of the operator.

How a SIS differs from a BPCS

Her are some the primary differences between the SIS and BPCS. The primary purpose of the BPCS is as an active, continuous system that controls level, pressure, temperature and other process variables designed to keep the hazardous materials in the process under control within the safe operating envelope, while efficiently and cost-effectively making on-spec product. The vast majority of SISs, on the other hand, operate as passive systems that sit there doing nothing until a safety demand occurs. When the process exceeds its safe operating limits, the SIS acts to maintain or bring the process to a safe state. This passiveness also makes it difficult for an intruder to analyze the system and its relationship to the BPCS by observation alone.

Download: 2016 State of Technology Report: The rise of configurable I/O

Failure of the BPCS can be an initiating cause for a hazardous scenario, whereas a properly designed, low-demand SIS can’t typically be the initiating cause of a hazard—even during a cyberattack.

The BPCS will have tens of thousands of data points (reads and writes) and other parameters transferred digitally between BPCS boxes via multiple paths, where the SIS may have a few hundred data points, mostly reads with a limited number of writes. The BPCS will typically talk to the SIS through only one communication path per SIS. The SIS will also have its own internal communication structure.

In most cases, the SIS is implemented on different hardware, in some cases by a different manufacturer than the BPCS equipment.

The SIS is periodically proof-tested, while the BPCS is many times operated to failure. This provides a mechanism for detecting unauthorized changes.

Cybersecurity standards for SIS

There are several standards pertinent to cybersecurity and the SIS. The second edition of IEC 61511-1 will require that a security risk assessment be carried out to identify the security vulnerabilities of the SIS, including both physical and cybersecurity vulnerabilities. The standard also will require that the design of the SIS provide the necessary resilience against the identified security threats. This is a new, substantial requirement.

The ISA 99 committee has generated a series of pertinent standards, one of which is IEC 61511-1, ANSI/ISA/IEC-62443-1-1, “Security for Industrial Automation and Control Systems Part 1-1: Terminology, Concepts and Models.” The ISA 84 committee also has a subcommittee looking at cybersecurity for technical reports (TR). They’re in the draft stages of dTR84.00.09, “Cyber Security Related to the Functional Safety Lifecycle,” which is attempting to bring the principles of ANSI/ISA/IEC-62443-1-1 to functional safety and the safety lifecycle. Hopefully, they will do this in a practical manner without too much computer-speak.

Protecting SIS assets

Protecting the SIS against cyberattacks is a simple matter of preventing unauthorized changes that can compromise its safety functionality. Easy as pie, right?

To get a high-level view of your SIS and its potential vulnerabilities, draw a boundary around all the SIS assets (typically your SIS zone). Then, identify all of the communications paths and any other data, remote or physical access paths that cross that boundary. This is illustrated in Figure 3 for a generic SIS, but your system may have more or different vulnerabilities. This conceptual boundary can help you visualize your potential cyberattack vulnerabilities and systematically address them.

To evaluate your cybersecurity vulnerabilities and current protections, one of the first things to do is an inventory of all SIS equipment, software (with version numbers), and critical operating parameters. This should be followed by a security assessment of the SIS as required by the IEC 61511-1 2nd Ed. This inventory will provide a baseline for monitoring changes in your system.

1 of 2 < 1 | 2 View on one page
Show Comments
Hide Comments

Join the discussion

We welcome your thoughtful comments.
All comments will display your user name.

Want to participate in the discussion?

Register for free

Log in for complete access.


No one has commented on this page yet.

RSS feed for comments on this page | RSS feed for all comments