"Swiss Army Knife" for safety systems - is it a feature or a vulnerability

On Tuesday, a major control and safety system vendor held a webinar on cyber security of safety systems - "The rocky relationship between safety and security". The vendor talked about the network issues that needed to be considered, limitations on read/write, etc. However, the diagram that was shown on the webinar had the control and safety systems on the same Ethernet LAN. I talked to the vendor about it. His response was that their design was like a "Swiss Army Knife" (a feature). That is, they were giving their users flexibility in how they wanted to implement their safety and control systems. As a nuclear engineer, I find the concept of mixing safety and control on the same network not acceptable - period. Moreover, at the recent ICS Cyber Security Conference, a utility discussed their major control system cyber incident in which they lost all logic in every DCS processor with the plants at power. The hard-wired analog safety systems prevented significant plant damage because they were independent of the affected plant control systems. I find the vendor doing a disservice to their customers by even implying that mixing safety and control would be acceptable. I was very surprised that no one brought up the concern of mixing control and safety during the presentation or the subsequent question-and-answer session. When vendors know there are potential cyber vulnerabilities in their "features", I feel they owe their customers some form of notification.

Joe Weiss

What are your comments?
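The concern in the post is that "isolation" of safety and control is often checked only on paper, while the asset inventory tells a different story. The following audit is an added example, not code from the post or from any vendor mentioned in it: it models a constructed plant inventory (all device names, switch names and VLAN numbers are invented) and reports every physical switch and every VLAN that carries both safety-instrumented-system (SIS) devices and basic-process-control-system (BPCS) devices. A shared switch is flagged even when the two layers sit on different VLANs, because the switch itself is then a common point of failure. It also lists the safety devices that have no network attachment at all, the hard-wired kind that the post credits with limiting damage in the utility incident.

```python
"""Audit an ICS asset inventory for safety/control network sharing.

Added example, not from the blog post. Assets are modelled with a role,
the physical switch their port sits on, and a VLAN. A segment (switch or
VLAN) that carries both SIS and BPCS devices is reported as shared.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Asset:
    name: str
    role: str               # "SIS" (safety), "BPCS" (control), "HMI", "ENG", ...
    switch: Optional[str]   # physical switch; None = hard-wired, no Ethernet port
    vlan: Optional[int]     # VLAN id on that port; None = not networked


# Constructed sample inventory (all names and numbers are invented).
SAMPLE_INVENTORY: List[Asset] = [
    Asset("DCS-CTRL-01", "BPCS", "SW-PROC-A", 10),
    Asset("DCS-CTRL-02", "BPCS", "SW-PROC-A", 10),
    Asset("OPS-HMI-01", "HMI", "SW-PROC-A", 10),
    Asset("SIS-LOGIC-01", "SIS", "SW-PROC-A", 20),   # same switch as BPCS, own VLAN
    Asset("SIS-LOGIC-02", "SIS", "SW-SIS-A", 20),    # dedicated safety switch
    Asset("ANALOG-TRIP-01", "SIS", None, None),      # hard-wired analog trip, no LAN
]


def find_shared_segments(assets: List[Asset], key: str) -> Dict[object, List[str]]:
    """Return {segment: sorted roles} for every segment carrying both SIS and BPCS.

    `key` is the Asset attribute that names the segment: "switch" or "vlan".
    Assets with no value for that attribute (hard-wired devices) are skipped.
    """
    roles_by_segment = defaultdict(set)
    for asset in assets:
        segment = getattr(asset, key)
        if segment is None:
            continue
        roles_by_segment[segment].add(asset.role)
    return {
        segment: sorted(roles)
        for segment, roles in roles_by_segment.items()
        if {"SIS", "BPCS"} <= roles
    }


def independent_safety_devices(assets: List[Asset]) -> List[str]:
    """Names of SIS devices with no switch and no VLAN, i.e. hard-wired only."""
    return sorted(a.name for a in assets
                  if a.role == "SIS" and a.switch is None and a.vlan is None)


def audit(assets: List[Asset]) -> Dict[str, object]:
    """Run the whole audit and return a report dictionary."""
    return {
        "shared_switches": find_shared_segments(assets, "switch"),
        "shared_vlans": find_shared_segments(assets, "vlan"),
        "independent_safety": independent_safety_devices(assets),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_INVENTORY)
    for finding, detail in report.items():
        print(f"{finding}: {detail}")
```

On the sample inventory the VLAN check comes back clean (VLAN 10 is BPCS/HMI only, VLAN 20 is SIS only), but the switch check flags SW-PROC-A because it carries both layers; VLAN separation alone does not remove the shared hardware, which is exactly the "logical networks (LANs, switches, etc.)" point. Feeding the audit a real inventory export means mapping your own columns onto `Asset`; the role vocabulary and the two segment keys are the assumptions to adjust.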


Comments

  • Even though many people are still not comfortable with the approach (their choice), the fact remains that there are precedents for designs that integrated safety and BPCS functions that have been reviewed in detail and granted certification. This approach is not inherently evil, as long as it is used with full consideration of the risks and accommodations that have to be made. These risks of course include but are by no means limited to security.


  • As a TUV certified Functional Safety Engineer with some significant field time in many industries, I say you cannot criticize vendors for providing their customers with a wide and diverse portfolio to meet their unique needs.

    Upon completion of a typical safety assessment including HAZIP and LOPA, some industries may choose to separate the networks, but since all leading vendors offer certified systems that support integrated physical networks (Honeywell, Emerson, ABB, Siemens, and Invensys to name a few leaders), you can't just assume that because they are on the same network they are insecure.

    It is very interesting that all these researchers, led of course by Digital Bond, have yet to prove that these network connections can be compromised!

    Read up on IEC 61508 and you will see that these systems must use many of the features that traditional BPCS components lack!

    In closing, the end user can choose to separate the networks based on their risk tolerance. Again, you must balance the cost of security with the cost of operations, considering that these networks can be secured with other more advanced controls. Today, there is a large amount of tight integration between SIS and BPCS in order to maintain safe and reliable plant operations, considering ALL potential risk and not just that of security.

    Stay secure,


  • For safety and security reasons, control and safety should be isolated from each other to preclude a single point of failure. The reason for the blog was the concern that the isolation of safety and control did not appear to include the logical networks (LANs, switches, etc.).

    Joe Weiss

