Should networked safety systems be connected to control systems in critical applications?

Safety systems are used in chemical plants, refineries, pipelines, water treatment, railroads, manufacturing, power plants, nuclear plants, etc. They are the “last line of defense” for critical processes whose failure can seriously affect the system/facility, facility personnel, the general public, and/or the environment. The types of safety systems addressed here include Safety Instrumented Systems (SIS), nuclear plant safety systems, and other process safety systems. Previously, control systems and safety systems were separated, with safety systems often hard-wired analog rather than IP-networked. Interconnecting control and safety systems over a network makes these processes much more productive, but also more cyber vulnerable and potentially less safe.

Many cyber threats have not been modelled to the same degree as physical safety-related threats, including the potential consequences of the various types of cyber attack. Additionally, there is little data available on control system cyber event frequency. Since risk is frequency times consequence, control system (including safety system) cyber risk is difficult to quantify. As safety systems become more complex and interconnected, they have been subjected to both malicious and unintentional cyber threats. Given the success of sophisticated cyber attackers, there is a need to better understand the cyber-related ramifications of having control and safety systems on the same network.

Malicious cyber threats can impact networked safety systems from the following perspectives:

 - Attackers think differently than defenders and facility operators. Sophisticated attackers have developed ways (not just USB drives) to compromise safety systems that are ostensibly air-gapped. Rootkits are being developed that can compromise PLCs without any indication to the operator. Connecting control and safety systems increases the attack surface.

 - Stuxnet demonstrates a number of reasons why networked safety can be a high risk. According to Kim Zetter’s book Countdown to Zero Day, Stuxnet bypassed the safety systems and prevented the operators from manually initiating them. Stuxnet (intentionally) and the 2003 Northeast outage (unintentionally) demonstrated that operator displays can be compromised, making the operator part of the “exploit”. This has not been adequately addressed in safety analyses or training.

 - New control system cyber vulnerabilities are continuously being found. Some, like BlackEnergy, were “in the wild” for more than a year. Many of these vulnerabilities are of minimal consequence to safety systems, but others, like BlackEnergy, can affect networked safety systems.

 - Kim Zetter’s book, as well as my experience, demonstrate that nation-states can identify significant control/safety system cyber vulnerabilities that have not been passed on to industry, allowing the attackers to keep these vulnerabilities in their repertoire. While these vulnerabilities are kept from the vendors and end-users, other nation-states or attackers may find and use them against essentially defenseless end-users. Countries such as Russia, China, and Iran are well-versed in safety systems and have active cyber attack programs.

 - Finally, as with the recent North Korean situation, nuclear plant control systems and other critical infrastructure are becoming political targets (http://www.nytimes.com/reuters/2014/12/30/technology/30reuters-nuclear-southkorea-cybersecurity.html?partner=rss&emc=rss&smid=tw-nytimes&_r=3).

Additionally, there have been numerous cases where safety systems were not able to prevent system failures caused by unintentional incidents. Some of these cases resulted in significant equipment damage and even deaths. One example where the separation of control and safety was critical was a power plant that suffered a complete loss of control and view while at power because a broadcast storm temporarily wiped out the control logic in EVERY plant distributed control system (DCS) processor. The hard-wired analog safety systems were able to shut the plant down safely. A networked safety system on a common, non-segmented network would have been subject to the same broadcast storm, leaving no protection against this event and potentially causing significant damage to a multi-unit power plant.

However, in the July 2014 issue of Design News, Mark Sen Gupta, a senior analyst at ARC Advisory Group, stated: “Yes, you can run safety on the same network as control, and in many cases, that is the solution that makes the most sense. It can be done without compromising safety. Safety and control can be on the same network. The decision is based on personal preference or corporate policy… The biggest reason given for avoiding the use of the same network is to avoid common mode failures”. If the safety system is interconnected with the control system, the two share a common point of failure. For many critical safety applications, including nuclear safety, a common point of failure is unacceptable.

Given the rationale above, there is a need to reopen the discussions about having safety systems connected to control systems. There is a more detailed paper being prepared on this subject.

Joe Weiss

Comments

  • Joe - You might want to look at / reference the Project LOGIIC report, https://logiic.automationfederation.org/public/Shared%20Documents/LOGIIC%20SIS%20AW11%20Final%20PPT.pdf

    They took a very wishy-washy stance on control system / SIS integration, most likely based on who pays for LOGIIC. The control system / SIS boundary is an ideal place for a unidirectional gateway. Pass the SIS info to the control system, but don't allow any communication the other way.

    Dale Peterson, Digital Bond, @digitalbond

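Two of the points above lend themselves to a concrete check: the post's broadcast-storm example (a safety system on the same non-segmented network as the DCS shares the DCS's failure) and the comment's suggestion that the control/SIS boundary should only ever pass data from the SIS to the control side. The script below is an added example, not code from the post, from Digital Bond or from the LOGIIC project. It runs a network inventory through both rules: it flags any VLAN where control and SIS hosts sit in one broadcast domain, and any permitted flow whose source is a control-side host and whose destination is an SIS host. The host names, VLAN numbers, roles and flow rules are constructed for illustration; in practice they would come from an asset inventory and a firewall or gateway rule export.

```python
"""Check a control/SIS network inventory for two common-mode exposures:
(1) control and SIS hosts in the same broadcast domain, and
(2) permitted flows that let the control side write into the SIS zone.

Added example; not part of Joe Weiss's post or the LOGIIC report.
All host names, roles, VLAN numbers and flow rules below are constructed.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

Host = Tuple[str, str, int]   # (hostname, role, vlan); role is "control" or "sis"
Flow = Tuple[str, str, str]   # (src_host, dst_host, description of the service)

# Constructed inventory: a flat network where everything sits in VLAN 10.
FLAT_HOSTS: List[Host] = [
    ("dcs-ctrl-01", "control", 10),
    ("dcs-ctrl-02", "control", 10),
    ("eng-ws-01", "control", 10),
    ("sis-solver-01", "sis", 10),
    ("sis-solver-02", "sis", 10),
]

# Constructed inventory: the same plant with the SIS in its own VLAN 20.
SEGMENTED_HOSTS: List[Host] = [
    ("dcs-ctrl-01", "control", 10),
    ("dcs-ctrl-02", "control", 10),
    ("eng-ws-01", "control", 10),
    ("sis-solver-01", "sis", 20),
    ("sis-solver-02", "sis", 20),
]

# Constructed zone-boundary rules. SIS -> control status reads are the
# direction a unidirectional gateway would allow; the engineering download
# from a control-side workstation into a logic solver is the violation.
FLOWS: List[Flow] = [
    ("sis-solver-01", "dcs-ctrl-01", "read SIS status"),
    ("sis-solver-02", "dcs-ctrl-01", "read SIS status"),
    ("eng-ws-01", "sis-solver-01", "engineering download"),
]


def shared_broadcast_domains(hosts: List[Host]) -> Dict[int, Dict[str, List[str]]]:
    """Return {vlan: {role: [hosts]}} for every VLAN holding both roles.

    A broadcast storm, ARP flood or switch failure in such a VLAN reaches the
    safety hosts as well as the control hosts: exactly the common-mode event
    the post describes."""
    by_vlan: Dict[int, Dict[str, List[str]]] = defaultdict(lambda: defaultdict(list))
    for name, role, vlan in hosts:
        by_vlan[vlan][role].append(name)
    return {vlan: {r: list(h) for r, h in roles.items()}
            for vlan, roles in by_vlan.items()
            if "control" in roles and "sis" in roles}


def control_to_sis_flows(hosts: List[Host], flows: List[Flow]) -> List[Flow]:
    """Return every permitted flow from a control-side host into an SIS host.

    With a unidirectional gateway at the boundary this list must be empty;
    SIS -> control flows are allowed and are not reported."""
    role = {name: r for name, r, _ in hosts}
    return [f for f in flows
            if role.get(f[0]) == "control" and role.get(f[1]) == "sis"]


def assess(hosts: List[Host], flows: List[Flow]) -> List[str]:
    """Run both checks and return one human-readable finding per violation."""
    findings = []
    for vlan, roles in sorted(shared_broadcast_domains(hosts).items()):
        findings.append(
            f"VLAN {vlan}: control hosts {roles['control']} and SIS hosts "
            f"{roles['sis']} share one broadcast domain; a broadcast storm "
            f"that takes out the DCS reaches the SIS too")
    for src, dst, svc in control_to_sis_flows(hosts, flows):
        findings.append(
            f"flow {src} -> {dst} ({svc}): control side can write into the "
            f"SIS zone; only SIS -> control should be permitted")
    return findings


if __name__ == "__main__":
    for label, inventory in (("flat", FLAT_HOSTS), ("segmented", SEGMENTED_HOSTS)):
        print(f"== {label} network ==")
        for line in assess(inventory, FLOWS) or ["no findings"]:
            print(" -", line)
```

Running it reports two findings for the flat inventory (the shared VLAN and the engineering download) and one for the segmented inventory (the download alone). Moving the SIS to its own VLAN removes the broadcast-domain finding but not the write path; that path only disappears when the boundary is made unidirectional, which is the separate point made in the comment above.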

  • Hints of redux on Project LOGIIC SIS architectures A, B and C?

    Positions in the Design News article seem to dismiss LOGIIC conclusions because too much has changed in 10 years.

    A more direct link to the article: http://www.designnews.com/document.asp?doc_id=273860&print=yes


  • For security, isn't the issue more than just having a 'common point of failure', but extends to having a 'common point of attack' which takes into account the engineering environment (e.g. support tools) as well as the supply chain?
