BASF undertakes inventory of safety instrumented functions
"Some of this information is only on the back sides of the backplanes. We're sending an army of engineers into the field to build a database." BASF's Martin Roser on the non-trivial task of compiling an enterprise-wide inventory of safety system components.
Industrial IoT-style digitalization offers functional advantages for safety systems, such as easier modifications, the ability to assess the health status of safety PLCs (SPLCs) and field devices such as HART transmitters, as well as integration with an asset management system (AMS) to streamline work order generation. "But connectivity comes with cybersecurity risks," said Dr. Martin Roser, senior automation manager, Automation Technology, Regulated Automation Solutions, BASF SE. For example, if a hacker modifies a controller function block, the system might not trip on a hazardous situation. Or a field device might be modified: for example, the span of a thermocouple transmitter could be changed so the control system thinks the process is in range when it is overheated.
Roser described how BASF is using a standards-based approach to set the stage for digitalization while ensuring cybersecurity of its safety instrumented systems (SIS) and the safety instrumented functions (SIFs) they support during the session, "Automation Security and the SIF Lifecycle," this week at the EcoStruxure Triconex User Group conference in Galveston, Texas.
How to allow IT
The IEC standard 61511:2016, Functional Safety: Safety Instrumented Systems for the Process Industry, offers essential advice on cybersecurity, Roser began. Security should be designed in using standardized risk assessments, standard solutions, secure architecture, design rules and security checklists. Cybersecurity should be considered at design review, factory acceptance test and site acceptance test. In operation, ongoing risk assessment should be performed at periodic reviews, on modifications, and in the event of an incident.
"IEC 61511:2016 advises users to perform a risk assessment, but doesn't advise how," Roser said. "Furthermore, IEC 62443, Industrial Network and System Security, stipulates that it should be possible for a non-security expert to perform a risk assessment. But how?"
For guidance, BASF references NAMUR NA 163, Security Risk Assessment for Safety Instrumented Systems. Among other things, NA 163 "defines the minimum security requirements for systems to communicate," Roser said. NAMUR is an international association of automation users. It currently numbers 158 member companies in Europe, China and the United States.
NA 163 defines Zone A, containing the core SIS (logic solver, sensors, final elements); Zone B, the extended SIS (including the engineering station, HMI, and interfaces with asset management tools); and the peripheral zone outside A and B, where you find the DCS, process information management system (PIMS), IT architecture, etc. It makes recommendations based on the type of connection (within or between zones), the type of communication (analog or digital without HART vs. protocol-based vs. IP) and the physical security of the asset.
NA 163 recommends that components be used in accordance with the manufacturers' standards, the network be classified according to NA 163 zones, and an assessment be made of the possible connections.
In one example, an SPLC and DCS are to be time-synchronized, share alarms and provide incident assessment for authorities. The SPLC is in Zone A, the DCS is in the peripheral zone, and none of the devices are in Zone B. The manufacturer recommends an OPC server between the SPLC and DCS, with a proprietary protocol between the SPLC and OPC server, OPC A&E between the OPC server and DCS, and NTP through the OPC server for time synchronization.
Review according to NA 163 would change that to a dedicated radio clock for the SPLC (to reduce the number of protocols and hence the surface for a network attack). It would also add a stateful firewall at the border between zones A and B restricted to data traffic (no reengineering).
SPLC asset inventory at BASF
Cyber vulnerabilities are becoming increasingly apparent, with incidents occurring due to vulnerabilities of many vendors' systems. When the details of an incident are made public, the first question is whether you have one of those components or systems. So, to defend your facilities, "You need an SPLC asset inventory," Roser said. "Do you know your systems?
"Do you have CPU MP 3008, firmware 10.0-10.4 (Trisis incident, August 2017)? HIMA X-CPU 01, serial 985213001…6001 (March 2018)? Siemens SIMATIC S7-400 (May 2018)? Yokogawa STARDOM controllers (June 2018)?"
BASF has 353 production sites in 80 countries. "Just one Verbund site has 39,000 employees, 2,000 buildings and 200 production lines," Roser said. "I don't know."
So, BASF is in the process of making a detailed safety system asset inventory "for safety, security and lifecycle issues," Roser said. Their first step was to identify their Schneider SPLCs and know the details of each system, host, module and network interface. Step 2 is to similarly identify the other system vendors' components. Step 3 is to compile that information into a high-level inventory list.
Step 4 is a detailed information assessment. "Some of this information is only on the back sides of the backplanes," Roser said. "We're sending an army of engineers into the field to build a database. It's a lot of work."
Step 5 will be to keep the inventory up to date. "We want to define internal workflows and have automated retrieval and export of asset inventories," Roser said. "Vendor support is going to be essential for a sustainable solution."
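The payoff of steps 3 through 5 is being able to answer Roser's "do you have one of those components?" question from data rather than from a field walk. The following is an added example, not BASF's or NAMUR's tooling: it matches a constructed SPLC inventory against the component and firmware-range descriptions quoted above, reports where the firmware has not yet been recorded, and compares versions numerically so that 10.10 is not mistaken for a release inside 10.0-10.4.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    site: str       # plant or unit where the module is installed
    model: str      # as printed on the module, often only on the backplane
    firmware: str   # e.g. "10.2"; "" when not yet read off in the field

@dataclass(frozen=True)
class Advisory:
    name: str
    model: str
    fw_min: str = ""   # inclusive firmware range; empty = every version affected
    fw_max: str = ""

def fw_tuple(version):
    """'10.4' -> (10, 4), so 10.10 sorts after 10.4 (a string compare would not)."""
    return tuple(int(p) for p in version.split("."))

def matches(asset, adv):
    """'affected', 'check firmware' (version not recorded) or None (not affected)."""
    if asset.model != adv.model:
        return None
    if not adv.fw_min:
        return "affected"
    if not asset.firmware:
        return "check firmware"   # inventory gap: version still has to be read off the module
    v = fw_tuple(asset.firmware)
    return "affected" if fw_tuple(adv.fw_min) <= v <= fw_tuple(adv.fw_max) else None

# Component names and the firmware range are those named in the article.
ADVISORIES = [
    Advisory("Trisis, Aug 2017", "CPU MP 3008", "10.0", "10.4"),
    Advisory("SIMATIC S7-400, May 2018", "SIMATIC S7-400"),
]

# Constructed inventory for illustration, not BASF data.
INVENTORY = [
    Asset("Plant 1", "CPU MP 3008", "10.3"),
    Asset("Plant 1", "CPU MP 3008", "10.10"),
    Asset("Plant 2", "CPU MP 3008", ""),
    Asset("Plant 2", "SIMATIC S7-400", "6.0"),
]

def exposure(inventory=INVENTORY, advisories=ADVISORIES):
    """(site, model, advisory, status) for each inventory entry an advisory touches."""
    return [(a.site, a.model, adv.name, s)
            for a in inventory for adv in advisories
            if (s := matches(a, adv)) is not None]
```

Running `exposure()` on the constructed inventory flags the Plant 1 module on 10.3 and the Plant 2 S7-400, leaves the 10.10 module alone, and lists the Plant 2 module with no recorded firmware as still needing a field check.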
The editors of Control were on site at the 2018 Triconex User Group Conference to bring you breaking news, innovations and insights from the event.
About the Author
Paul Studebaker