Securing safety systems from cyber attack

June 20, 2017
Second edition of ISA TR84.00.09 addresses cyber attacks on safety instrumented systems

Thirty years ago, safety didn’t carry quite the same weight it does in process manufacturing plants today. “Communication was really slow in a refinery,” admitted Dave Bennett, ICS safety and security lead at Phillips 66, “but we knew, when an ambulance came to the refinery, that meant someone had died. We also had a fire about once a month. I thought that was normal. As I matured as an engineer, I realized it shouldn’t be.”

Bennett gave an in-depth presentation on the intersection of cybersecurity and the functional safety lifecycle, at the Honeywell Users Group Americas 2017 conference this week in San Antonio, Texas. His talk focused on the new edition of ISA TR84.00.09 and explained the IEC 61511 requirements for integrating cybersecurity in the functional safety lifecycle of a safety instrumented system (SIS), as they appear in the technical report. “This standard overlaps a number of other standards,” he explained. For example, IEC 61511, Part 1, Clause 8.2.4, indicates that a security risk assessment shall be carried out to identify the security vulnerabilities of the safety instrumented system.

“The technical report is guidance on how to integrate cybersecurity into the functional safety lifecycle,” explained Bennett. “The technical report maps on top of IEC 61511, which says the security risk assessment can range in focus from a single safety instrumented function to all the safety instrumented systems in a company.”

ISA TR84.00.09 addresses the integration of cybersecurity against internal and external threats in all phases of the functional-safety lifecycle. Section 4 of the technical report specifically addresses management of safety, controls, alarms and interlocks (SCAIs). It contains guidelines for managing the cybersecurity lifecycle for the organization, personnel competency, risk management, security planning, cybersecurity assessments, cybersecurity audits, cybersecurity configuration and change management, physical security and cybersecurity management maturity. “Part of planning is to make access to all ICS cybersecurity on a need-to-know basis, even in your own company,” explained Bennett. The fewer people with cybersecurity access, the safer the system.

Section dissection

Sections 5 and 6 address cybersecurity risk assessment/hazard and risk analysis. These sections build on traditional process hazard scenario reviews to identify cybersecurity hazards that should be considered. “One way to assess risk would be to review system architecture drawings to determine any major risks,” said Bennett. When designing firewall protections for the safety instrumented system, for example, assume that any firewall at the enterprise-network level can be compromised, and set up cybersecurity at the deeper SIS level accordingly.
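The architecture-drawing review Bennett describes can be made mechanical: model zones and conduits, assume the enterprise firewall is already compromised, and count how many intact boundaries still stand between the enterprise network and the SIS. The following is an added example, not code from the article or from the ISA technical report; the zone names, conduits and firewall names are constructed.

```python
# Added example (not from the article or the standard): a zone/conduit model
# that checks how many protective boundaries remain between the enterprise
# network and the SIS once a given firewall is assumed compromised.
# Zone names, conduits and firewall names below are constructed.
import heapq
from typing import Dict, FrozenSet, List, Optional, Tuple

# A conduit joins two zones; `boundary` names the device enforcing it (None = open link).
Conduit = Tuple[str, str, Optional[str]]

def intact_boundaries(conduits: List[Conduit], src: str, dst: str,
                      compromised: FrozenSet[str]) -> int:
    """Minimum number of non-compromised boundaries an attacker in `src`
    must cross to reach `dst` (Dijkstra; weight 1 per intact boundary,
    0 for open links and compromised devices). Returns -1 if unreachable."""
    adj: Dict[str, List[Tuple[str, int]]] = {}
    for a, b, boundary in conduits:
        cost = 0 if boundary is None or boundary in compromised else 1
        adj.setdefault(a, []).append((b, cost))
        adj.setdefault(b, []).append((a, cost))  # conduits treated as bidirectional
    best = {src: 0}
    heap = [(0, src)]
    while heap:
        cost, zone = heapq.heappop(heap)
        if zone == dst:
            return cost
        if cost > best.get(zone, float("inf")):
            continue
        for nxt, w in adj.get(zone, []):
            if cost + w < best.get(nxt, float("inf")):
                best[nxt] = cost + w
                heapq.heappush(heap, (cost + w, nxt))
    return -1

def sis_isolated_after_compromise(conduits: List[Conduit],
                                  compromised_fw: str = "FW-enterprise") -> bool:
    """The article's rule: assume the enterprise firewall is compromised and
    require at least one further intact boundary before the SIS zone."""
    return intact_boundaries(conduits, "enterprise", "sis",
                             frozenset({compromised_fw})) >= 1

# Constructed architectures. FLAT relies on the enterprise firewall alone.
FLAT = [("enterprise", "control", "FW-enterprise"), ("control", "sis", None)]
# LAYERED adds a dedicated SIS firewall behind the control network.
LAYERED = [("enterprise", "control", "FW-enterprise"), ("control", "sis", "FW-sis")]

if __name__ == "__main__":
    for name, arch in (("FLAT", FLAT), ("LAYERED", LAYERED)):
        print(name, "SIS isolated after enterprise firewall compromise:",
              sis_isolated_after_compromise(arch))
```

Running it reports the flat design as not isolated (zero intact boundaries remain) and the layered design as isolated; the same function can be pointed at any zone pair on a real drawing.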

Security levels are described in Section 7. Each level corresponds to the required effectiveness of countermeasures, and to the inherent security properties of the devices and systems in a zone or conduit, based on an assessment of risk.

Level 1 protects against casual or coincidental violation. Security should be capable of delaying or denying an attack for a period of four to eight hours. Level 2 protects against intentional violations using simple means with low resources, generic skills and low motivation, such as a disgruntled employee. “These first two levels are trying to protect against our own problems,” explained Bennett.

Level 3 is intended to protect against intentional violations using sophisticated means with moderate resources, IACS-specific skills and moderate motivation. Security should be capable of delaying or denying an attack for a period of days to weeks.

Sections 9, 10 and 11 provide guidance on cybersecurity design, engineering and implementation. “Using risk-assessment results, zone and conduit drawings, a cybersecurity requirements specification (CSRS) provides a detailed design of cybersecurity concept, procedures for cybersecurity factory and site acceptance tests (CFATs, CSATs), countermeasure design, engineering and security level verification,” explained Bennett. “For the CSRS, quantifying something that moves daily is impossible. It’s very fluid. You can’t do quantitative. Your SRS will be qualitative.”

The operation, maintenance, modification and decommissioning phases are described in sections 12, 13 and 14. Cybersecurity activities after startup include security monitoring and metrics, dealing with immediate threats, maintaining countermeasures, periodic assessments, management of change and decommissioning activities.

Get your funding

When you’re looking for cybersecurity-initiative funding, Annex A and Annex B of the technical report are good sources to take to management, recommended Bennett.

Annex A includes example SCAI interfaces, representing a series of network architectures, comparing SCAI architectures to typical cybersecurity threats and helping the owner/operator to understand the typical cybersecurity risk related to the architecture. “This can help to justify a cybersecurity project related to functional safety,” explained Bennett.

Annex B provides owner/operator examples of a high-level cyber risk assessment to understand the financial and health/safety/environmental risks, as well as a detailed cyber risk assessment to rigorously evaluate the capability of instrument and control systems.

“I really get upset about the people who would do harm and disrespect my comrades who died getting safety systems to the level they’re at,” said Bennett. “This is how we maintain the reliability of our safety systems. Now the onus is on us.”