Are Integrated Safety/Security Systems Secure?

Oct. 30, 2008
Process Plant Safety Used to Be Relatively Simple
By Dan Hebert, Senior Technical Editor

A regulatory control system was in charge of the process. A completely separate safety system controlled all safety-related process areas, and a security system controlled plant access. Things are a bit more complicated now because process plant safety must encompass cybersecurity.

Integrated systems that can simultaneously address process control, safety and security complicate things further. These complex integrated systems simplify plant operations and reduce ongoing system maintenance costs. But are the cost and complexity worth it?

“Combining safety and security into an integrated system allows proactive response to alarms and events and a single real-time view to any potential threat,” says Erik deGroot, global manager for safety systems at Honeywell Process Solutions. “Industrial plants have procedures and safety systems that are designed to bring operations to a safe state in the event of equipment malfunctions and other operational problems. In the event of a significant security incident, an integrated system can activate these same procedures and systems. An integrated system also leads to less expensive implementation and maintenance because all the pieces work together.”

Noted security expert Bryan Singer, Chair of the ISA99 committee that covers Security for Industrial Automation and Control Systems, agrees that it is possible to closely integrate safety and security. “It may indeed be possible to integrate systems to any level so desired, but should we do so just because the technology supports it? The answer is an unambiguous and very clear maybe,” observes Singer.

“As soon as we integrate systems that were previously disconnected, problems can arise. There is the possibility of cross-pollinating systematic faults from failing devices or excessive network traffic, or introducing network accessible system vulnerabilities,” warns Singer.

Jan de Breet, safety-instrumented systems consultant for Yokogawa Corporation of America, has a different perspective. “I am a proponent of the layers-of-protection model found in IEC 61511,” he says. “Each layer in the model must be independent, which means that a failure in one cannot influence the proper working of any other layer. One could advocate that security should be an extra layer added to the model, but I believe that safety and security should be completely separated.”

He adds, “Process operations are busy with production and safety. Security guards, whether at the gate or in the IT department, need to be focused on cybersecurity alone. Given the difference in nature of their functions, combining safety and security in any form could very well make either one more vulnerable.”

Tom Phinney, the chairman of the IEC process automation security group, also argues for separate systems. “The fundamental problem with merging safety and security is that the timing of remediation when a fault is found is different for the two systems. Security issues must be corrected as rapidly as possible, while safety system correction must await potentially long safety reviews that ensure the correction does not introduce new safety flaws.”

Finally, some advocate evaluation of each plant on a case-by-case basis. “A risk assessment can determine whether a single platform can provide both flexibility and security,” says Mike Bush, security product manager at Rockwell Software.

“Advances in technology now allow companies to keep control system functionality separate while still using a common infrastructure for databases, networks, software, development tools and alarms and events. This allows users to achieve the operational benefits of a common platform while helping meet functional safety and security requirements through separation,” concludes Bush.

For a feature based on this column, go to