Do Safety and Security Mix?

Oct. 30, 2008
Combining Safety and Security Simplifies Plant Operation, But Are Integrated Systems Secure?

By Dan Hebert, PE

Process plant safety used to be relatively simple. A regulatory control system was in charge of the process. A completely separate safety system controlled all safety-related process areas, and, finally, a security system controlled plant access.

Things are a bit more complicated now because process plant safety must encompass cybersecurity. Another complicating factor is the availability of integrated systems that can simultaneously address process control, safety and security. Once installed, these complex integrated systems can provide value by simplifying plant operations and reducing on-going system maintenance costs. But is the cost and complexity of an integrated safety and security system worth it?

“Combining safety and security into an integrated system allows proactive response to alarms and events, and it provides everyone a single real-time view to any potential threat,” says Erik deGroot, global manager for safety systems at Honeywell Process Solutions.

“Industrial plants have procedures and safety systems that are designed to bring operations to a safe state in the event of equipment malfunctions and other operational problems. In the event of a significant security incident, an integrated system can activate these same procedures and systems. Additionally, an integrated system leads to less expensive implementation and maintenance because all the pieces work together, even as technology continues to evolve,” adds deGroot.

But combining safety and security requires careful planning. “Integrated systems allow smooth and safe plant operation, but separation must still be maintained. The challenge is knowing when to integrate and when to keep systems separate. Dedicated safety-related functions, such as the actual safety application, must stay segregated and must be subject to high safety integrity,” concludes deGroot.

David Kleidermacher, the CTO of Green Hills Software, an operating system vendor specializing in highly secure systems, agrees with deGroot. “It is possible to mix multiple levels of safety and security in control systems, in fact this technique is already being used in aircraft,” he says. “Aircraft and other applications are being driven by requirements for enhanced security while simultaneously improving the cost, power and usability of computer systems. So instead of having two pieces, one that provides control- system management and one that provides corporate network access, we can consolidate systems and also make them more secure,” claims Kleidermacher.

A Clear, Unambiguous Maybe

Noted security expert Bryan Singer, chairman of the ISA99 committee that covers security for industrial automation and control systems, agrees that is possible to tightly integrate safety and security. “It may indeed be possible to integrate systems to any level so desired, but should we do so just because the technology supports it? The answer is an unambiguous and very clear maybe,” observes Singer.

“As soon as we integrate systems that were previously disconnected, problems can arise. There is the possibility of cross-pollinating systematic faults from failing devices or excessive network traffic or introducing network accessible system vulnerabilities. Both scenarios make it very likely that a safety system can fall victim to threats,” warns Singer.

“There is no reason why integrating these systems must be more insecure; but deployment requires careful planning, design and testing. To make an integrated system safe, we must do several things very well,” he says. These include:

  1. Where physical isolation on separate networks is not possible, logical separation through VLANs, access control lists, etc., is a must.
  2. Redundancy and capacity on the network is critical. We must be sure that a fault in one area cannot cascade to a system-wide fault that affects safety systems.
  3. Device testing is very important, as we need to accurately know the failure modes and tolerances of given components to understand whether or not we will create an unsafe condition.
  4. Tried and tested security principles, such as no single points of failure, must be adhered to.

Singer thinks separate systems are better from a cybersecurity standpoint, but he realizes that many plants will implement integrated systems to save money and simplify plant operations. Others are more adamant and believe separation is a requirement.

Equal, but Separate

“I am a proponent of the layers-of-protection model found in IEC 61511,” explains Jan de Breet, safety instrumented systems consultant for Yokogawa Corporation of America  (See Figure 1).

“Each layer in the model must be independent, which means that a failure in one cannot influence the proper working of any other layer. One could advocate that security should be an extra layer added to the model, but I believe that safety and security should be completely separated,” adds de Breet.

“Process operations are busy with production and safety. Security guards, whether at the gate or in the IT department, need to be focused on cybersecurity alone. Given the difference in nature of their functions, that is internal versus external protection, combining safety and security in any form could very well make either one more vulnerable,” cautions de Breet. 

Others share de Breet’s opinion. “Personal safety, cyber and physical plant security systems must operate in almost total isolation of each other,” says Ernie Rakaczky, principal security consultant for enterprise architecture and integration at Invensys Process Systems.

“This is critical not only to fulfill their basic operating requirements, but also to ensure that their successful operation is not dependent on the performance of any other system. This provides multiple levels of protection, eliminating a single point of failure, while at the same time enabling continuous and independent validation of each system’s performance,” he adds.

Jeff Myatt, product manager for L-com Connectivity Products, gives another reason for separate systems. “System engineers and integrators are often enticed by the promise of one platform that can simplify both software and hardware integration. However, realties often don’t meet expectations because separate sub-systems are often more reliable, even though they can potentially be more expensive and more difficult to integrate,” he says. “The most reliable systems are engineered to include more than one manufacturer, with each chosen for their strengths or core competencies. Scalability is the key attribute of any system, and an integrated system can lead to scalability limitations and catastrophic failures that are costly to diagnose and fix.”

Fundamental differences between safety and security systems argue for separate platforms. “Security should be handled as a separate subsystem because it is far more difficult to bypass, especially during an emergency,” observes Keith Jones, Wonderware marketing program manager for HMI, supervisory, SCADA and platforms.
“Safety systems are not designed to be updated frequently as are security systems, and models for security systems may change and evolve relatively quickly. Safety systems are generally designed to be unique to a particular site, installation or integration, and need to be changed only when processes change or laws change,” adds Jones.

Tom Phinney, the chairman of the IEC process automation security group, seconds Jones’ point. “The fundamental problem with merging safety and security is that the timing of remediation when a fault is found is different for the two systems. Security issues must be corrected as rapidly as possible, while safety system correction must await potentially long safety reviews that ensure the correction does not introduce new safety flaws.  In the worst case, safety corrections to a TÜV-approved technology may need to wait a year or more for TÜV approval, whereas security needs immediate fixes to avoid increasingly common zero-day exploits.”

Finally, some advocate evaluation of each plant of a case-by-case basis to see if an integrated safety and security system makes sense for the particular application. “A risk assessment can determine whether a single platform can provide both flexibility and security,” says Mike Bush, security product manager at Rockwell Software.

“Advances in technology now allow companies to keep control system functionality separate while still using a common infrastructure for data bases, networks, software, development tools, and alarms and events. This allows users to achieve the operational benefits of a common platform while helping meet functional safety and security requirements through separation,” concludes Bush.

Dan Hebert, PE, is Control’s senior technical editor.