Only by looking at a wider solution, through a combination of functional safety and IT security, can oil and gas businesses truly ensure their overall safety. HIMA’s Peter Sieber explains.
Cyber security, as we all know, is an increasing threat and in Asia, if reports are to be believed, the current threat is at a greater level – due to ill preparedness – than in any other region on earth. The cyber security threat has expanded from its origins in the home and office PC environment to the oil and gas industry and, more specifically, into industrial control systems.
According to a 2015 survey by IBM, manufacturing sites are more likely to experience a cyber-attack than the financial services sector, which is a surprising and sobering revelation. The Internet of Things (IoT) revolution is highlighting the need for engineers to have more IT knowledge, and vice versa for their IT colleagues. They need to be concerned with, and communicate about, the same issues, and therefore they need to understand each other’s world.
Rather neatly, in the German language, ‘Sicherheit’ is the word which means both safety and security and, therefore, it is no surprise that HIMA, with its German antecedents, should view the safety and security of a facility – be that upstream, mid-stream or downstream – as something that should not be addressed separately.
Safety-related automation solutions must not only provide functional safety, they also need to ensure cyber security. To differentiate the two: the objective of functional safety is to protect people, machinery and the environment; in other words, the environment must be protected from the plant.
Cyber security, on the other hand, focuses on data availability, integrity and confidentiality. With cyber security, the plant must be protected from the environment. Only the combination of functional safety and information security ensures the overall safety of the plant.
Large scale oil and gas projects involve many different companies, all with different security objectives. Manufacturers wish to ensure protection of their operating systems, integrators want to safeguard their engineering know-how and users are responsible for the protection of system operations. So there is no easy way to ensure cyber security as all these perspectives have to be considered and vendors, integrators and end users have to bundle their knowledge.
International standards for plant safety
IEC 61508 is the international standard of rules for the functional safety of electrical, electronic, and programmable electronic safety-related systems. According to IEC 61508, functional safety is part of the overall safety that depends on functional and physical units operating correctly in response to their inputs. The objective of IT security must be to protect operations from any possible negative influences, thereby eliminating, or at least minimizing, potential hazards to people, environment, and assets.
Even ruling out malicious threats, the fact remains that IT security vulnerabilities can be found in almost any kind of automation system. This includes the safety-related system itself and the distributed control system (DCS), of which the safety system may be a part. This is one reason why many safety experts call not only for the physical separation of safety instrumented system (SIS) and DCS components, but also for different engineering staffs and/or vendors to be responsible for each.
Let’s take a look at two other standards. Firstly, there is international standard IEC 61511 for the SIS. Whether independent or integrated into an overall basic process control system (BPCS), the SIS is a fundamental component of every industrial process facility. Figure one shows what IEC 61511 looks like in practice:
In this model, the industrial process is surrounded by risk reduction layers. These collectively reduce the risk to an acceptable level. The required risk reduction factor for the different layers is set by the safety integrity level (SIL).
The first line of protection for any plant is the control and monitoring layer, which includes the BPCS. The BPCS reduces the risk of the occurrence of an unwanted event. The prevention layer includes the SIS. The hardware and software at this level perform individual safety instrumented functions (SIFs).
To reduce the overall risk to an acceptable level, the majority of critical industrial processes require an SIS that fulfils the requirements of SIL 3. This equates to a risk reduction factor of at least 1000. At the mitigation layer, technical systems are required to reduce damage should the inner protection layers fail.
Mitigation systems are not usually encountered as part of the safety system. This is because they are only activated after the occurrence of an event. Mechanical equipment or structural features are often used in mitigation systems. Examples include retention basins or automatic fire suppression systems.
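The layer model above can be worked through numerically. The block below is an added illustration (not the article's or HIMA's code): constructed demand frequencies, PFD values and a tolerable target are run through independent protection layers to find the risk reduction the SIS must still provide, and that requirement is mapped onto the IEC 61508 low-demand SIL bands (SIL 3 corresponding to a risk reduction factor of 1000 to 10000, as the text states). It also checks the independence the standard demands, since a component shared by two layers is a common-cause path that invalidates the arithmetic.

```python
"""IEC 61511 protection-layer arithmetic for the model described above.
Added illustration, not the article's or HIMA's code. Frequencies, PFD values
and the tolerable target are constructed; SIL bands are IEC 61508 low-demand
bands (SIL 3 <=> risk reduction factor 1000 to 10000)."""
from dataclasses import dataclass

SIL_BANDS = {1: (10, 100), 2: (100, 1_000), 3: (1_000, 10_000), 4: (10_000, 100_000)}

@dataclass(frozen=True)
class Layer:
    name: str
    pfd: float                              # average probability of failure on demand
    components: frozenset = frozenset()     # equipment the layer relies on

def check_independence(layers):
    """IEC 61511 requires independent layers: a sensor or valve shared by two
    layers is a common-cause path, and the product rule below no longer holds."""
    owner = {}
    for layer in layers:
        for comp in layer.components:
            if comp in owner:
                raise ValueError(f"{comp} shared by {owner[comp]} and {layer.name}")
            owner[comp] = layer.name

def residual_frequency(initiating_per_year, layers):
    """Hazard frequency left when every (independent) layer fails on demand."""
    check_independence(layers)
    freq = initiating_per_year
    for layer in layers:
        freq *= layer.pfd
    return freq

def required_sis_rrf(initiating_per_year, tolerable_per_year, other_layers):
    """Risk reduction the SIS must still deliver after crediting the other layers."""
    return residual_frequency(initiating_per_year, other_layers) / tolerable_per_year

def sil_for_rrf(rrf):
    """SIL band containing an RRF; 0 below the SIL 1 band, None above SIL 4
    (where the process itself, not the SIS, should be redesigned)."""
    if rrf < 10:
        return 0
    return next((s for s, (lo, hi) in SIL_BANDS.items() if lo <= rrf < hi), None)

# Constructed scenario: demand 0.1/yr, tolerable 1e-5/yr, BPCS credited with
# the customary PFD 0.1, SIS trip on its own transmitter, valve and logic solver.
BPCS = Layer("BPCS loop", 0.1, frozenset({"PT-101", "PV-101"}))
SIS = Layer("SIS trip", 5e-4, frozenset({"PT-201", "XV-201", "logic solver"}))
REQUIRED_RRF = required_sis_rrf(0.1, 1e-5, [BPCS])   # about 1000 -> SIL 3
ACHIEVED = residual_frequency(0.1, [BPCS, SIS])      # about 5e-6/yr, within target
```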
Now let’s consider the IEC standard for cyber security. IEC 62443, which is currently in draft form, covers the necessary security techniques to prevent cyber-attacks on facility networks and systems.
IEC 62443 contains seven foundational requirements. These consider the various security objectives, such as protecting a system against unauthorized access. IEC 62443 also covers the protection of networks within automation systems. As indicated by figure 2, it requires the separation of the overall system.
It also introduces the concept of security zones, defined conduits, and additional firewalls at every conduit that connects one security zone to another one with different requirements. This structure creates a tiered system of different defense mechanisms. The firewalls have different technical requirements depending on which security level each zone requires.
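The zone-and-conduit structure just described can be expressed as a model and audited. The block below is an added example (not the article's or HIMA's code): zone names, their target security levels and the rule that a conduit's firewall must be rated for the higher of the two zones' levels are constructed assumptions; the check itself is the one the text states, namely that every conduit joining zones with different requirements must carry a firewall.

```python
"""Zone-and-conduit audit for the IEC 62443 structure described above.
Added illustration, not the article's or HIMA's code. Zone names, security
levels and the 'firewall rated for the higher SL' rule are constructed."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Zone:
    name: str
    security_level: int          # IEC 62443 target SL, 1 (lowest) to 4

@dataclass(frozen=True)
class Conduit:
    src: str
    dst: str
    firewall_level: int = 0      # 0 = no firewall on this conduit

def audit(zones, conduits):
    """Return findings; an empty list means every conduit that joins zones of
    different SL has a firewall, rated for the higher SL (assumed rule)."""
    by_name = {z.name: z for z in zones}
    findings = []
    for c in conduits:
        a, b = by_name[c.src], by_name[c.dst]   # KeyError flags an undeclared zone
        if a.security_level == b.security_level:
            continue                             # same requirements: no tier boundary
        needed = max(a.security_level, b.security_level)
        if c.firewall_level == 0:
            findings.append(f"{c.src}->{c.dst}: SL {a.security_level} to "
                            f"SL {b.security_level} without a firewall")
        elif c.firewall_level < needed:
            findings.append(f"{c.src}->{c.dst}: firewall rated SL "
                            f"{c.firewall_level}, SL {needed} required")
    return findings

# Constructed plant: SIS zone has the highest requirements and is kept apart
# from the DCS zone; the first layout leaves the DCS->SIS conduit unprotected.
ZONES = [Zone("enterprise", 1), Zone("DCS", 2), Zone("SIS", 3)]
WEAK = [Conduit("enterprise", "DCS", 2), Conduit("DCS", "SIS")]
UNDERRATED = [Conduit("enterprise", "DCS", 2), Conduit("DCS", "SIS", 2)]
FIXED = [Conduit("enterprise", "DCS", 2), Conduit("DCS", "SIS", 3)]
```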
Standards and structures require protection
So what needs to be protected? According to the most recent version of IEC 61511, the answer is that both organizational demands and physical structures need to be given equal consideration. The standard calls for the following:
- carry out a security risk assessment of the SIS;
- make the SIS sufficiently resilient against the identified security risks;
- safeguard the performance of the SIS: error detection and correction, protection against unwanted program alterations, protection of data for troubleshooting the SIF, and protection against bypassing restrictions to prevent the deactivation of alarms and manual shutdown;
- enable/disable read/write access via a sufficiently secure method.
In terms of structural requirements, IEC 61511 instructs plant operators to conduct an assessment of their SIS. They should:
- ensure independence between protection layers;
- establish diversity between protection layers;
- physically separate protection layers;
- identify and avoid common-cause failures between protection layers.
Another IEC 61511 note, and one that has particular bearing on the correlation between cyber security and plant safety says: “Wherever feasible, the Safety Instrumented Functions should be physically separated from non-safety-related functions.” The IEC 61511 and IEC 62443 standards both demand independent protection layers. Indeed, both standards stipulate:
- Independence of control and safety
- Measures to reduce systematic errors
- Separation of technical and management responsibilities
- Reduction of common-cause failures
Both standards also reinforce that the entire system is only as strong as its weakest link. When using integrated safety systems (where the safety system and standard automation system are on the same platform), all hardware and software that could impair the safety function should be treated as part of the safety function. This means that the standard automation system must be subjected to the same management process as the safety system.
In addition to technical measures, the user must also take organizational measures that are of crucial importance for cyber security. No available technology can develop protection against new attack possibilities. For this reason, there is a great demand to test internal networks on a regular basis, e.g., by manually performing penetration and fuzzing tests. It is also critical to be aware of and continuously consider the possibilities of manipulation.
For instance, if an operator can shut down the plant via an industrial protocol, it might not be a problem for a hacker to do this as well. Additionally, we must also appeal to the good sense of everyone responsible. If, for example, a staff member hands out his password, hackers will have a cakewalk. Likewise, the DCS system should not be used for surfing the Internet or playing video games.
There are a multitude of ways of achieving cyber security in industrial facilities. In addition to the technical security measures we have covered, organizational measures derived from the experience of the IT world are necessary.
Furthermore, all security-relevant information should be meticulously documented at every step of project planning and over the entire life of the plant. Manufacturers, integrators and users must always incorporate the latest security insights and ensure rigorous quality assurance procedures. If all these measures are taken into account, the oil and gas sector can be operated securely today and into the future.
Peter Sieber is vice president global sales and regional development of HIMA. He has worked in process automation since 1985 and is a member of steering committees working on functional safety (IEC 61508) and IT security (IEC 62443). More recently Sieber has been involved in IEC TC 65 WG 20.1 which considers the application of IEC 61508 and IEC 62443 in parallel.