Production and IT are becoming more and more inextricably linked as part of the Industry 4.0 future project. This is also presenting growing challenges in the security segment. Hackers often find a gateway into the corporate network at the interfaces between office IT and the production network.
A study by the software company Kaspersky conducted in 2017 revealed that around one in three cyber attacks are against computers for industrial control systems, and thus are targeted at manufacturing companies. Every year, the incidence of malware and the associated damage to industrial systems increases. The “Triton” malware, in combination with a cyber attack against a Safety Instrumented System (SIS), is a current case which demonstrates that this is a far from hypothetical scenario.
The worlds of safety and security meet when automated solutions for implementing functional safety become the target of hackers. A common strategy must therefore be developed for the future.
Industrial control systems are currently exposed to various threats, such as:
- Malware infections via the Internet and Intranet
- Introduction of malware via removable media and other external hardware
- Social engineering, i.e., influencing people in order to bring about certain types of behavior
- Human error and sabotage
- System intrusion via remote maintenance solutions
- Control components coupled via the Internet using IP protocol
- Technical errors and force majeure
- Hacked smartphones in the production environment, as well as Extranet and cloud components
How is cybersecurity differentiated from functional safety?
Functional safety represents the correct function of safety-related (control) systems and of other risk reduction measures. In this case, when a critical error occurs, the controller initiates the safe state. The requirements concerning the nature of safety-related control components are described in the type B standard EN ISO 13849 and the IEC 61508/IEC 61511/IEC 62061 series of standards. Depending on the degree of risk, corresponding risk reduction measures are classified into different safety levels: performance level (PL) or safety integrity level (SIL).
Cybersecurity, on the other hand, protects goods from attacks on the availability, integrity, and confidentiality of their data. This is achieved through preventive or reactive technical and/or organizational measures. If one neglects the security aspects in the safety application, this can have direct consequences for production facilities. It can also have an indirect impact on the production process and therefore the end product. Examples are pharmaceutical items or safety-relevant components for the automotive industry. Here, changes can have a significant negative impact on consumers. Standard IEC 61511-1 therefore requires an IT risk assessment to be carried out for safety equipment in the process industry. The operator must perform the IT risk assessment according to NAMUR’s NA procedure and implement the identified measures. This enables them to assess their PCE safety equipment according to the current state of the art and to fulfill their duty of care.
Active search for vulnerabilities
When considering the aspects of functional safety and access security, the potential risk must initially be considered based on a risk assessment or, more specifically, an IT threat analysis. This already shows a significant difference in the approach. Designers must be more aware of static risks, for example mechanical or electrical hazards, as part of the Machinery Directive risk assessment. The IT security expert, on the other hand, finds themself in a constantly changing environment. In the latter case, attackers are always actively looking for new ways to exploit vulnerabilities which would be considered systematic errors in the field of functional safety.
Another important aspect to consider is the human factor: The expression “foreseeable misuse” is used in the context of the safety of machinery, for example to describe situations where safety equipment, such as a door switch, is tampered with by operating personnel. In contrast, large-scale cyber attacks on industrial facilities are assumed to involve a high level of criminal energy.
Initial approach in a NAMUR worksheet
Manufacturers, system integrators, and operators must safeguard the product lifecycle of safety-related systems or components. To this end, they can apply needs-based quality management in accordance with IEC 61508 within a functional safety management system. A comparable solution for this exists in the security world in the form of information security management in accordance with ISO 27000.
The worksheet published by NAMUR entitled “IT risk assessment of PCE safety equipment” adopts an initial pragmatic approach which leads in this direction. It describes a procedure for IT risk assessment based on the IEC 62443 security standard. This procedure is the basis for increasing the resistance of the PCE security device to IT threats. For this purpose, the three steps of the first phase are carried out exemplarily for a system typically found in NAMUR member companies. This allows the user to check whether the procedure can be used for the PCE safety equipment being assessed. The second phase involves monitoring the implementation of the measures and documenting the IT security requirements and general conditions. The second phase must be run through individually for each piece of PCE safety equipment.
Risk assessment in accordance with NAMUR recommendation NA 163
No adverse effects on functional integrity
The hardware and software of the system under study is divided into two sections:
- The core PCE safety equipment in zone A comprises the PCE safety equipment as defined in IEC 61511-1. This includes the logic system, the input and output modules including remote I/O, and also the actuators and sensors. Connections and, if applicable, available network components (such as cables or switches) that are used to interface with devices located in zone A are also assigned to this zone.
- Components that are not strictly necessary for implementation of the safety function are assigned to the extended PCE safety equipment in zone B. Nevertheless, these components can influence the behavior of the core PCE safety equipment. They could include operator/control panels, visualization stations, the programming unit for the PCE safety equipment, and also devices for sensor/actuator configuration.
In the area of the environment there are components and systems that are neither directly nor indirectly assigned at the PCE safety equipment. However, they may be related to the safety function. These could be reset requirements or the visualization of the status of the safety function.
The common objective of the zones is to ensure that the functional integrity of the safety equipment is not compromised by feedback effects from the environment.
Comprehensive training of relevant personnel
Measures must be taken to reduce the effects of compromised PCE safety equipment or to counteract threats. The human factor also plays a significant role in this process. The blame for more than 50 percent of cybersecurity incidents ultimately lies with employees. It is therefore important that there is an IT security officer responsible for the security equipment. All persons involved in the specification and design of the safety equipment should be made aware and trained accordingly. Furthermore, it is advisable for the end user to conclude confidentiality agreements with their manufacturers, suppliers, and external operators to safeguard information and knowledge in relation to the safety system.