As organizations implement connected, information-enabled architectures to improve productivity, efficiency and safety, industrial security cannot be far behind.
Whether it’s remote access to production machinery, wireless access to pumping stations, or connecting plant-floor equipment to the IT infrastructure, greater connectivity can provide significant improvements in productivity and safety. But it also increases risks—not only to intellectual property, profits and mission-critical production assets, but also to people and the environment.
Safety systems are designed to detect faults, alert operators and automatically intervene. By altering or attacking safety systems, security breaches can force a standard control system to operate beyond its safety parameters, damage equipment and the environment, or even place workers and the public in unsafe situations.
The connected enterprise unites people, processes and things. It brings together enterprise-level IT and plant-level operations technology (OT) systems into a common network infrastructure. And it harnesses the power of enabling technologies, from data and analytics software to smart devices that make up the Internet of Things (IoT).
What does this mean for manufacturers and industrial operators? It means production intelligence for measuring and improving nearly every aspect of their operations, including quality, productivity, uptime and overall equipment effectiveness (OEE). It means enterprise-wide connectivity for instantaneous information sharing and seamless collaboration across an organization. It means remote monitoring of critical production assets and systems dispersed across remote locations.
For all the opportunities, however, there are also risks. More connection points can create more entrance points for security threats. These threats can be physical or digital, internal or external, and malicious or unintentional. And they can pose a danger in many ways, including intellectual property loss, disrupted operations and compromised product quality.
Safety is perhaps the least discussed implication of security threats.
Safety as attack vector
Breached machine- and process-safety systems can create cascading safety consequences. For starters, compromised safety systems that don’t stop machines when they reach a dangerous state or when a safety device is triggered can expose workers to the very hazard they are supposed to be protected from. Additionally, safety systems that aren’t able to stop production beyond certain operating conditions can expose other employees or an entire plant to risks, such as fires, chemical leaks or explosions.
The risks can be especially high in industries where employees work with hazardous or volatile materials, such as in chemical manufacturing. And the risks will only grow as collaborative robotics become more prevalent, with employees and robots working side-by-side on production lines.
Compromised safety systems also could put consumers at risk. Consider the potential impact of a cyberattack that alters processes in a food or pharmaceutical manufacturing operation. It could result in harmful or even deadly contaminations. And even if an attack is discovered before affected product leaves the facility, it could delay the delivery of urgently needed products like life-saving medications.
Likewise, tampered or disrupted processes in critical-infrastructure facilities could impact the critical water and energy supplies on which populations depend.
Security breaches and vulnerabilities resulting in safety risks aren’t just theoretical. They’re a reality:
Security risks that can result in safety implications can take many forms. Some key risk types include:
Secure environment means safety
Governments concerned about disruptive and dangerous cybersecurity attacks on plants and critical-infrastructure operations are already working with manufacturers and industrial operators.
For example, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) responded to 295 cybersecurity incidents in 2015 across 16 critical-infrastructure sectors. The three sectors that garnered the most responses were:
Still, much work remains. Organizations need to be more proactive in addressing safety through security. They should incorporate four key elements into their approach:
Some requirements do exist within safety standards to help manufacturers and industrial operators address safety through security:
Section 7.4 of IEC 61508 (“Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems”) directs companies to conduct a security threat analysis if their hazard analysis identifies a reasonably foreseeable “malevolent or unauthorized action” that constitutes a security threat. In practice, however, few companies follow this requirement.
The second edition of IEC 61511 (“Functional Safety: Safety Instrumented Systems for the Process Industry Sector”), which was released late last year, will require security risk assessments to be conducted for safety instrumented systems (SIS). The SIS design also must deliver the necessary resilience against the identified security risks.
These requirements may not be elaborate, but they do provide formal compliance guidelines for addressing security-based safety risks. They should be followed. Meanwhile, standards bodies are also exploring additional updates that could go further in detailing how industry must identify and address safety through security.
Integrating safety and security
Safety and security have traditionally been viewed as separate entities, but there is a commonality between them in the approaches used to analyze and mitigate risks.
For example, the concept of “access control” is common between safety and security. In both cases, policies and procedures emanate from business practices, risk-management approaches, application requirements and industry standards. Both also seek to help protect an organization’s assets, including its people, processes, equipment and intellectual property.
Manufacturers and industrial operators that want to reduce the likelihood of security-based safety incidents will need to rethink safety in this way. Specifically, they need to start thinking of safety and security in relation to each other.
To understand how this can happen, organizations should first consider the “three Cs of safety,” which is a set of practices that best-in-class manufacturers share:
Next, organizations should consider how security can integrate into each of these core safety pillars.
Companies should implement a companywide risk-management strategy to manage security threats and vulnerabilities, as well as their potential implications on safety. Two assessments are essential to this strategy:
Companies that use a third-party vendor to conduct these assessments should seek out a vendor with expertise in safety and security. This can help confirm consistency and alignment between the two assessments.
Risk mitigation measures
The specific mitigation measures an organization implements will depend on its unique set of security risks and their potential impacts on safety. However, there are some key mitigation measures that most manufacturers and industrial operators should implement as a best practice:
Segmentation into zones: This is a core security best practice. Every plant should do it as part of a holistic defense-in-depth security approach to help limit access to safety systems. An industrial demilitarized zone (IDMZ) with firewalls and data brokers can securely segment the plantwide network from the enterprise network. Also, using virtual LANs (VLAN) and a layer-2 or layer-3 switch hierarchy can create functional sub-zones to establish smaller domains of trust and simplify security policy enforcement.
Physical access: Quite a few organizations use RFID cards to manage facility access control. But physical-access security should go further than that to protect safety systems. Lock-in, block-out devices should be used to prevent the unauthorized removal of cables and to close unused or unnecessary ports. And users should lock control cabinets to restrict walk-up and plug-in access to the industrial automation and control system devices. More advanced physical-access security also is emerging, such as IP video surveillance systems that can use analytics for facial recognition.
Network-integrated safety and security: CIP Safety and CIP Security are extensions to the common industrial protocol (CIP), which is the application-layer protocol for EtherNet/IP. CIP Safety allows safety devices to coexist on the same EtherNet/IP network as standard devices, and enables a safe shut down in the event of a denial-of-service attack. CIP Security incorporates data integrity and confidentiality into EtherNet/IP communications. Working together, devices that incorporate CIP Safety and CIP Security can help protect against data corruption and malicious attacks on safety systems.
Safety products with built-in security: Safety systems and other hardware should include built-in security features. For example, a safety controller that uses keyed software can ensure firmware only downloads from a trusted source, while an access door can restrict physical access to the controller. An industrial managed switch with access control lists (ACL) can also help ensure that only authorized devices, users and traffic access the network.
Authentication and authorization: Security software features can restrict wired and wireless access to the network infrastructure. For example, authentication and authorization security is a key element in human-machine interface software and can limit safety-system access to only authorized individuals. This can help protect against malicious and accidental internal threats. Security personnel can define who can access the software, what specific actions they can perform and on which specific hardware, and from where they can perform those actions.
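The four-dimensional policy described above (who, which action, which hardware, from where) as a deny-by-default check, written as an added example for this article rather than code from any HMI product; the roles, device names and station names are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    """One grant: a role may perform these actions on these devices from these stations."""
    role: str
    actions: frozenset
    devices: frozenset
    stations: frozenset

# Constructed policy (assumed names). Safety-relevant actions are reserved for the
# safety_engineer role; editing the safety configuration is further restricted to
# the engineering workstation, so it cannot be done from the line HMI at all.
POLICY = (
    Rule("operator", frozenset({"view", "start", "stop"}),
         frozenset({"Line1-PLC"}), frozenset({"HMI-Line1"})),
    Rule("safety_engineer", frozenset({"view", "reset_estop"}),
         frozenset({"Line1-SafetyPLC"}), frozenset({"HMI-Line1", "ENG-WS-01"})),
    Rule("safety_engineer", frozenset({"edit_safety_config"}),
         frozenset({"Line1-SafetyPLC"}), frozenset({"ENG-WS-01"})),
)

# Constructed user-to-role mapping; a real system would take this from its identity store.
USER_ROLES = {"alice": frozenset({"operator"}), "bob": frozenset({"safety_engineer"})}

def authorize(user, action, device, station, policy=POLICY, user_roles=USER_ROLES):
    """Deny unless some rule matches on all four dimensions; return (allowed, reason)."""
    roles = user_roles.get(user)
    if not roles:
        return False, f"unknown user {user}"  # no authenticated identity, no access
    for rule in policy:
        if (rule.role in roles and action in rule.actions
                and device in rule.devices and station in rule.stations):
            return True, f"granted by role {rule.role}"
    return False, "no matching rule"

def audit(user, action, device, station):
    """Evaluate the request and return one log line for the security team's records."""
    allowed, reason = authorize(user, action, device, station)
    verdict = "ALLOW" if allowed else "DENY"
    return (f"{verdict} user={user} action={action} device={device} "
            f"station={station} reason={reason}")
```

Every decision, allowed or denied, is returned as a log line so that attempts to reach safety-system functions from the wrong role or station are visible to the security team.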
Asset and change management: Asset-management software can automate the discovery of new assets and centrally track and manage configuration changes across an entire facility, including within safety systems. It can detect malicious changes in real time, log those activities and report them to key personnel. If unwanted changes occur, the software can access archived copies of a device program for fast recovery.
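The change-detection and recovery loop outlined above, as an added illustration that is not code from any asset-management product: device program images are fingerprinted against an archived baseline, unapproved changes and new or missing assets are reported as events, changes that went through change management update the baseline, and the archived copy is restored for recovery. The device names and image contents are constructed sample data.

```python
import hashlib
from datetime import datetime, timezone

# Constructed sample inventory: device name -> program/configuration image.
# A real asset-management tool would read these from the controllers themselves.
BASELINE = {
    "SafetyPLC-01": b"safety_program v1.3 estop_timeout_ms=500",
    "LineHMI-02": b"hmi_project v2.0",
}

def fingerprint(image: bytes) -> str:
    """SHA-256 of a device program/configuration image."""
    return hashlib.sha256(image).hexdigest()

def build_archive(inventory: dict) -> dict:
    """Archive the approved fingerprint plus a recovery copy for every device."""
    return {name: {"sha256": fingerprint(img), "copy": img, "ticket": "initial"}
            for name, img in inventory.items()}

def detect_changes(archive: dict, current: dict) -> list:
    """Compare a fresh snapshot with the archive and return change events to report."""
    now = datetime.now(timezone.utc).isoformat()
    events = []
    for name, img in current.items():
        if name not in archive:
            events.append({"time": now, "device": name, "event": "new_asset"})
        elif fingerprint(img) != archive[name]["sha256"]:
            events.append({"time": now, "device": name, "event": "unapproved_change",
                           "expected": archive[name]["sha256"],
                           "observed": fingerprint(img)})
    for name in archive.keys() - current.keys():
        events.append({"time": now, "device": name, "event": "asset_missing"})
    return events

def approve_change(archive: dict, device: str, image: bytes, ticket: str) -> None:
    """Record a change that went through change management as the new baseline."""
    archive[device] = {"sha256": fingerprint(image), "copy": image, "ticket": ticket}

def recover(archive: dict, current: dict, device: str) -> bytes:
    """Restore the archived copy over an unapproved change for fast recovery."""
    current[device] = archive[device]["copy"]
    return current[device]
```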
Vulnerability management: Processes and procedures should ensure fast action when safety and security advisories are released. This includes having processes in place to immediately review advisories and determine their potential impact. It also includes implementing patch-management procedures for affected products.
Security isn’t only about protecting data and uptime. It’s about protecting people and the environment, as well as the critical infrastructures and supplies on which populations depend. Organizations that want to stay ahead of these risks will need to achieve compliance with the latest standards, holistically integrate safety and security, conduct a comprehensive risk analysis, and implement risk mitigation measures using the latest technologies.