Comment: Cyber risk threatens process safety

Enterprises in the process industry are becoming increasingly aware of the importance of relevant standards for the safety and profitability of their functional systems

Dr Alexander Horch of HIMA Paul Hildebrandt GmbH.
Dr Alexander Horch of HIMA Paul Hildebrandt GmbH.
COMMENT, Industry Trends
COMMENT, Industry Trends
Reducing risks to an acceptable level is the task of functional safety.
Reducing risks to an acceptable level is the task of functional safety.

Every production process has inherent risks, and cyber criminality is now one that needs to be given precedence. It is extremely important for enterprises in the process industry to implement effective separation of their process control and safety systems, as required by standards for functional safety and cyber security. After all, a lot is at stake: the health of employees, the assets of the company, and the environment.

To better understand the interaction of safety and security, it is helpful to clarify several terms. There are numerous definitions of safety, but a general definition is that safety is the absence of danger. However, it is frequently not possible to eliminate all possible risks, especially in complex systems, so people in the industry often say that safety means the absence of unacceptable risks.

Reducing risks to an acceptable level is the task of functional safety. This means that the safety of an application depends on the function of a corresponding technical system, such as a safety controller. If this system fulfils its protective function, the application is regarded as functionally safe.

This can be clarified with the following example: If oil is flowing out of a pipeline and endangering people in the vicinity that is a safety issue. If a system cannot prevent icing in a pipeline – even though that is its task – and a critical situation subsequently arises, that is a functional safety issue.

Functional safety systems protect people, facilities and the environment. For example, they start up or shut down systems when hazardous situations arise suddenly and people do not – or are not able to – respond, or when other safety precautions are not adequate. Functional safety systems are intended to prevent accidents and avoid costly downtime of equipment or systems.

Separate safety layers reduce risks

Enterprises in the process industry are becoming increasingly aware of the importance of relevant standards for the safety and profitability of their systems. The IEC 61511 standard for functional safety prescribes separate safety layers for control and monitoring, prevention and containment, as well as emergency measures. Each of these three layers provides specific functions for risk reduction, and collectively they mitigate the hazards arising from the entire production process.

IEC 61511 also prescribes independence, diversity, and physical separation for each protection level. To fulfill these requirements, the functions of the different layers must be sufficiently independent of each other. To be regarded as autonomous protection layers in accordance with IEC 61511, safety systems and process control systems must be based on different platforms, development foundations, and philosophies. In concrete terms, this means that the system architecture must fundamentally be designed so that no component in the process control system level or the safety level can be used simultaneously.

Rising risk of cyber attacks

In the last five to 10 years, the risk of cyber attacks on industrial systems has risen significantly due to increasing digitalisation. In addition to endangering information security, these attacks increasingly pose a direct threat to system safety.

(article continues on next page...)

System operators must be aware of these risks and actively address them by the use of various systems and measures to increase cyber security. Unlike functional safety systems, which are mainly intended to protect people, these systems and measures protect technical information systems against intentional or unintentional manipulation and attacks intended to disrupt production processes or steal industrial secrets.

These conditions mean safety and security have become closely meshed. Cyber security plays a key role, particularly for safety-oriented systems such as those in the process industry, because it forms the last line of defence against catastrophe.

Standards define the framework

Compliance with important international standards is necessary in the design, operation, and specification of safety controllers. The first of these is IEC 61508, the basic standard for safety systems, which applies to all safety-oriented systems (electrical, electronic, and programmable electronic devices) in all industry sectors. The previously mentioned IEC 61511 standard, which is derived from the basic standard, is the fundamental standard for the process industry and defines the criteria for the selection of safety function components.

The IEC 62443 series of standards for IT security in networks and systems, which effectively forms the standard for cyber security, must also be considered. Among other things, it specifies a management system for IT security, separate protection layers with mutually independent operating and protection facilities, and measures to ensure IT security over the full lifecycle of a system. It also requires separate zones for the enterprise network, control room, safety instrumented system (SIS), and basic process control system (BPCS), each of which must be protected by a firewall to prevent unauthorised access.

Cyber security by design

Standardised hardware and software in process control systems require regular updates to remedy weaknesses in the software and the operating system. However, the complexity of the software architecture makes it difficult to analytically assess the risks that could arise from a system update, potentially affecting the functions of the safety system integrated into the control system.

To avoid critical errors with unforeseeable consequences in safety-relevant processes as a result of control system updates, the process control system must be technologically separate from the safety system. This is the only way to ensure that control system updates do not impair functional safety.

For effective cyber security, it is not sufficient to upgrade an existing product by retrofitting additional software functionality. Every solution for functional safety must be conceived and developed with cyber security in mind from the start. This applies equally to the firmware and the application software.

In summary, systems that are independent of the process technology and that, thanks to the principles of independent open integration, can easily be integrated into process control systems despite physical separation, offer the highest degree of safety and security in safety-critical applications. Practical experience shows that they are the best way to increase the operational reliability and availability of process systems, and thereby to improve the profitability of production processes.

Newsletter

Most Popular

Digital Edition

Oil & Gas Middle East - March 2019

Subscribe Now