Security Safeguard: Defend and Protect Your Crown Jewels Against Cyber Threats
Safety Instrumented Systems (SIS) are considered a plants last layer of defense and assures a process is maintained within safe operating limits with fail-safe protection. To assure fail-safe conditions, SIS’s were originally designed using hardwired analog systems and physical processes such as spring-loaded safety valves and mechanical over-speed trips. With the advancement in networking and sensor technologies, combined with the continued convergence of control system platforms, many SISs are no longer isolated and are using standard networking technologies. As a consequence, the cyber risks and vulnerabilities associated with ‘connected’ systems are a real world concern.To date, there have already been numerous actual cases where SISs have been affected by cyber conditions (both intentionally and unintentionally) leading to equipment damage and unfortunately fatalities.
Security is generally provided via the utilization of firewalls and network segmentation within the system design
However SISs are also using technologies utilized in a Basic Process Control System (BPCS) including controllers, process sensing, and I/O from the BPCS LAN. The interface to the BPCS HMI is generally via gateways accessible to the process control network (PCN) using terminal servers, OPC servers on the Process Control Network (PCN) or a direct connection using a Modbus TCP interface. Smart field devices often have no inherent security and generally utilize digital bus technologies such as Fieldbus or Profibus for diagnostics and system configuration, which are also not inherently secure. These smart field devices are generally also connected to asset management systems. From the above description it should be evident that the once isolated SIS is no longer isolated and with multiple potential cyber threat paths, despite the use of firewalls and network segmentation.
There are still on-going efforts to find a balance between safety and security. This is a trend set to continue as the industry understanding of this often-misunderstood area matures.
As an example of finding a balance, one plant has utilized hardwired certified trip amplifiers to connect the smart sensors to the safeguarding final elements. A second plant has utilized a certified programmable electronic logic solver that employs a broadly used computing operating system (e.g., Windows) to connect the same smart sensors to the final safeguard elements. From a traditional safety perspective, both plants would have “equally safe” SISs. However, the first plant would not be nearly as vulnerable to a cyber-attack as the second and consequently the risk and actual safety would be different.
The lack of segmentation of the SIS introduces effectively a “back-door” into the SIS from the BPCS. The concerns raised are:
- - Some of the vulnerabilities have been demonstrated in field device protocols that can compromise asset management systems.
- - Threat actors such as Black Energy/Havex have targeted OPC servers.
- - Sophisticated attacks (e.g. Stuxnet) compromised the automatic safety systems.
- Some vendors and consultants are leaving it to the end-user to decide when to interconnect versus isolating the SIS from the BPCS. As an example, a published article in a 2014 oil and gas magazine stated:
- "Safety and control can be on the same network. The decision is mostly based on personal preference or corporate philosophy. Most installations have them separated. The biggest reason given for avoiding the use of the same network is to avoid common mode failures. When safety is on the same network, protocols are used to keep them separate. Most of the integrated safety systems can share the network."
There are many facets of security related to SISs that every organization should address during the complete system lifecycle. The most important part is having senior management support behind the philosophy of securing SISs in an appropriate manner. An organization should fully consider the risks and implications before deciding to use the same networks and equipment for SIS and BPCS.Any analysis must consider the numerous security risks associated with workstation, controller and communication protocol vulnerabilities. Other areas to consider are continuous security assessments and providing the appropriate control system security training to control system and IT security staff.