When asked where safety and security are going with respect to standards, the first thing Bryan Singer wants to do is look back. “Let’s rewind to the industrial safety arena,” says Singer, principal consultant for Kenexis Consulting Corporation and the co-chairman of the ISA99 standards committee on industrial automation and control systems security. “Originally, standards bodies looked for ways to improve safety on the shop floor,” he continues. “Then the government got involved as OSHA emerged. A problem was recognized—risk to operations, risk to health and human safety—so the standards bodies and government lined up. The ultimate result was that OSHA formally recognized the ISA84 standard as extensible practice on safety.”
Fast forward into the security arena.
Singer says that industrial cyber security was looked at as far back as 1999, but it really started gaining focus in 2001. According to him, the initial discussion coalesced around existing field level standards: “A lot of people said the field levels exist; why don’t we just handle security like the field levels, because everything is a safety issue on the shop floor. Eventually, we realized that wasn’t exactly true. Other things could happen from a security standpoint, not to mention that we really didn’t understand all the things that were happening from a security perspective.”
One of the differences between safety and security that was quickly recognized was that safety deals with something very measurable: hardware failure rates. Devices could be tested over time and predicted failure rates calculated. From those rates, decisions could be made on what is an acceptable risk on the shop floor. “That’s how we came up with the idea of the safety integrity levels (SIL) and how to certify environments to be able to achieve a certain level of SIL protection,” notes Singer.
“The first thing that the safety contingent said was ‘let’s just get the vendors to make better components,’” he continues. It was quickly realized that with a 12- to 20-year replacement cycle on much of the hardware, and with limited buying power at hand, companies couldn’t expect the vendors to just go in and fix the safety issue. “They weren’t happy,” says Singer.
The realization that followed was that companies had to develop internal practices to ensure that the correct levels were established, that equipment was incorporated correctly and tested, and that performance met the demanded level. Singer says this spawned a series of disciplines. “Process hazards analysis emerged,” he says, “along with SIL selection: determining what safety level is needed. Once components were designed, tested, and implemented, their ability to achieve the specified SIL had to be validated, along with the process by which the work was done.”
Today this extends further to factory acceptance, pre-startup, and site acceptance testing. “This analysis is a very regimented process to make sure that the level of desired performance has been achieved, and that all the safety and process control functions work the way they’re supposed to,” he says.
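As an added worked illustration of the failure-rate-to-SIL reasoning and the SIL selection and validation steps described above (not code from the article, Kenexis, or ISA99), the Python below applies the IEC 61508 low-demand SIL bands and the simplified textbook PFDavg approximations for 1oo1 and 1oo2 voting to a constructed sensor/logic-solver/valve loop. It goes slightly beyond the text by also showing how the proof-test interval and channel redundancy move a loop between SIL bands; the failure rates and subsystem names are assumed sample values, and common-cause, diagnostic, and repair terms are ignored.

```python
# Added illustration of the failure-rate -> SIL reasoning in the article; not
# code from the article, Kenexis, or ISA99. Uses the IEC 61508 low-demand SIL
# bands and simplified PFDavg approximations (no common-cause/diagnostic terms).
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0
# Low-demand mode: SIL n is met when 10^-(n+1) <= PFDavg < 10^-n.
SIL_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}

@dataclass(frozen=True)
class Subsystem:
    name: str
    lambda_du: float  # dangerous undetected failure rate per hour (constructed)
    voting: str = "1oo1"

def pfd_avg(lambda_du: float, proof_test_years: float, voting: str) -> float:
    """Average probability of failure on demand over one proof-test interval."""
    ti = proof_test_years * HOURS_PER_YEAR
    if voting == "1oo1":
        return lambda_du * ti / 2          # single channel
    if voting == "1oo2":
        return (lambda_du * ti) ** 2 / 3   # redundant pair, either channel trips
    raise ValueError(f"unsupported voting architecture: {voting}")

def loop_pfd(loop: list, proof_test_years: float) -> float:
    """Series approximation: the loop's PFDavg is the sum of its subsystems'."""
    return sum(pfd_avg(s.lambda_du, proof_test_years, s.voting) for s in loop)

def sil_level(pfd: float) -> int:
    """Highest SIL band satisfied by a PFDavg; 0 means below SIL 1."""
    if pfd < 1e-5:
        return 4  # IEC 61508 defines no band beyond SIL 4
    for level, (lo, hi) in SIL_BANDS.items():
        if lo <= pfd < hi:
            return level
    return 0

def meets_target(loop: list, proof_test_years: float, target_sil: int) -> bool:
    """The validation step: does the as-built loop achieve the selected SIL?"""
    return sil_level(loop_pfd(loop, proof_test_years)) >= target_sil

# Constructed sample loop: sensor, logic solver, final element, all 1oo1.
SAMPLE_LOOP = [Subsystem("pressure transmitter", 2e-7),
               Subsystem("logic solver", 5e-8),
               Subsystem("shutdown valve", 3e-7)]
# Same constructed loop with a redundant (1oo2) sensor pair and valve pair.
REDUNDANT_LOOP = [Subsystem("pressure transmitter", 2e-7, "1oo2"),
                  Subsystem("logic solver", 5e-8),
                  Subsystem("shutdown valve", 3e-7, "1oo2")]
```

With a one-year proof test the sample loop lands in SIL 2; stretching the interval to five years drops it to SIL 1, while the redundant variant reaches SIL 3, which is the kind of trade-off the selection and validation process is meant to make explicit.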
Uptime and Reliability: The Real Gushers
To underscore the idea that safety and security are not simply a cost, but also a significant benefit, Singer points to the oil and gas industry. “If you look at what happens in oil and gas plants—platforms, refineries, everything else—their whole existence is basically uptime,” he says. “We’re not building new refineries. We’re not building new processes. We’re reengineering or extending them, in many cases. The bottom line is that companies need to get the absolute most out of what is currently deployed.”
One of the critical byproducts of safety and security has been better measurements of device reliability, which has led to better, more reliable components. “As a result, most oil and gas concerns have been keen to jump on the SIL bandwagon, because it was an opportunity to implement a regimented, disciplined process that they could align with their capital budgets and processes,” notes Singer. “As they built or reengineered new plants and processes, they were validating that they would have a higher level of reliability than they did before.”
Another benefit of this is smaller personnel demands. “Go out to a refinery today and you’ll see about ten people running the entire place,” says Singer. “There’s not a lot of hands-on in the process, because there’s a lot of competence in the architecture.”
As large as these oil and gas projects tend to be, the more regimented, well-defined, and understood the process is, the easier it is for companies to work with their integrators and vendors, because all parties then share one common level of understanding.
According to Singer, the developments in security mirror those in safety. At the outset, the same thing that happened with safety happened with security: people said, “just have the vendors fix all the problems.” “But that’s just not going to work,” says Singer. “It’s what I call ‘the Y2K dilemma.’ We did a lot of Y2K assessments, and the plants we did this for said, ‘This is great. You did great work. You told us all our problems. Thank you so much. When do you want to fix them?’ We weren’t going to fix them—we couldn’t afford to fix them. But we needed to at least know what the risks were.”
Vendors said that they dedicated equipment a decade or more ago, and that companies would have to upgrade; the plants said that wasn’t acceptable. Déjà vu. “So we need to have other means of compensating security controls, very similar to what we have in safety,” says Singer. “This means defined regimented processes. This means companies and vendors having a common understanding of problems and a clear means of communicating problems.”
This is where ISA99 is heading. ISA99 Working Group 7 (WG7) is looking specifically at the cross-functionality of safety and security, in particular how to align safety and security practices. “It’s really more than just safety and security,” concludes Singer. “It’s aligning engineering disciplines along with the design, build, and commissioning process so that, from the beginning, we are specifying, selecting, and implementing controls that are appropriate for equipment, as well as validating and verifying configurations from the beginning through the end.”