“If we’re going to talk about safety and security, we have to think about what they are in the industrial context,” says Bradford H. Hegrat, CISSP, critical infrastructure security consultant at Rockwell Automation. From the security professional’s perspective, security has two sides: enterprise and critical infrastructure, which includes industrial control systems, distributed control systems, and supervisory control and data acquisition (SCADA) systems. According to Hegrat, the big difference between the two is the safety element. From an enterprise security perspective, safety is not a concern; on the flip side, safety is a key concern for critical infrastructure. “In and of itself, safety has never been looked at from a truly holistic, top-down perspective,” says Hegrat.
Safety is typically concerned with machine-level safety. The goal is to prevent someone from getting his or her fingers caught in a machine or a vessel from being over-pressurized. Safety systems have therefore been focused on individual components or subsystems, and they rarely address the safety of the larger environment or the overall control system.
“When you start talking about safety systems, you’re really talking about a number of smaller systems that communicate with one another—or may not communicate with one another,” explains Hegrat. And that can lead to a situation where unsafe conditions may occur without ever breaching the clipping levels for individual safety systems to engage.
Securing a New Perspective
Traditionally, when security is considered, it’s cyber security. Safety really hasn’t been a concern. “We knew there was a safety element behind it, but we never really tried to quantify or identify it,” says Hegrat. “With the formation of ISA99 Working Group 7, that has changed. That’s where the convergence is coming in.”
Working Group 7 (WG7) is a joint working group between the ISA99 committee and the ISA84 functional safety standards committee, as well as other international standards programs and related interest groups, to promote greater awareness of the impact of cyber security issues on the safe operation of industrial processes. The working group’s initial tasks include:
- Completing a Security Assurance Level methodology for cyber security, similar to that of the current Safety Integrity Levels (SIL) defined in ISA84
- Defining and developing processes for identifying intentional and systematic threats that can expose process hazards
“Today’s plants are interconnected and software-driven,” says Hegrat. “By only considering the probability of hardware failures, you can miss significant sources of risk to process safety. Intentional threats such as viruses, hackers, and malware, and unintentional faults such as poor network performance or network failures also may put safety at risk.”
WG7 will help engineers solve the problem of cyber security in industrial process safety systems.
Hegrat cites two industries—oil and gas and minerals and mining—as prime examples of where the convergence of safety and security will benefit operations. These industries have very large safety concerns. The minerals and mining industry has a major concern about keeping people alive many thousands of feet underground. Oxygen supplies, temperature controls, and other environmental factors are crucial to keep within appropriate levels.
“From a cyber security perspective, if one were to attack, say, the exhaust fans that are venting the mine from any of the harmful gases that are present underground, we would want to be able to evacuate everyone underground in the mine within 15 minutes,” says Hegrat. “So you’re talking about the shutting-down processes, a change of environmental conditions that may put people at risk. That’s a safety concern.”
In the petrochemical industry, individual safety systems should be configured in a number of ways to communicate with one another to prevent, for example, a hydrocracker from running away with itself. “But you may run into situations where elements of that hydrocracker are pushed to unsafe conditions,” cautions Hegrat. “Because safety elements are focused on subsets of a system, it is possible, specifically with the hydrocracker example, to overdrive the system as a whole, yet have none of the individual safety systems kick off.”
“Security comes into play when you deploy security systems,” he continues. “Half of their function is to monitor events and conditions on the cyber assets: the HMIs, the historians, and so on. If you’re monitoring all that, you should be able to gain information from the security elements in place that you can correlate to known, unsafe operating conditions within the larger system. This is outside the aspects of the individual safety elements. It’s the security piece that helps identify a situation before it becomes a critical safety issue.”
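The two preceding paragraphs describe the gap Hegrat is pointing at: each safety element watches its own trip level, so a process can be driven hot as a whole while no single element engages, and the security monitoring on the HMIs and historian is the place where that whole-system picture can be assembled. The following script is an added illustration of that correlation logic; it is not code from the article or from Rockwell Automation. The process train, tag names, trip levels, host names and event records are all constructed for the example, and the "several elements near their trip at once" rule is one simple stand-in for whatever site-specific unsafe-condition signature an engineer would actually define.

```python
"""Added example (not from the article): correlate per-element safety
readings with security-monitoring events to surface a system-level unsafe
condition that no individual safety element would trip on."""
from dataclasses import dataclass


@dataclass
class Reading:
    tag: str        # historian tag name (hypothetical)
    ts: int         # seconds since epoch (constructed)
    value: float    # current process value
    trip: float     # this element's own safety trip level


@dataclass
class SecurityEvent:
    ts: int
    source: str     # host that performed the action
    action: str     # e.g. "setpoint_write"
    target: str     # tag that was written


# Constructed data: three stages of a hypothetical process train. Every
# stage is below its own 400 degC trip, yet all three are running hot at once.
READINGS = [
    Reading("stage1_temp_degC", 1000, 395.0, 400.0),
    Reading("stage2_temp_degC", 1000, 398.0, 400.0),
    Reading("stage3_temp_degC", 1000, 396.0, 400.0),
    Reading("stage3_feed_kgph", 1000, 820.0, 900.0),
]

# Constructed security-monitoring events from the HMI/historian side.
EVENTS = [
    SecurityEvent(800, "eng_ws_01", "setpoint_write", "stage1_temp_sp"),
    SecurityEvent(910, "unknown_host", "setpoint_write", "stage2_temp_sp"),
    SecurityEvent(950, "unknown_host", "setpoint_write", "stage3_temp_sp"),
]
AUTHORIZED_WRITERS = {"eng_ws_01"}   # hypothetical allow-list of engineering hosts


def tripped_elements(readings):
    """Tags whose own safety element would engage right now."""
    return [r.tag for r in readings if r.value >= r.trip]


def near_trip_elements(readings, margin=0.05):
    """Tags sitting within `margin` (as a fraction) of their trip level."""
    return [r.tag for r in readings if r.value >= r.trip * (1.0 - margin)]


def system_level_unsafe(readings, margin=0.05, min_elements=2):
    """True when several elements are near their trip at the same time even
    though none has tripped: the whole-system condition the text describes."""
    if tripped_elements(readings):
        return False   # an individual element is already handling it
    return len(near_trip_elements(readings, margin)) >= min_elements


def suspicious_writes(events, window_start, window_end):
    """Setpoint writes inside the window from hosts not on the allow-list."""
    return [e for e in events
            if window_start <= e.ts <= window_end
            and e.action == "setpoint_write"
            and e.source not in AUTHORIZED_WRITERS]


def correlate(readings, events, lookback=300):
    """Combine the safety picture and the security picture into one verdict."""
    now = max(r.ts for r in readings)
    unsafe = system_level_unsafe(readings)
    writes = suspicious_writes(events, now - lookback, now)
    if unsafe and writes:
        severity = "critical"   # process is hot AND someone unexpected moved setpoints
    elif unsafe or writes:
        severity = "warning"    # one side of the picture alone still merits a look
    else:
        severity = "ok"
    return {
        "severity": severity,
        "near_trip": near_trip_elements(readings),
        "suspicious_writes": [(e.ts, e.source, e.target) for e in writes],
    }


if __name__ == "__main__":
    print(correlate(READINGS, EVENTS))
```

Run as-is, the script reports no tripped element, three stages within 5% of their trip, and two setpoint writes from a host that is not on the allow-list, so the combined verdict is "critical". The point is the shape of the check rather than the numbers: the safety side alone sees nothing, the security side alone sees only an odd write, and only the correlation of the two produces an alert before any clipping level is reached.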
In the industrial control space, a security event can almost always be correlated to the physical world. “So there is almost always the potential for a safety event,” says Hegrat. “The convergence of safety and security is inevitable.”
A Comprehensive Approach
Rockwell Automation takes an approach to safety and security that reflects this holistic perspective. From the classic safety perspective, the company has a safety consultancy that guides customers through what they need to do specifically around regulations impacting safety. From a security perspective, the company’s Network and Security Services consultancy provides equivalent services on security issues. “So it’s a blended operation where we use both safety and security consultants to provide a comprehensive, top-down approach to the system,” says Hegrat.
“Today, everyone understands safety,” concludes Hegrat. “As we move forward, cyber security will become as ingrained as safety is today. As this occurs—as it is occurring—the real winners are the asset owners. And that’s something everyone can converge on.”