Cybersecurity Guidance for Industrial Safety Systems

June 19, 2017
With targeted attacks on industrial automation and control systems, which are increasingly connected to other business systems, cyber vulnerabilities represent a significant potential for common mode failure.

Information systems employed in operations (including industrial control systems) are often subject to very stringent requirements for information integrity, availability and real-time performance. Functional needs such as these lead to secondary requirements and constraints in other areas, cybersecurity among them: a security control that cannot be applied without degrading a process-critical function is not an acceptable control in that context.

The challenges associated with securing industrial control and related systems have in turn been topics of considerable discussion, debate and analysis for the past several years. The ISA99 committee and IEC Technical Committee 65 Working Group 10 have developed the 62443 series of standards that provide requirements and guidance on all aspects of the subject. This information is deliberately expressed in broad terms, allowing it to be applied across a wide range of industries and situations.

The content of cybersecurity-related standards and practices can be quite technical—even arcane—requiring further interpretation within a specific context before it can be effectively applied. Interpretation of “security speak” in the context of a related discipline is essential in understanding the full implications of security requirements. This is particularly true in areas of specialization that have their own established terminology and concepts.

One such related discipline is the development, operation and support of process safety systems. There is a growing realization that functional safety and cybersecurity are related: both are concerned with preventing a system from causing harm, but one addresses random and systematic failures while the other addresses deliberate action by an adversary. It is important for both functional areas to understand the differences and overlaps, as well as the typical differences in how IT professionals view their requirements (confidentiality first, patch early and often) versus how process control engineers view theirs (availability and integrity first, change only after verification).

In the process industries, safety instrumented systems (SIS) represent one layer of protection that could be implemented to reduce risk. Other layers might consist of instrumented systems performing alarms, interlocks, permissive functions or controls using devices within the basic process control system (BPCS), as well as non-instrumented systems such as relief devices, check valves, etc.

Traditional process hazard analysis (PHA) has, in the past, generally excluded the potential for cyber-related attacks to cause process safety incidents. Given that targeted attacks on industrial automation and control systems—including the systems executing safety controls, alarms and interlocks (SCAI)—have occurred and these systems are increasingly being connected to other business systems, cyber vulnerabilities represent a significant potential for common mode failure. As a result, it is necessary in today’s world to include cyber risk in the overall PHA.

The ISA84 committee developed a technical report (ISA-TR84.00.09) for this purpose. It describes how functional safety and cybersecurity should be integrated, starting with a new process plant at the initial scope stage and continuing throughout all phases of the lifecycle. The report defines performance criteria to guard against internal and external security threats to the safety instrumented system, and includes specific guidance on how to implement, operate and maintain system security without compromising the performance of safety controls, alarms and interlocks within the control system.

The second edition of this report has recently been approved by the committee and will soon be available for use in the process safety community. Throughout its development, there has been a liaison relationship between the ISA84 and ISA99 committees, ensuring that the guidance included in the report is consistent with the general concepts and requirements in the 62443 series.

Process safety engineers and others involved in this discipline are encouraged to use this report as a valuable reference in helping them to apply cybersecurity to their safety systems.

Eric Cosman is co-chair of the MESA Cybersecurity working group. He provides consulting and advisory services in the management of IT solutions in operations and engineering, and has contributed to various standards committees, industry focus groups and advisory panels. He is a past vice president of standards and practices at ISA, a member of the ISA Executive Board and co-chair of the ISA99 committee on industrial control systems security.