How to create comprehensive automation safety for process industries
Proper industrial control system (ICS) safety requires attention to functional safety and cybersecurity. Know the definitions and industries standards to help.
- Understand definitions for functional safety and cybersecurity and what they mean in industrial control system (ICS) environments.
- Learn the points of hardware failure and types of cyber threats for an ICS.
- Review three processes of safety and security lifecycles and examine general and specific industry standards that can help with cybersecurity implementations and safety integrity level (SIL) determinations.
Functional safety, cybersecurity insights
- Process safety requires attention to industrial control system (ICS) functional safety and cybersecurity.
- Definitions and standards for functional safety and cybersecurity can help, along with knowing the points of hardware failure and types of cyber threats for an ICS.
- Knowing three processes of safety and security lifecycles and implementing guidance available in standards can help with cybersecurity implementations and safety integrity level (SIL) determinations.
ISA (International Society of Automation) defines automation as the creation and application of technology to monitor and control the production and delivery of products and services.
For the process industries another useful though general term is IACS (Industrial Automation Control System); according to IEC 62443-1-1, an Industrial Automation and Control System (IACS) is a collection of processes, personnel, hardware and software that can affect or influence the safe, secure and reliable operation of an industrial process. Though the word IACS is gaining momentum, ICS (industrial control system) is still widely used when referring to the IACS system. ICS is generally acceptable and widely used.
ICS safety can be comprehensively categorized as functional safety and cybersecurity. Looking into each separately can help with understanding how they overlap.
IEC61508 (International safety standards for the design of safe systems for hardware and software) has a definition for safety, and IEC62443 (International series of standards that address cybersecurity for operational technology in automation and control systems) defines security. I believe, the primary purpose of any security is safety, especially in the process industry, as public and personnel health may get compromised. Below, security and safety are comprehensively referred to as ICS safety.
Functional safety definition
What is functional safety? It is a part of the overall safety of a system or piece of equipment that depends on automatic protection and operates correctly in response to its input feedback or failure in a predictable manner (fail-safe).
Cybersecurity definition differs in ICS environments
What is cybersecurity? Cybersecurity is broadly categorized as cyber safety and physical security. Though the word cybersecurity implies that the intention is to look at only the “Internet” connection, this is not true regarding ICS environments.
Until a few years back, functional and cyber safety were considered separate and treated separately. That cannot be the case anymore, as process industry safety standards require cyber assessment. Cyber risk assessment is required per ANSI/ISA 61511/IEC 61511 to meet the standard.
Before further understanding ICS safety, failures and threats need to be understood.
The ICS should be designed to address functional safety adequately, and the failures may come from hardware failures, human errors, systematic errors and operational and environmental stress.
ICS points of hardware failure
Hardware failure comes from field equipment, sensors and instruments in the ICS. Hardware failures, also known as random failures, are common. These failures happen for various reasons, and they can be due to the failure of a subset of components in the equipment, operational, environmental stress or improper maintenance.
Systematic errors are design faults that also could arise from documentation errors. Hardware failures also can be said to be systematic errors. However, they should be separate and not treated as one.
Operational or environmental stress happens depending upon where ICS is located, in a controlled environment or classified area.
Types of cyber threats
Cyber threats can be external or internal and categorized as deliberate or accidental. Typical external threats are hackers (professional, amateur or so-called script kiddies), rival business competitors and rival organizations or nation states. Typical internal threats are erroneous actions, inappropriate behavior and insider threats. (Environmental threats are excluded in this discussion.)
The figure shows that proper ICS safety means both functional safety and cybersecurity must be met and must be integrated. Proper ICS safety can be achieved when both areas are adequately addressed.
It is a misconception that having a safety instrumented system (SIS) is enough, and cyber safety is optional. Attacks can happen on the SIS itself, compromising safety. Concurrently, not having an SIS system does not mean that cyber safety is not required as BPCS independent protection layers can get compromised and thus compromise safety.
Three processes of safety and security lifecycles, standards to help
Both safety and security life cycles depend on three processes: Analysis, implementation and maintenance.
Governments and industry organizations are developing safety and security guidelines and recommendations to support this.
IEC 61508/ANSI/ISA 61511/IEC 61511 for functional safety. IEC 61508 is considered a primary or “umbrella” standard. ANSI/ISA 61511/IEC 61511, the sector-specific standard for the process industries. In the process industries, IEC61508 is primarily applicable to vendor-specific components. Therefore, the ICS safety and reliability analysis should be performed within the framework of these two standards.
ANSI/ISA 61511/IEC 61511 has three parts:
Part 1: Framework, definitions, system, hardware, and application programming requirements.
Part 2: Guidelines for the application of Part 1
Part 3: Guidance for the determination of safety integrity levels (SIL).
Meeting the 61511 standards may result in a SIS or not, in some cases, based on the inherent design of the process and available instrumentation and controls implementation. Also, it is not mandatory to use a safety PLC, as an SIS system also can be achieved through hardware wiring design. Hardwire wiring design usually brings complex wiring and maintenance issues. The standards do not necessarily recommend safety PLC, but a safety PLC has many advantages, such as simplifying complex wiring, ease of configurable options and availability of field diagnostics.
Using smart instruments and safety PLC gives advantages like predictive and preventive maintenance using data collection methods and increases plant reliability.
Cybersecurity help for process industries, general and specific
For cybersecurity, the ISA/IEC62443 series of standards are available and are divided into four parts: part 1 for general, part 2 for policies and procedures, part 3 for system, and part 4 for component level.
Guidance also is available through some industry and sector-specific guidance and standards also available, including:
API 1164 Standard by American Petroleum Institute
ChemITC – Chemical Sector Cyber Security Program from the American Chemistry Council
Water & Wastewater Sector G430-09 Standards
NERC Critical Infrastructure Protection (CIP) 002-009.
Standards and guidelines are only as good as implemented. Standards typically are not prescriptive as addressing every process plant design is impossible. Although standards are not necessarily laws, they carry a certain level of certainty; hence, the responsibility of meeting the standards with proper design falls on the users.
End users are responsible for meeting the standards and have higher stakes than vendors.
Functional safety can be achieved by meeting and maintaining SIL target levels 1-4. SIL measures system performance regarding the probability of failure in demand (PFD). In the process industries, PFDAvg is widely used. PFH (probability of failure per hour) is rarely used in process industries.
ANSI/ISA 61511/IEC 61511 requires vendors to have their functional safety management (FSM) plan if any vendor claims functional safety for their equipment. The end-user organization should have its own FSM.
Per ANSI/ISA 61511/IEC 61511, FSM personnel working on SIS design must be competent. The competence can be achieved either by external or internal training.
Three SIL target parameters
Three parameters are crucial to achieving any SIL target: architectural constraints, systematic capability, and probability of failure.
For SIL 3 targets, partial stroke testing can be an option, but this will result in complex design changes, like new bypass lines during the testing and complex partial stroke testing equipment. Hence, it is better to address other protection layers before considering this option.
For cybersecurity, standards set best practices and provide a way to assess security performance. IEC62443 assigns security assurance level (SAL) 0-4, much like the SIL target levels. SAL depends on seven factors, which are called foundational requirements. Seven factors for SAL are: Access control, use control, data integrity, data confidentiality, restricted data flow, timely response to an event and resource availability.
SIL is quantifiable, but SAL is not (yet). It is possible to quantify SAL when enough data is available across different industries and together agree on proper modeling methods. However, cyber threats and intentions keep changing constantly, and quantifying them anytime soon may not be possible.
For the SAL qualitative approach, a risk graph is a good tool. Companies can use any existing process safety risk graph or develop a new one for cyber.
Timely response to an event: It is advised to develop and keep an emergency response plan in the control room to that operator personnel may have immediate access.
Resource availability: This is much like mean time to repair (MTTR) in functional safety and needs to be adequately maintained. Keep system backups and equipment inventory as part of the incident response plan.
Recovery plan: Having a proper recovery plan is advised. Operation technology (OT) personnel should play a critical role in developing recovery plans as information technology (IT) personnel typically do not have functional knowledge of ICS installations. An SME (subject matter expert) in OT can play this role.
Owners must maintain proper test records and maintenance procedures as ICS safety is a life cycle until the project’s decommissioning.
It is impossible to achieve 100% safety and security, but we can try.
Sunil Doddi, a senior principal process controls engineer at Air Products, is a Certified Automation Professional, Certified Functional Safety Expert and Cybersecurity Fundamental Specialist. Edited by Mark T. Hoske, content manager, Control Engineering, CFE Media and Technology, email@example.com.
Functional safety, ICS cybersecurity for process industries
Have you referenced process safety and cybersecurity standards and the appropriate expertise to lower risks?