Know the risks of securing safety systems

Even if a safety system is isolated and separate from a network, the potential for a cyber attack remains and companies and users need to be vigilant and take necessary precautions.

By Gregory Hale, ISSSource September 20, 2016

One assumption about safety systems is they need to remain isolated from the control system, ensuring nothing will hinder their mission to keep the plant and workers safe.

If we have learned anything in this cyber-aware world, isolation is not security. That means no matter if safety is separate, integrated or interfaced, there is always a path in.

In these days of working in open, connected manufacturing enterprises, security threats hover over a facility like a looming blizzard, potentially undercutting the vast ability connected plants have to reduce cost and increase productivity and profitability. Control systems, and just as importantly, the safety system, need to stay secure.

That means the manufacturer needs to treat its safety systems like any other in a facility and conduct a risk assessment to understand any and all strengths and weaknesses.

"The risk-assessment process is the same as with a control system in that you have to identify the system and how it interfaces with the rest of the system, which is pretty critical," said John Cusimano, director of industrial cybersecurity at aeSolutions. "Generally speaking, it is always best practice to treat the safety systems as its own zone and then you perform a risk assessment on that safety zone."

While the process control system and the safety system have similarities, there is one major distinction.

"The biggest difference with a safety system is the consequences," Cusimano said. "When you do the risk assessment in the safety system zone it comes out at a higher risk, it will change your protection and your decisions on how you are going to secure that zone. It will be a higher level of security and require stronger mitigations. Generally, you are trying to minimize the communications and reduce the attack surface."

Safety systems remain a vital cog not just in keeping the plant and people safe, but also enabling successful business performance.

"We have to remember something that is very important-something security professionals don’t always remember: The existence of our group is to enable business performance," said Jay Abdallah, director of cybersecurity, EMEA, Schneider Electric. "That needs to be our number one objective. Safety falls directly in line with those business objectives in keeping people safe, keeping the plant safe, keeping reputations safe, and keeping equipment safe which tends to help the bottom line."

Knowing which direction a safety system attack could come from is a top priority.

"The biggest thing users are coming to realize is the attack will most likely come from inside the network than outside," said Sven Grone, industrial automation turbomachinery control business development at Schneider Electric. "Things like inadvertent viruses on flash drives, contractors coming in with their machines and hooking up to the network to work on gear. These are people you invited into your systems to work on it and you are not controlling their machines and not controlling what they are putting on the network. There is definitely an element of social engineering and having to deal with people’s behavior and operational behavior in the cybersecurity process that is often not nearly as prevalent than doing functional safety."

Security whether separate or integrated

When it comes to securing a safety system, the age-old question of integrated or separate systems continues to rear its ugly head.

"I am a personal believer in a separate system. The little amount of money you save making it integrated is just the engineering portion of it," said Nasir Mundh, global director of safety services at Schneider Electric. "To me a project is two years or three years where you design it, install it, and run it. After that, the plant is running for 25 to 30 years. So you are adding additional risk to the process for 30 years just to save some money in this two-year project. To me that never makes sense. A distributed control system (DCS) or a control system is a workhorse, it is doing something every single moment. It is controlling the plant. That whole line has commands going up and down and now you have a safety system sitting on that same network. It is opening yourself up to risk."

"Integrated systems have some advantages with operations and the communications between the safety systems and the DCS. However, if you have an integrated system and you somehow are breached, there is a very high chance you lose both layers of protection," said Farshad Hendi, safety service practice lead, Americas and EURA at Schneider Electric. "That means someone is in your house and the halls are somehow connected together. If the systems are separated, it is not impossible to do that, it is more difficult."

Maintain vigilance

No matter the type of system, vigilance remains the key priority.

"Integrated, interfaced, or separate. There is no right, no wrong, only choice," said Steve Elliott, senior director offer marketing for process automation at Schneider Electric.

"An upstream operating company had integrated control and safety," Elliott said. "There was a master clock on the network that had a fault develop that was broadcasting a time across the network to all the controllers. Eventually it bombarded the controllers to the point they stopped and they had to do a shutdown on the platform and had to black start. All the power on the platform had to be dropped and they had to vacate it. They had integrated control and safety and a failure mode that actually caused them to shut the platform down. When you look at it, they didn’t do a failure mode effect analysis.

"We integrate safety and now security becomes an issue—we are seeing a movement back to maintaining as much distance between the control system and safety as possible," Elliott said. "Thinking about moving toward open standards and connecting everything together, next security is a consideration—solving one problem, creates another."

Gregory Hale is the editor and founder of Industrial Safety and Security Source (, a news and information Website covering safety and security issues in the manufacturing automation sector. This content originally appeared on Edited by Chris Vavra, production editor, CFE Media, Control

ONLINE extra

See additional stories from ISSSource about the IIoT linked below.

Original content can be found at