Develop safety through security

The safety implications of security are often overlooked, and companies need to learn how to assess, manage and mitigate risks for industrial security.

04/29/2017


As organizations implement connected, information-enabled architectures to improve productivity, efficiency and safety, industrial security cannot be too far behind.

Whether it's remote access to production machinery, wireless access to pumping stations, or connecting plant-floor equipment to the IT infrastructure, greater connectivity can provide significant improvements in productivity and safety. But it also increases risks—not only to intellectual property, profits and mission-critical production assets, but also to people and the environment.

Safety systems are designed to detect faults, alert operators and automatically intervene. By altering or attacking safety systems, security breaches can force a standard control system to operate beyond its safety parameters, damage equipment and the environment, or even place workers and the public in unsafe situations.

The connected enterprise unites people, processes and things. It brings together enterprise-level IT and plant-level operations technology (OT) systems into a common network infrastructure. And it harnesses the power of enabling technologies, from data and analytics software to smart devices that make up the Internet of Things (IoT).

What does this mean for manufacturers and industrial operators? It means production intelligence for measuring and improving nearly every aspect of their operations, including quality, productivity, uptime and overall equipment effectiveness (OEE). It means enterprise-wide connectivity for instantaneous information sharing and seamless collaboration across an organization. It means remote monitoring of critical production assets and systems dispersed across remote locations.

For all the opportunities, however, there are also risks. More connection points can create more entrance points for security threats. These threats can be physical or digital, internal or external, and malicious or unintentional. And they can pose a danger in many ways, including intellectual property loss, disrupted operations and compromised product quality.

Safety is perhaps the least discussed implication of security threats.

Safety as attack vector

Breached machine- and process-safety systems can create cascading safety consequences.

For starters, compromised safety systems that don't stop machines when they reach a dangerous state or when a safety device is triggered can expose workers to the very threat they should be protected from. Additionally, safety systems that aren't able to stop production beyond certain operating conditions can expose other employees or an entire plant to risks, such as fires, chemical leaks or explosions.

The risks can be especially high in industries where employees work with hazardous or volatile materials, such as in chemical manufacturing. And the risks will only grow as collaborative robotics become more prevalent, with employees and robots working side-by-side on production lines.

Compromised safety systems also could put consumers at risk. Consider the potential impact of a cyberattack that alters processes in a food or pharmaceutical manufacturing operation. It could result in harmful or even deadly contaminations. And even if an attack is discovered before affected product leaves the facility, it could delay the delivery of urgently needed products like life-saving medications.

Likewise, tampered or disrupted processes in critical-infrastructure facilities could impact the critical water and energy supplies on which populations depend.

Documented attacks

Security breaches and vulnerabilities resulting in safety risks aren't just theoretical. They're a reality:

  • A cyberattack on a German steel mill resulted in parts of the plant failing and a blast furnace workers could not shut down through normal methods. The plant suffered "massive damage." The incident illustrated the destructive—and potentially harmful—effects that security threats can create in industrial operations.
  • The FDA put out an alert to medical device manufacturers and health care facilities about certain medical devices vulnerable to security breaches. One of the vulnerabilities cited was the potential for malware to infect or disable the devices.
  • Verizon reported a likely cybersecurity breach at a facility responsible for supplying and metering water usage. The report showed unexplained valve and duct movements, including manipulation of programmable logic controllers (PLCs) that "managed the amount of chemicals used to treat the water to make it safe to drink."
  • An oil pipeline explosion in Turkey was publicly blamed on a malfunction, but news reports revealed it was the work of hackers. The explosion resulted in 30,000 barrels of spilled oil. As Bloomberg reported, "Hackers had shut down alarms, cut off communications and super-pressurized the crude oil in the line."

Security risks that can result in safety implications can take many forms. Some key risk types include:

  • Employee errors: Security risks don't always originate from malicious intent. In fact, one of the most common security risks comes from innocent mistakes. This could include employees or contractors who unwittingly make a network misconnection, download the wrong program to a controller, or plug an infected device into the system. Such seemingly simple mistakes could in fact have major consequences if they lead to systems operating beyond safe parameters.
  • Disgruntled employees: Current or former employees familiar with an organization's control system and industrial network can present security and safety threats. A prime example of this involved a worker in Australia who broke into a sewage-equipment control system installed by his former employer and caused 800,000 liters of raw sewage to spill into local parks and rivers.
  • Hackers seeking political or financial gain: A manufacturer's intellectual property can be a lucrative target for hackers. At the same time, hackers also may seek to disrupt a manufacturing or industrial operation for financial, competitive or political reasons.
  • Corporate espionage: State-sponsored espionage targeting high-value infrastructure and production assets is a constant threat. U.S. Department of Justice officials have said thousands of companies have been targeted and that such activities represent a "serious threat" to national security.
  • Cyberterrorism: Malicious acts could seek to disrupt, infect or cripple critical infrastructure. Potential targets could include nuclear plants, water supplies and oil refineries. One such attack involved hackers attempting to seize control of a small dam in New York. The attack failed because the dam was offline for maintenance.

Secure environment means safety

Governments concerned about disruptive and dangerous cybersecurity attacks on plants and critical-infrastructure operations are already working with manufacturers and industrial operators.

For example, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) responded to 295 cybersecurity incidents in 2015 across 16 critical-infrastructure sectors. The three sectors that garnered the most responses were:

  1. Critical manufacturing (97 incidents)
  2. Energy (46 incidents)
  3. Water and wastewater (25 incidents)

Still, much work remains. Organizations need to be more proactive in addressing safety through security. They should incorporate four key elements into their approach:

  • Standards compliance
  • Safety and security integration
  • Risk analysis
  • Risk mitigation measures

Some requirements do exist within safety standards to help manufacturers and industrial operators address safety through security:

Section 7.4 of IEC 61508 ("Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems") directs companies to conduct a security threat analysis if their hazard analysis identifies a reasonably foreseeable "malevolent or unauthorized action" that constitutes a security threat. The problem, however, is that it is rare for any company to follow the rule.

The second edition of IEC 61511 ("Functional Safety: Safety Instrumented Systems for the Process Industry Sector"), which was released late last year, will require security risk assessments to be conducted for safety instrumented systems (SIS). The SIS design also must deliver the necessary resilience against the identified security risks.

These requirements may not be elaborate, but they do provide formal compliance guidelines for addressing security-based safety risks. They should be followed. Meanwhile, standards bodies are also exploring additional updates that could go further in detailing how industry must identify and address safety through security.

