Friday 30 March 2018

Cybersecurity for Safety Related Systems

Cyber security issues are becoming more common as more and more devices are designed around high levels of technology. Devices, systems and networks are becoming increasingly open and integrated, and therefore accessible, presenting an ever-increasing attack surface for cyber security threats. Many safety-related systems were designed and developed at a time when cyber security was not envisaged, which leaves many of today's systems potentially vulnerable to new and emerging threats.

Whilst the IT industry is further ahead in relation to cyber security, the priorities of Information Technology (IT) differ from those of Operational Technology (OT): IT typically ranks confidentiality first, whereas OT ranks availability and safe operation first. The solutions and mechanisms used in IT are therefore not necessarily applicable to industry and industrial control systems, where, for example, patching or rebooting a controller may itself be a safety issue.

There are many threat vectors, and it is important to bear in mind that not all cyber security incidents are the result of deliberate actions; many are triggered accidentally or by inadvertent actions. The threat landscape is constantly changing, but IEC 62443 describes some general classifications of potential threat sources that an organization should consider:
– Malicious hackers – an individual whose objective is to penetrate the security defences of a third-party computer system or network. [ISO/IEC 27002]
– Professional hackers – an organization funded by a government or another organization specifically to penetrate security defences.
– Disgruntled employee – an individual who works for the organization and who may be inclined to do harm because of their attitude towards the organization.
– Well-meaning employee – an individual who works for the organization and who, in the course of their work, circumvents a security countermeasure in order to "get the job done".
– Third-party contractor – an individual or organization that may have privileged access to the Basic Process Control System (BPCS), Safety Instrumented System (SIS) and/or other control-related systems under an agreement to operate or maintain those systems.
– Automated systems (device-to-device) – automated portions of the BPCS, SIS and/or other control-related systems that have privileged access.
As cyber security is a relatively modern discipline, a number of organisations produce guidance and/or standards, much of which is still maturing. Some of this guidance is for the IT industry, some is specifically for industrial control systems (IEC 62443 being the principal example) and some addresses, at least in part, the requirements for safety-related systems. The most recent editions of the functional safety standards (the generic standard IEC 61508 and its process-industry derivative IEC 61511) have added a requirement to consider cyber security threats to the safety system and, if any are identified, to take the necessary steps to protect against them. It should also be considered good practice to apply this cyber security requirement to functional safety in all other industries, for example machinery (IEC 62061 / ISO 13849).
