Process plants must operate securely as well as safely. Two international standards — International Electrotechnical Commission (IEC) 61508, which relates to functional safety, and IEC 62443, which addresses security challenges in automation systems — can help. An alignment project at the IEC describes how to apply the two standards simultaneously and defines three guiding principles. However, before examining these, let’s look at how security issues can impact functional safety in process plants to give context to the principles and clarify their role in implementing the new standard.
Some fundamental questions about the relationship between cybersecurity and plant safety arise. Can the vulnerability of integrated control systems influence a plant’s functional safety and, if so, what needs to be protected? More specifically, can we apply the principles developed for functional safety to information technology (IT) security?
Before we can decide if a control system could pose a functional safety threat, we must define functional safety. For this, IEC 61508 provides valuable insight. According to that standard, functional safety is “part of the overall safety that depends on functional and physical units operating correctly in response to their inputs.”
This definition reveals the relationship between vulnerability and functional safety; incidents caused by malicious attack, design or operator faults that compromised functional safety attest to this relationship. The objective of IT security must be to protect operations from any possible negative influences, thereby eliminating, or at least minimizing, potential hazards to people, the environment and assets.
In terms of what needs to be protected, we must understand that, even without malicious threats, IT security vulnerabilities afflict almost every automation application. This includes the safety-related system itself and the distributed control system (DCS). Accordingly, many safety experts call not only for the physical separation of safety instrumented system (SIS) and DCS components but also for different engineering staffs or vendors to handle each. As we shall see, both safety and security standards encourage independence of control and safety functions.
Systems designers endeavoring to align security and safety also must decide which aspect has the highest priority. There’s no definitive answer to this question; safety and security experts alike tend to favor their own perspective. This is why experts in an IEC working group (TC 65 20.1) currently are developing a strategy that allows IEC 61508 safety concepts and IEC 62443 security concepts to be applied in harmony.
When designing integrated strategies, it’s essential to consider several aspects. First, a dedicated functional safety management system must serve as the baseline of all activities. Other aspects include avoidance of failures and maintenance of control if they do occur, reliability evaluations, and security. It’s also important to remember that safety and security focus on entirely distinct aspects; there’s no automatic correlation between functional safety and security.
The IEC working group is seeking to clarify a suitable strategic approach; its recommendations are being written up as IEC TS 63069, and comprise three working principles:
Principle 1: Protection of safety functions. The SIS should be protected from the consequences of security-related influences so the safety integrity of the SIS isn’t compromised.
This recommendation calls for adequate attention to security-related aspects to ensure they don’t negatively impact the SIS’s safety performance.
In practice, this means the residual risk borne by the security-related aspects mustn’t lead to a higher rate of dangerous failures than acceptable for the specific safety integrity level, e.g., one dangerous fault per 1,000 years of operation for SIL 3. This can be achieved by establishing and maintaining safety and security zones and conduits as described in IEC 62443-3-2.
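As an added illustration of Principle 1 (example code written for this article, not from the IEC standards or the working group), the check below converts the SIL 3 target quoted above into a per-hour rate and tests whether the random-hardware contribution plus the security-related residual contributions of the zones and conduits that can reach the SIS stay within it; all rates and zone names are constructed assumptions.

```python
# Added example, not from the article or the IEC standards: a dangerous-failure
# budget check for Principle 1. The SIL 3 target is the one the article states
# (one dangerous failure per 1,000 years); every rate below is a constructed value.
HOURS_PER_YEAR = 8760.0


def target_rate_per_hour(failures: float, years: float) -> float:
    """Convert a target stated as 'failures per N years' to a per-hour rate."""
    if years <= 0 or failures <= 0:
        raise ValueError("target must be a positive count over a positive duration")
    return failures / (years * HOURS_PER_YEAR)


def check_sis_budget(target_per_hour, hardware_rate, zone_rates):
    """Sum dangerous-failure contributions and compare them with the SIL target.

    hardware_rate: dangerous failure rate from random hardware faults (per hour).
    zone_rates:    residual security-induced dangerous failure rate, per hour,
                   for each IEC 62443 zone or conduit that can reach the SIS.
    Returns the verdict, the remaining budget and the dominant security
    contributor, so a reviewer can see which zone or conduit to harden first.
    """
    security_total = sum(zone_rates.values())
    total = hardware_rate + security_total
    dominant = max(zone_rates, key=zone_rates.get) if zone_rates else None
    return {
        "within_target": total <= target_per_hour,
        "security_fraction_of_target": security_total / target_per_hour,
        "remaining_per_hour": target_per_hour - total,
        "dominant_zone": dominant,
    }


# Constructed scenario: SIL 3 target as quoted in the article.
SIL3_TARGET = target_rate_per_hour(failures=1, years=1000)  # about 1.14e-7 per hour
HARDWARE_RATE = 4.0e-8  # constructed: random hardware dangerous failure rate
ZONE_RATES = {          # constructed residual rates per zone/conduit
    "dcs_to_sis_conduit": 5.0e-8,
    "engineering_workstation_zone": 3.0e-8,
}

if __name__ == "__main__":
    # In this scenario the security residual pushes the total over the SIL 3
    # budget, and the DCS-to-SIS conduit is the largest contributor.
    print(check_sis_budget(SIL3_TARGET, HARDWARE_RATE, ZONE_RATES))
```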
Principle 2: Compatibility of implementations. During testing, any modification or change should undergo a safety impact analysis to determine all SIS components impacted and the necessary re-verification activities.
This recommendation means that every modification to a safety system must receive an impact review combined with the necessary re-verification. Verification is the process of checking the implemented system against its design documents. Safety system verification usually can't take place while the safety system is in operation.
So, if you implement a safety system needing regular patches (e.g., once a month/week), each of these patches requires the execution of the re-verification process. This testing conflicts with a requirement to operate a safety system for one year without interruption, for example.
Principle 3: Protection of security countermeasures. Design and development of safety functions should adhere to security coding and protection standards to minimize the introduction of vulnerabilities.