Address Safety And Security In Tandem

By Peter Sieber, HIMA Paul Hildebrandt GmbH


Principle 3: Protection of security countermeasures. Design and development of safety functions should adhere to security coding and protection standards to minimize the introduction of vulnerabilities.

Exceptional situations such as emergency operation and proof-testing activities shouldn’t compromise security countermeasures. For example, they shouldn’t bring in additional information systems, such as notebook computers or portable memory devices, that haven’t been subjected to the comprehensive measures and procedures needed to maintain the security settings applied.

Developing A Balanced Strategy

You first must perform an overall hazard and risk analysis. While human protection is the highest priority, safeguarding the environment, assets, information and business continuation also may impact the overall risk to be mitigated.

As Figure 1 highlights, risk analysis results should go simultaneously to the team responsible for safety and the one handling security. Once set, the safety risk-mitigation concept passes to the security team. This triggers an interactive process to define all related security aspects required to protect the safety system.

The security risk mitigation process results in the definition of a security environment for functional safety agreed upon by both teams. The definitions of the security environment cover features to be implemented inside the components of the safety instrumented system (SIS) and other measures to comply with the security recommendations (e.g., added firewalls). Both the safety measures implemented and the related security measures get crosschecked for their compatibility as well as their maintainability throughout the entire safety lifecycle. This ensures the target risk reduction is maintained and that safety and security measures don’t negatively impact one another.

Any conflicts arising must be resolved; if resolution isn’t possible, external risk reduction measures must be defined.

Sufficient Separation

The already mentioned concept of zones and conduits (Figure 2) introduced by IEC 62443-3-2 can ensure a sufficient level of separation between the SIS and the basic process control system (BPCS).

A zone in this context is a dedicated part of an overall application where identical security recommendations apply. Each zone has clearly defined perimeters and dedicated interfaces to other zones or the Web.

The level of protection measures required for each zone must be specified to cover the individual recommendations defined by IEC 62443-3-3’s “Foundational Requirements,” namely:

1. Identification and authentication control;
2. Use control;
3. System integrity;
4. Data confidentiality;
5. Restricted data flow;
6. Timely response to events; and
7. Resource availability.

IEC 62443-3-3 focuses particularly on the so-called essential functions, those required to maintain health, safety, the environment and availability for the equipment under control.

In considering whether functional safety principles can be applied to IT security, it’s worth noting that both the IEC 61511 (safety) and IEC 62443 (security) standards demand independent protection layers. Each stipulates:

• Independence of control and safety;
• Measures to reduce systematic errors;
• Separation of technical and management responsibilities; and
• Reduction of common-cause failures.

The standards also highlight that the entire system is only as strong as its weakest link. When using integrated safety systems — that is, where the safety system and standard automation system are on the same platform — you should treat all hardware and software that could impair the safety function as part of the safety function. This means you must subject the standard automation system to the same management process as the safety system.

In addition, an implementation lacking independence between the BPCS and the SIS protection layer requires review of its risk reduction capabilities; these must be able to cover the overall risk reduction of the BPCS plus the SIS. Achieving SIL 2 or higher for safety might pose economic challenges because the components common to both the BPCS and the SIS then need to comply with a higher SIL (SIL 3 in the case of SIL 2 for safety).
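As an added illustration (not from the article or from HIMA), the following Python model records the zones and conduits described above, expresses each zone's protection target as one security level per Foundational Requirement (IEC 62443-3-3 uses SL 0–4 for this; the target values here are constructed samples, not a real plant's), checks that data only flows over a defined conduit, and applies the weakest-link rule to components shared between the SIS and the BPCS. The function and field names are the author's own choices.

```python
from dataclasses import dataclass

# FR1..FR7 in the order the article lists them:
# identification/authentication control, use control, system integrity,
# data confidentiality, restricted data flow, timely response, resource availability.
FRS = ("IAC", "UC", "SI", "DC", "RDF", "TRE", "RA")


@dataclass(frozen=True)
class Zone:
    name: str
    sl_target: tuple  # one SL (0-4) per FR, same order as FRS


@dataclass(frozen=True)
class Conduit:
    src: str             # zone that originates the flow
    dst: str             # zone that receives it
    allowed_flows: frozenset  # named data flows permitted over this conduit


def weakest_link(zones):
    """Integrated platform: a shared component is only as strong as the weakest zone, per FR."""
    return tuple(min(z.sl_target[i] for z in zones) for i in range(len(FRS)))


def check_flow(conduits, src, dst, flow):
    """Restricted data flow (FR5): a flow is allowed only over an explicitly defined conduit."""
    return any(c.src == src and c.dst == dst and flow in c.allowed_flows for c in conduits)


def unmet_requirements(zone, achieved):
    """List the FRs where the measures in place fall short of the zone's target SL."""
    return [fr for fr, target, got in zip(FRS, zone.sl_target, achieved) if got < target]


# Constructed sample: the SIS zone is held to a higher target than the BPCS zone,
# and the only defined conduit carries read-only status from the SIS to the BPCS.
SIS = Zone("SIS", (3, 3, 3, 2, 3, 3, 3))
BPCS = Zone("BPCS", (2, 2, 2, 1, 2, 2, 2))
CONDUITS = [Conduit("SIS", "BPCS", frozenset({"status"}))]

if __name__ == "__main__":
    print("shared components effectively reach:", weakest_link([SIS, BPCS]))
    print("BPCS -> SIS write allowed?", check_flow(CONDUITS, "BPCS", "SIS", "setpoint"))
    print("SIS gaps:", unmet_requirements(SIS, (3, 3, 3, 1, 3, 3, 3)))
```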
