This presentation discusses why cybersecurity is an issue for safety instrumented systems and will examine example architectures when communicating with the SIS.

1. Safety & Security in Industrial
Control Systems
Ben Murphy
Safety Engineering Consultant

2. • Open standards
• PC-based systems
• COTS equipment
• Horizontal and
vertical integration
• IT & OT more connected
Other SIS challenges
• Integration of Control and Safety
• Most systems programmable
• Safety Systems are low demand mode
• Aging installed base
Information technologies are
used in industrial automation Increased security threats demand action
• Sabotage of the Process Plant Safety Systems
• Manipulation of data or application software
• Loss of Operator Interface
• Loss of Safety Function
• Spurious trips
• Failure of BPCS maybe initiating event
• Common mode failures BPCS and SIS
• Compliance with standards and regulations is required
Why Cyber security is an issue for SIS
The drivers for Industrial Automation also apply for Safety Instrumented Systems

3. Introduction of malware via
removable media and external
hardware
Human error and sabotage
Intrusion via remote access
Control components
connected to the Internet
Compromising of smartphones
in the production environment
Compromising of extranet
and cloud components
Malware infection via the
Internet and Intranet
(Distributed) denial-of-
service ((D)DOS) attacks
Technical malfunctions
Source © BSI analysis on cyber security 2016, German Federal Office for Information Security
Social engineering and phishing
ICS Attack surface is growing Challenges:
Challenges: Increasing vulnerability, high connectivity

4. Similarities
• Defense in Depth
• Lifecycle approach
• Stakeholders
• Requirement for FSM / SM
• Ongoing monitoring needed
• Terminology of SIL and SL
Differences
• Focus (internal v. external)
• Maturity of standards
• Level of adoption
• Willingness to share learning
• Assessment of risk
“Freedom from unacceptable risk of physical
injury or of damage to the health of people,
either directly or indirectly as a result of
damage to property or to the environment.”
IEC 61508-4
“Prevention of illegal or unwanted penetration of or
interference with the proper and intended operation of an
industrial automation and control system”
IEC 62443-1-1
Safety Security
Comparison of Safety and Security

5. References to Security from Safety standards
IEC 61508-1 Edition 2
7.4.2.3 The hazards, hazardous events and hazardous situations of the EUC and the EUC control system shall be determined
under all reasonably foreseeable circumstances (including fault conditions, reasonably foreseeable misuse and malevolent or
unauthorised action). This shall include all relevant human factor issues, and shall give particular attention to abnormal or
infrequent modes of operation of the EUC. If the hazard analysis identifies that malevolent or unauthorized action,
constituting a security threat, as being reasonably foreseeable, then a security threats analysis should be carried
out.
IEC 61511-1 Edition 2
8.2.4 A security risk assessment shall be carried out to identify the security vulnerabilities of the SIS.
NOTE 1:
Guidance related to SIS security is provided in ISA TR84.00.09, ISO/IEC 27001:2013, and IEC 62443-2-1:2010.
11.2.12 The design of the SIS shall be such that it provides the necessary resilience against the identified security risks
(see 8.2.4).

6. IEC62443 Framework

7. The parties involved in an IACS

8. IEC 62443 Assessment
Phased project approach based on
IEC 62443-3-3 tool with following
Foundational Requirements
• FR 1 Identification and Access Control
• FR 2 Use Control
• FR 3 System Integrity
• FR 4 Data Confidentiality
• FR 5 Restrict Data Flow
• FR 6 Timely Response to Events
• FR 7 Resource Availability
Questionnaire
Result spider
diagram
Result chart bar
ASSESS IMPLEMENT MANAGE

9. Assessing ICS against IEC62443 - FR 5 Restrict Data Flow
Each FR contains several SRs (System Requirements) with harder control measures as the target SL increase SL1-SL4.
Level 1
SR 5.1 Network segmentation
The automation solution or IT infrastructure shall realize the capability and the operating organization shall use the capability to logically segment automation solution
or IT infrastructure networks from non-automation solution or IT infrastructure networks and to logically segment critical automation solution or IT infrastructure networks
from other automation solution or IT infrastructure networks.
Level 2
SR 5.1 RE 1 Physically network segmentation
The automation solution or IT infrastructure shall realize the capability and the operating organization shall use the capability to physically segment automation solution
or IT infrastructure networks from non-automation solution or IT infrastructure networks and to physically segment critical automation solution or IT infrastructure networks
from non-critical automation solution or IT infrastructure networks.
Level 3
SR 5.1 RE 2 Independence from non-control system networks
The automation solution or IT infrastructure shall have the capability to provide network services to automation solution or IT infrastructure networks, critical or
otherwise, without a connection to non-automation solution or IT infrastructure networks.
Level 4
SR 5.1 RE 3 Logical and physical isolation of critical networks
The automation solution or IT infrastructure shall realize the capability and the operating organization shall use the capability to logically and physically isolate critical
automation solution or IT infrastructure networks from non-critical automation solution or IT infrastructure networks.

10. ISA TR84.00.09 Example SIS architectures I  Air-gapped
• Common Hardware
and Engineering
platform
• No communication
between SIS and
BPCS
• No common
database for HMI
Air-gapped
In this design, the SIS
is both logically and
physically isolated
from communicating
with the rest of the
zones.

11. ISA TR84.00.09 Example SIS architectures I  Interfaced
• Common Hardware
and Engineering
platform
• Communication
between SIS and
BPCS on AS level
• No common
database for HMI
• Visualization on
BPCS HMI with extra
engineering possible
Interfaced
SIS and BPCS are
still connected using
discrete wiring, but
they now include a
direct point-to-point
communication
connection.

12. ISA TR84.00.09 Example SIS architectures I  Integrated 2 zone
• Common Hardware
and Engineering
platform
• Communication
between SIS and
BPCS over plant
bus
• No common
database for HMI
• Visualization on
BPCS HMI with
extra engineering
possible
Integrated 2 zone
the BPCS and SIS
systems are fully
integrated and
provide direct, real-
time communication
between the systems.

13. • Common Hardware
and Engineering
platform
• Communication
between SIS and
BPCS over plant bus
• Common database
for HMI
Integrated 1 zone
The SIS and BPCS
systems are
integrated
providing greater
communication
between those
systems and higher-
level systems.
ISA TR84.00.09 Example SIS architectures I  Integrated 1 zone

14. HSE Operational guide (OG86)
• Covers risk identification, and its management including design, maintenance, operation, management systems and
competency of staff.
• Forms part of the HSE’s EC&I operational delivery guide consistent with other similar operational guides.
The following guiding principles were used in producing the guidance:
• Protect, detect and respond. It is important to be able to detect possible attacks and respond in an appropriate and timely
manner in order to minimize the impacts.
• Defence in depth. No single security countermeasure provides absolute protection as new threats and vulnerabilities can be
identified at any time. To reduce these risks, implementing multiple protection measures in series avoids single point failures.
• Technical, procedural and managerial protection measures. Technology is insufficient on its own to provide robust levels of
protection.
HSE Operational Guide

15. Physical access
protection to the plant
and critical systems
+
Components with
integrated security
functions.
+Endpoint security:
e.g Whitelisting, patching,
FW updates,
authentication.
+
Security management
for processes and
technical measures
+
Protection of the
plant/machine network
through segmentation
+
* based on IEC 62443
Secure remote access
via Internet or mobile
networks to the plant
+
The defense in depth concept*

16. Siemens UK
Ben Murphy
Safety Engineering Consultant
E-Mail: ben.murphy@siemens.com
siemens.com/plant-security-services
Contact

17. Siemens provides products and solutions with industrial security functions that support the secure operation of plants, systems, machines and
networks.
In order to protect plants, systems, machines and networks against cyber threats, it is necessary to implement – and continuously maintain – a
holistic, state-of-the-art industrial security concept. Siemens’ products and solutions only form one element of such a concept.
Customer is responsible to prevent unauthorized access to its plants, systems, machines and networks. Systems, machines and components should
only be connected to the enterprise network or the internet if and to the extent necessary and with appropriate security measures (e.g. use of
firewalls and network segmentation) in place.
Additionally, Siemens’ guidance on appropriate security measures should be taken into account. For more information about industrial security,
please visit http://www.siemens.com/industrialsecurity.
Siemens’ products and solutions undergo continuous development to make them more secure. Siemens strongly recommends to apply product
updates as soon as available and to always use the latest product versions. Use of product versions that are no longer supported, and failure to
apply latest updates may increase customer’s exposure to cyber threats.
To stay informed about product updates, subscribe to the Siemens Industrial Security RSS Feed under http://www.siemens.com/industrialsecurity.
Security Information