Secure Your Safety Instrumented Systems

Jane Alexander | October 18, 2018


On top of everything else, it’s crucial to protect the technology that mitigates process risks within your plant.

As plants become increasingly connected and more digital, operational threats are no longer contained within their walls, potentially exposing the safety system to malicious cyber threats from virtually anywhere. How can sites overcome this bleak fact of digital life? Steve Elliott of Schneider Electric, Foxboro, MA, offered the following advice.


Many industrial operations rely on safety-instrumented systems (SIS) to prevent harm and damage to their people, production, and profits. These systems are increasingly connected to other equipment, including engineering workstations, distributed control systems (DCS), operator interfaces, and plant historians, for purposes of operating and protecting the manufacturing process.

More recently, safety systems are being connected to central domain name servers (DNS) and Windows server update services (WSUS) that enable password management, automated updates, and patch installations from remote locations. With the benefits of connectivity also come risks of cyberattacks. Such attacks are aimed at disrupting industrial activity for financial, competitive, political, or social gain, or even as the result of a personal grievance.

“Because of these risks,” Elliott advised, “every SIS must now be viewed within the context of a comprehensive cybersecurity program.”


Like functional safety standards, those related to cybersecurity are evolving. They provide a consistent framework, encourage good engineering practices, and enable a systematic method for hardening safety systems and minimizing risk.

Fig. 1. The Lifecycle Approach to Cybersecurity

“Safety- and cybersecurity-protection methods must be addressed across the entire lifecycle,” Elliott said, “not simply added on when the system is delivered.” This approach is reinforced by Functional Safety Standard IEC61511-1:2016, which includes requirements for cybersecurity threats to be addressed during the various safety lifecycle stages and activities (Fig. 1).


According to Elliott, a cybersecurity-risk assessment should be performed early in a new project or immediately after a modification to an existing project. As listed here, a five-step continuous approach should be taken:

1. Define the risk methodology.

2. Identify major items.

3. Identify and evaluate threats, impact, and likelihood.

4. Reduce risks by designing adequate countermeasures.

5. Document results in a risk register.

Based on this cybersecurity-risk analysis, the cybersecurity-risk-reduction and -protection methods that the system requires must be determined.


Next, a defense-in-depth strategy should be applied (Fig. 2), starting with establishment of a secure architecture.

Due to the rapidly changing nature of cyber threats, Elliott noted that it’s crucial for sites to stay up to date with respective manufacturers’ current recommendations and guidelines and the latest applicable standards and industry best practices—as well as with their own corporate practices, policies, and procedures. The first step is securing the SIS itself. “Always follow the manufacturer’s latest recommendations and guidelines,” he said, “and utilize the system’s inherent cybersecurity features and functions.”

It’s also crucial to consider the different modes of operation, i.e., making changes to the safety-system logic, remotely writing to the safety system, and applying maintenance overrides for maintenance activities, and to apply appropriate cybersecurity measures to each. Among them:

Block it and Lock it. Use physical means, such as a locked cabinet, to restrict access to the SIS. If there are any unused communications ports, use secure port plugs and lockable cables that can only be removed with a special key. Implement procedures to control access to the cable, port, and the cabinet or enclosures, and keep a log of who accessed the controller. Finally, regularly review who is accessing the systems and when. Refer to the sidebar below for some specific scenario guidelines.

Zones and conduits. A practical, easy, and cost-effective way to protect existing and new systems is to apply zones and conduits that segment and isolate the system (as recommended by the ISA99 and IEC62443 standards). This approach involves grouping logical or physical assets that share common security requirements, based on factors such as criticality and consequence, into zones. Communications between zones occur through defined conduits. Conduits control access to zones, resist denial-of-service (DoS) attacks and the transfer of malware, shield other network systems, and protect the integrity and confidentiality of network traffic.

Determining network information flow between zones is straightforward using traffic-flow or protocol analyzers.

Yet it’s important to look beyond the network to determine hidden traffic flow. It may be that files are occasionally moved by manual transport methods such as USB drive.
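As an added example (not code from the article or from Schneider Electric), the following Python script checks a traffic-flow analyzer export against a zone map and a conduit table, flagging cross-zone flows that use no defined conduit and nodes that belong to no zone. All addresses, the zone layout, the port numbers in the conduit table (1600 is a made-up engineering-tool port) and the sample export are constructed assumptions.

```python
# Audit observed traffic against a zones-and-conduits policy. Added example,
# not code from the article or Schneider Electric; the zone map, conduit
# rules and sample flows are constructed (1600 is a made-up tool port).
# Zone of each known asset (constructed sample addresses).
ZONES = {
    "10.1.0.10": "SIS", "10.1.0.11": "SIS",       # safety controllers
    "10.2.0.20": "DCS", "10.2.0.21": "DCS",       # DCS / operator interface
    "10.3.0.30": "ENGINEERING",                   # engineering workstation
    "10.4.0.40": "SERVERS",                       # WSUS / historian
}
# Conduits: the only permitted inter-zone paths as (src_zone, dst_zone, port).
CONDUITS = {
    ("DCS", "SIS", 502),               # Modbus/TCP reads from the DCS
    ("ENGINEERING", "SIS", 1600),      # engineering-tool access (hypothetical)
    ("SERVERS", "ENGINEERING", 8530),  # WSUS patches to the workstation
}

def classify(src, dst, dst_port):
    """One verdict per flow; anything but INTRA_ZONE or CONDUIT needs review."""
    src_zone, dst_zone = ZONES.get(src), ZONES.get(dst)
    if src_zone is None or dst_zone is None:
        return "UNKNOWN_NODE"   # a node not registered in any zone
    if src_zone == dst_zone:
        return "INTRA_ZONE"
    if (src_zone, dst_zone, dst_port) in CONDUITS:
        return "CONDUIT"
    return "VIOLATION"          # cross-zone traffic outside every conduit

def audit(export_text):
    """Parse 'src,dst,dst_port' lines from a traffic-flow analyzer export and
    group them by verdict so violations and unknown nodes can be reviewed."""
    report = {}
    for line in export_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        src, dst, port = line.strip().split(",")
        verdict = classify(src, dst, int(port))
        report.setdefault(verdict, []).append(f"{src}->{dst}:{port}")
    return report

# Constructed sample export: DCS read, intra-SIS flow, engineering session,
# SMB from the WSUS server to a controller, an unknown host, HTTP on port 80.
SAMPLE_EXPORT = """\
10.2.0.20,10.1.0.10,502
10.1.0.10,10.1.0.11,502
10.3.0.30,10.1.0.10,1600
10.4.0.40,10.1.0.10,445
10.9.9.9,10.1.0.11,22
10.2.0.21,10.1.0.10,80
"""
```

Calling audit(SAMPLE_EXPORT) returns the flows grouped by verdict; as the text notes, such an audit only sees network flows, so files carried by USB drive never appear in the export and must be covered by procedure.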


While every effort must be made to protect the SIS technology against cyber threats, Elliott emphasized that people are often the biggest threat to safety systems. “Any cybersecurity schema is only as secure as the weakest link,” he cautioned. “Therefore it’s critical to consider operational aspects, including policies and procedures, skills, competencies, and performance of personnel.”

According to Elliott, security must be part of any operation lifecycle to plug every hole. That requires heightened personnel screening and employee training. Large and complex systems are susceptible to mistakes made by inexperienced or untrained personnel—not just activities of malicious inside actors. Clear, actionable policies are necessary to secure control and safety technologies and provide the governance for managing human factors. Procedures must be designed to state how personnel design, operate, maintain, and modify the safety systems, and provide a standard, repeatable means to accomplish a task in a secure manner.

“Everyone in industry has a role in developing this type of stronger cybersecurity culture,” Elliott stressed. “The key is educating the workforce and enabling people to identify cybersecurity threats and respond accordingly.”

Based in Worthing, UK, Steve J. Elliott is senior director, Offer Marketing, Process Automation, Schneider Electric. To learn more, visit the Schneider Electric Virtual Academy.

Block It and Lock It: Guidelines for Specific Scenarios

An effective defense-in-depth strategy includes implementation of all applicable cybersecurity measures, including Block It and Lock It. Consider these guidelines for specific scenarios in your plant.

For peer-to-peer networks that require additional adherence:

Use a separate peer-to-peer communications network dedicated to safety systems only.

Configure network switches and routers in a manner that prevents the addition of unauthorized network nodes.

Use external firewalls to limit the network traffic to only safety peer-to-peer network traffic.

Disable unused network ports.

When non-safety networks that connect engineering workstations, maintenance workstations, communications gateways, and third-party systems, such as human machine interface (HMI) or DCS systems, are involved, the same security measures should be used as with a closed network:

Configure network switches and routers in a manner that prevents the addition of unauthorized network nodes.

Only open ports that are necessary for network communication.

Close or disable unused ports to prevent unauthorized connection of network nodes, PCs, programmable logic controllers (PLCs), or other devices.

Periodically inspect and monitor switches to ensure the configuration hasn’t changed, and that the switch status doesn’t indicate communication has occurred on unexpected ports.

When using a PC as the engineering or maintenance workstation, whether gaining access onsite or remotely:

Implement strong user-authentication practices, including password strength and periodic password-change requirements.

Regularly monitor Windows accounts available on the workstation to ensure only the necessary personnel can log on to the workstation, with the appropriate level of access. Inactive or unnecessary user accounts should be removed.

Review the Windows system-events log to monitor log-on and log-off activity on all workstations and detect attempted unauthorized activity.

Disable unused USB ports.

Use firewalls and other security devices or settings to limit access to the host network, based on your security-risk assessment.

Install operating-system patches and anti-virus software updates as they are released.

When securing open networks to third-party devices and applications:

Secure the host PCs by keeping user authentication strong and anti-virus software and operating-system (OS) patches up to date.

Physically isolate (sometimes referred to as an air gap) the safety system and its networks from the rest of the networks in your plant or facility.

Limit network traffic by using external firewalls.

Use firewalls and other security devices or settings to limit access to the host network, based on your security-risk assessment.

When using a firewall:

Restrict communication to the expected ports, per your network configuration. Only open those ports that are necessary for network communication.

Periodically inspect/monitor the firewall to ensure the configuration hasn’t been changed, and that the firewall status doesn’t indicate communication has occurred on unexpected ports.

When using network switches:

Close or disable unused network ports to prevent unauthorized connection of network nodes or PLCs.

Periodically inspect/monitor the switch to ensure the configuration hasn’t been changed, and that the switch status doesn’t indicate communication has occurred on unexpected ports.
