Could a cyberattack injure or even take someone’s life in your operations?
It’s a question that needs to be asked today, given the greater connectivity of operations and the potential for systems – including safety devices – to be compromised.
After an August 2017 cyberattack on a petrochemical facility in Saudi Arabia, security firms identified the first known malware to target industrial safety systems. As reported by The New York Times in March, the attack, while not successful, was likely intended to cause an explosion that could have taken lives.
Cyberattacks resulting in physical damages or changes have also occurred at a German steel mill, a Turkish oil pipeline and a U.S. water treatment facility. Such attacks can threaten the safety of workers at these sites – and even the populations and environments near them.
To put it simply: Safety and security are no longer separate issues. If you’re not secure, you’re not safe. That’s why safety and security must be addressed together, as part of a comprehensive risk-management program that encompasses both the production and IT sides of your operations.
Mounting threats
Industrial security is already top of mind for many companies. The greater use of commercial technologies in control systems and the move to more connected, information-enabled operations have created great opportunities to improve operations and productivity. They have also created more entry points and opportunities for security threats.
Yet the focus of security programs is often on protecting intellectual property, productivity, and quality. Too little attention is given to the physical consequences that can result from security incidents.
Imagine that a perpetrator breaches your network and gains access to a safety device. The very device designed to prevent unsafe conditions could be modified so it doesn’t perform as specified. This could lead to a machine continuing to run after it reaches an unsafe state, or safety devices such as E-stops and light curtains not working when they’re activated. Your workers’ personal safety or their lives could be put in jeopardy, and their trust that safety systems will protect them could be damaged.
It’s not only malicious cyberattacks that can threaten safety. More commonly, safety systems are affected by human error, such as downloading the wrong firmware to a safety controller or assigning the wrong IP address to a safety device. These mistakes can also degrade a safety system’s performance and put people in danger.
Rethinking risk management
Safety and security have historically been managed independently of each other. But to reduce the potential for security-based safety incidents, they need to be addressed together, in relation to each other.
The best way to do that is to ingrain security into the three pillars of safety: compliance, culture and technology.
Compliance: Safety standards address security
Safety standards now provide formal compliance guidelines for addressing safety through security.
The functional safety standard IEC 61508 provides this specific direction: “If the hazard analysis identifies malevolent or unauthorized action, constituting a security threat, as being reasonably foreseeable, then a security threat analysis should be carried out.” The second edition of IEC 61511, released in 2016, also requires that you conduct security risk assessments for safety instrumented systems (SIS) in process industries. These standards do not contain a thorough description of how to manage security risks but instead recommend that organizations leverage IEC 62443.
In addition, developers of machine safety standards such as ANSI B11.19 and ISO 13849-1 are also considering the addition of language to address security.
Perhaps the most meaningful thing you can do to address safety through security in your company is to add this question to your risk assessments: If an unauthorized activity is performed, will it increase risk?
This simple change can help bring you into compliance with standards that require you to consider security today and prepare you to comply with the standards that will require it tomorrow. And, most important, it can help you begin the process of identifying and addressing the potential safety risks that could result from the security threats facing your company.
Culture: Improve collaboration
If you determine that an unauthorized activity will indeed increase risk, then what should be done about it?
If you’re unsure how to answer that question, you’re not alone. Understanding and addressing security-based safety risks requires a combination of safety, IT, and operations expertise.
This is why better collaboration is needed among EHS, IT and operations. These teams must work together to co-develop safety and security objectives, identify vulnerable assets and critical safety data requirements, and conduct risk assessments that address both safety and security risks.
Close collaboration with third parties is also important. Timely vendor disclosures of vulnerabilities in their products can allow you to patch security risks soon after they’re discovered.
Technology: Good security hygiene
There are good security practices that every company should use to achieve a fundamental level of security.
One of those practices is segmentation, which uses managed switches to allocate devices into subnets and VLANs. This can help prevent unauthorized access to safety systems. An industrial DMZ should also be used to create a barrier between industrial and business zones.
Access control is also a good practice, but it should incorporate multiple elements. For example, physical security could require that managed industrial switches be kept in locked enclosures. Lock-in devices could also be used to prevent unauthorized tampering with cables and networking equipment, and block-out devices should be used to close off unused ports.
For software and endpoints, user authentication and authorization are another good security practice. They can reduce the risk of malicious and accidental threats by limiting safety-system access to only authorized individuals. Security administrators can define who can access the software, what actions they can take and where they can perform those actions.
In addition, system owners need to actively manage their assets by creating a list and monitoring for lifecycle status and patch availability. This allows system owners to understand security support for assets and address known vulnerabilities when possible. Owners should also maintain backups for configurations and important electronic assets to facilitate a quick recovery should an incident occur.
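The asset-management practice above, together with the human-error cases described earlier (wrong firmware on a safety controller, a safety device assigned an address outside its VLAN), can be turned into a routine inventory audit. The following is an added example, not code from the article or from Rockwell Automation; the safety subnet, approved firmware versions, lifecycle states and the inventory itself are constructed assumptions.

```python
"""Audit a safety-system asset inventory for the configuration errors and
lifecycle gaps described in the article (constructed example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed policy: the safety VLAN's subnet (from segmentation) and the firmware
# version each kind of safety device is approved to run. Values are constructed.
SAFETY_SUBNET = ipaddress.ip_network("10.20.30.0/24")
APPROVED_FIRMWARE = {"safety_plc": "31.011", "safety_io": "3.012"}
MAX_BACKUP_AGE_DAYS = 30


@dataclass
class Asset:
    name: str
    kind: str
    ip: str
    firmware: str
    lifecycle: str                  # "active", "end_of_life" or "discontinued"
    backup_age_days: Optional[int]  # None means no configuration backup exists


def audit(assets):
    """Return {asset name: [findings]} for every asset with at least one issue."""
    findings = {}
    for a in assets:
        issues = []
        if ipaddress.ip_address(a.ip) not in SAFETY_SUBNET:
            issues.append("ip outside safety VLAN")          # mis-assigned address
        expected = APPROVED_FIRMWARE.get(a.kind)
        if expected and a.firmware != expected:
            issues.append(f"firmware {a.firmware} != approved {expected}")
        if a.lifecycle != "active":
            issues.append(f"lifecycle {a.lifecycle}: no vendor patches available")
        if a.backup_age_days is None:
            issues.append("no configuration backup")
        elif a.backup_age_days > MAX_BACKUP_AGE_DAYS:
            issues.append(f"backup is {a.backup_age_days} days old")
        if issues:
            findings[a.name] = issues
    return findings


# Constructed inventory: one compliant device, one on the wrong subnet, and one
# running unapproved firmware on an end-of-life controller with no backup.
INVENTORY = [
    Asset("safety_plc_1", "safety_plc", "10.20.30.10", "31.011", "active", 7),
    Asset("safety_io_1", "safety_io", "10.20.31.5", "3.012", "active", 3),
    Asset("safety_plc_2", "safety_plc", "10.20.30.11", "30.014", "end_of_life", None),
]

if __name__ == "__main__":
    for name, issues in audit(INVENTORY).items():
        print(name, "->", "; ".join(issues))
```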
Finally, an effective security program requires a balance of technical and nontechnical controls. Owners should have policies and procedures for how to effectively use technical controls during incident response.
Don’t fall behind
The industrial security requirements in standards including IEC 61508, IEC 61511 and, above all, IEC 62443 may only be the start. Standards bodies are actively exploring more updates that could go further in detailing how you must identify and address safety through security, such as through access control.
Security threats are also growing and evolving. It’s now not a matter of if but when they may take aim at your industrial-safety systems.
When that day comes, will your company be prepared, and will your workers be protected from this new risk?
Tony Baker is ICS cybersecurity portfolio manager and Pat Barry is safety regional manager at Rockwell Automation.