By Tony Baker, ICS cybersecurity portfolio manager, and Pat Barry, safety regional manager, Rockwell Automation
Industrial-security efforts often are focused on protecting information, equipment and uptime. But what about people?
The fact is, security incidents might begin as digital actions, but they can have physical outcomes. And those outcomes — such as a machine that keeps running even after a worker pushes an e-stop button or a process that reaches an unsafe state but doesn’t alert workers — can be dangerous or even deadly.
In recent years, cybersecurity incidents have occurred in industrial operations and created safety risks. New malware also has started targeting the very safety systems that workers need — and expect — to keep them safe.
Reducing security-related safety risks in your organization doesn’t require a massive overhaul of safety and security efforts. But it does require rethinking and revising how you manage risk in connected operations.
How Security Impacts Safety
Imagine a scenario in which a hacker gains access to your network and tampers with a safety device.
This tampering could lead to e-stops and light curtains not working as specified. Or a machine could continue to run even after it reaches a dangerous state, all while workers go about their jobs without knowing anything has changed or that their safety has been compromised.
Of course, as is always the case with industrial security, malicious cyberattacks aren’t the only threat. Unintentional worker mistakes, such as downloading the wrong firmware or assigning the wrong IP address, also could impact a safety system’s performance and put workers in harm’s way.
If you think these risks are just hypothetical, they’re not. Cyber incidents have taken place in operations around the world that resulted in — or were intended to cause — physical changes and damage. For example:
- A cyberattack is suspected to have caused a 2008 Turkish oil pipeline blast. Hackers allegedly exploited vulnerabilities in the line’s surveillance cameras, gained access to operational controls, and super-pressurized oil in the line. The blast resulted in 30,000 barrels of spilled oil.
- A new breed of malware known as Trisis or Triton is believed to be the first to target safety instrumented systems (SISs) in industrial operations. The malware was used in a cyberattack on a petrochemical plant that, while unsuccessful, could have been deadly.
- At a water-treatment plant, unauthorized individuals manipulated valve and flow-control applications. At least twice, they changed the amount of chemicals put into the water supply. Fortunately, workers were able to reverse the changes and minimize impact on customers.
These real-world events demonstrate how cyber incidents can endanger not only plant workers, but also nearby populations. They also raise the question: How do you reduce the risk of such attacks in your operations?
Three Areas of Focus
Safety and security traditionally have been thought of and managed as separate entities. But as the attacks on the pipeline and water-treatment plant show, safety and security are intertwined in connected operations.
Your risk management program should aim to address safety and security together in three key areas of your organization: culture, technology and compliance.
Culture. Connected operations perform at their best when there’s cross-functional collaboration. For example, connecting IT and plant floor technologies to seamlessly collect, contextualize and share production data requires close collaboration between plant floor engineers and IT personnel.
The same holds true for managing security-based safety risks. You need a combination of safety, security and operations expertise.
For this reason, Environmental, Health & Safety (EHS), IT and operations teams need to work together. Key tasks for them to tackle jointly include conducting risk assessments that cover both safety and security risks, identifying vulnerable systems and critical safety data requirements, and creating co-managed safety and security objectives.
You also should be striving for close collaboration with vendors. For example, will your automation vendors proactively disclose to you any security vulnerabilities found in their products? Those that are open and transparent about vulnerabilities can help make sure you patch them soon after they’re found.
Finally, don’t shy away from questioning vendors to make sure they have your best safety and security interests at heart. Ask them what steps they take to secure their products, such as by using a secure-by-design approach. Also ask about any relevant certifications they may have, such as a security development life cycle that has been certified to the IEC 62443 standard.
Technology. Just like good personal hygiene can help protect your health, good security hygiene can help protect your data, operations and people.
What are some examples of good security hygiene? For starters, authentication and authorization in your software and endpoints can help make sure only authorized individuals can access safety systems. These critical features give security personnel the power to define who can access the software, what actions they can take and where they can take those actions.
Asset-management software also can help you keep track of assets and their potential risks. The software can automate new-asset discovery, as well as track and manage configuration changes, such as those made within safety systems.
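The configuration tracking described above, as an added example that is not Rockwell Automation code: a small check that compares an observed asset inventory against an approved baseline and flags the two mistakes the article names, the wrong firmware and the wrong IP address, raising findings on safety-rated assets to the highest severity. Asset names, firmware versions and addresses are constructed samples.

```python
"""Configuration-drift check for safety-rated assets (added example, not vendor code).
Flags firmware mismatches, IP changes, IP collisions with a safety asset,
and devices that are not in the approved baseline. All records are constructed."""

# Constructed baseline: approved firmware and IP per asset (hypothetical names).
BASELINE = {
    "SAFETY-PLC-01": {"firmware": "32.011", "ip": "10.20.1.10", "safety": True},
    "SAFETY-IO-03":  {"firmware": "5.012",  "ip": "10.20.1.13", "safety": True},
    "PACK-HMI-02":   {"firmware": "12.00",  "ip": "10.20.2.21", "safety": False},
}

# Constructed result of an automated asset-discovery pass.
OBSERVED = {
    "SAFETY-PLC-01": {"firmware": "32.011", "ip": "10.20.1.10"},
    "SAFETY-IO-03":  {"firmware": "5.009",  "ip": "10.20.1.13"},  # wrong (older) firmware
    "PACK-HMI-02":   {"firmware": "12.00",  "ip": "10.20.1.10"},  # now collides with safety PLC
    "UNKNOWN-07":    {"firmware": "1.0",    "ip": "10.20.1.50"},  # not in the baseline at all
}


def check_drift(baseline, observed):
    """Return (severity, asset, finding) tuples, highest severity first."""
    findings = []
    ip_owner = {rec["ip"]: name for name, rec in baseline.items()}
    for name, rec in observed.items():
        if name not in baseline:
            findings.append(("medium", name, "asset not in approved baseline"))
            continue
        want = baseline[name]
        sev = "high" if want["safety"] else "low"  # safety-rated assets reviewed first
        if rec["firmware"] != want["firmware"]:
            findings.append((sev, name, f"firmware {rec['firmware']} != approved {want['firmware']}"))
        if rec["ip"] != want["ip"]:
            findings.append((sev, name, f"ip {rec['ip']} != approved {want['ip']}"))
            owner = ip_owner.get(rec["ip"])
            # A non-safety device taking a safety asset's address is itself a safety issue.
            if owner and owner != name and baseline[owner]["safety"]:
                findings.append(("high", name, f"ip {rec['ip']} collides with safety asset {owner}"))
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: order[f[0]])


if __name__ == "__main__":
    for sev, asset, msg in check_drift(BASELINE, OBSERVED):
        print(f"[{sev.upper():6}] {asset}: {msg}")
```

In practice the baseline would be the configuration approved during the joint safety and security risk assessment, and the observed inventory would come from the asset-management tool’s discovery run.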
Segmentation is another security best practice that can help you limit access to safety systems. An industrial demilitarized zone (DMZ) can securely segment your plant network from your enterprise network. And virtual LANs (VLANs) allow you to create smaller domains of trust and simplify security policy enforcement.
Resources such as the Converged Plantwide Ethernet (CPwE) design guides, developed by Rockwell Automation and its Strategic Alliance Partner Cisco, can help you incorporate these and other good security practices into operations.
Compliance. Requirements now exist within safety standards for addressing safety through security.
The functional-safety standard IEC 61508 directs you to conduct a security threat analysis if a hazard analysis identifies a reasonably foreseeable “malevolent or unauthorized action” that constitutes a security threat. The latest edition of the safety standard IEC 61511 for process industries also requires that you conduct a security risk assessment for the SIS.
These requirements may not be elaborate, but they do provide formal compliance guidelines for security-based safety risks.
Meanwhile, standards bodies continue to explore updates that detail how industry must identify and address safety through security. For example, the machine-safety standards ANSI B11.19 and ISO 13849-1 also may be revised to include new language that addresses security.
One Step You Can Take Today
Revising your risk-management program in the areas of culture, technology and compliance can help you protect workers from the safety risks that are unique to connected operations.
You might consider starting by adding the following question to your risk assessments: If an unauthorized activity occurs, will it increase the risk of injury or fatality? This one change can help bring you into compliance with security aspects of safety standards. If the answer to the question ever is “yes,” it can start a conversation among your EHS, IT and operations personnel about how to mitigate a risk. And it can help you identify instances in which technology can be used to help address both security and safety risks.