Safety and Security Meet

In the industrial world, where production and IT are becoming ever more inextricably linked, security challenges are constantly evolving. Phoenix Contact, which supports companies in combining safety and security technology flexibly, explains how the two disciplines fit together.

The importance of the safety technology installed in machines and systems steadily increases over the entire life cycle of the application. However, as networking of automation systems with the IT world is becoming more and more commonplace, scenarios are likely to arise where a different approach is required, especially for safety applications. As production and IT become more and more inextricably linked in the Internet of Things within the framework of the future project Industrie 4.0, the security challenges are also growing.

Figure 1: The various steps in the risk assessment process in accordance with NAMUR NA 163.

Functional safety and security: indirect effects on the end product

Functional safety refers to the part of a system's safety that relies on the correct functioning of the safety-related (control) system and other risk-reducing measures. Here the controller has the task of initiating the safe state when a critical error occurs.
The requirements for the quality of safety-relevant control components are described in the B-standard EN ISO 13849 and the IEC series 61508/61511/62061.
Depending on the degree of risk, the corresponding risk-reducing measures are classified into different safety levels – Performance Level (PL) or Safety Integrity Level (SIL). In contrast to functional safety, security protects assets from detrimental impairment resulting from intentional or inadvertent attacks on the availability, integrity and confidentiality of their data. This involves the use of preventive or reactive technical and/or organizational measures.
If security aspects in the area of safety are disregarded, this can not only have direct effects on production facilities, it can also indirectly affect the production process and therefore the end product. In the context of pharmaceutical products and safety-relevant components for the automotive industry, it is easy to see how the effects on consumers could be significant. The IEC 61511-1 therefore requires an IT risk assessment to be carried out for safety equipment in the process industry. If operators of PCE (process control engineering) safety equipment perform the IT risk assessment as specified in the attached NAMUR NA worksheets and implement the measures identified, it is likely they will have assessed their PCE safety equipment in accordance with the latest technical standards and will therefore have fulfilled their duty-of-care obligations.

Figure 2: Subdivision of PCE safety equipment into various zones.

Attackers’ methods of finding vulnerabilities are constantly evolving

When considering functional safety and access security, the potential risk must first be assessed on the basis of a risk assessment or IT threat analysis. Here a considerable difference in approach is already evident. While the risks that design engineers need to consider in the risk assessment in accordance with the Machinery Directive – mechanical or electrical hazards, for example – tend to remain the same, the environment in which IT security experts find themselves is constantly changing. In the latter case, attackers are always actively looking for ways to exploit vulnerabilities, which in the area of functional safety would be treated as systematic errors. Another important aspect to consider is the “human factor”. In the field of machine safety, the expression “foreseeable misuse” describes, for example, situations where safety equipment – such as door switches – is tampered with by operating personnel. With large-scale cyber attacks on industrial systems, on the other hand, a high degree of criminal intent must be assumed.

The system operator can access the safety system data in real time via the Proficloud.

A worksheet for IT risk assessment

To safeguard the product life cycle of safety-oriented systems or components, manufacturers, system integrators and operators are required within the scope of “Functional Safety Management” to adopt an approach to quality management that reflects the requirements of the situation in accordance with IEC 61508. A comparable solution exists in the security world in the form of “Information Security Management” in accordance with ISO 27000. The worksheet published by NAMUR entitled “IT risk assessment of PCE safety equipment” adopts an initial pragmatic approach that leads in this direction. It describes an IT risk assessment method that takes the IEC 62443 security standard as its starting point, to provide a basis for increasing the capability of the PCE safety equipment to avert IT threats. To this end, the three steps in phase 1 were performed once as an example for one system that reflects the systems typically found in the NAMUR member companies. This allows the user to gauge the usefulness of the method for the PCE safety equipment to be assessed. The fourth step – monitoring implementation of the measures and documenting the IT security requirements and general conditions – must be carried out individually for every item of PCE safety equipment to be evaluated and constitutes phase II (Figure 1).

Subdividing the system into three zones to avoid feedback effects from the environment

From the hardware and software perspective, the system being examined is subdivided into three zones. The core PCE safety equipment in zone A comprises the PCE safety equipment as defined in IEC 61511-1. This includes the logic system, the input and output modules including remote I/O, and also the actuators and sensors. Components that are not necessary for implementing the safety function but could nonetheless influence the behavior of the core PCE safety equipment are allocated to the extended PCE safety equipment in zone B. Components and systems that belong neither directly nor indirectly to the PCE safety equipment, but could be linked to the safety function, belong in the zone referred to as “environment”. Examples are reset requests or the visualization of the status of the safety function (Figure 2). The common objective of the zones is to ensure that the functional integrity of the safety equipment is not compromised by feedback effects from the environment.
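As an added illustration of the zone model above (not code from Phoenix Contact or the NAMUR worksheet), the following Python script assigns components to zones A, B and environment and flags data flows through which the environment could feed back into the core safety equipment. The component names, the placement of an engineering station in zone B, and the flow types are constructed assumptions for the example.

```python
"""Zone-model flow check for PCE safety equipment (added illustration).
Zones follow the article: A = core safety equipment, B = extended safety
equipment that can influence A, ENV = environment. Inventory and flow
types below are constructed examples, not a real plant."""
from dataclasses import dataclass

ZONE_A, ZONE_B, ENV = "A", "B", "ENV"

# Constructed inventory. Placing an engineering station in zone B is an
# assumption: it is not needed for the safety function but can alter it.
INVENTORY = {
    "logic_solver": ZONE_A, "remote_io": ZONE_A,
    "pressure_sensor": ZONE_A, "shutdown_valve": ZONE_A,
    "engineering_station": ZONE_B,
    "hmi_visualization": ENV, "reset_panel": ENV, "erp_gateway": ENV,
}

# What the environment may do towards zone A, per the article: request a
# reset or read the status of the safety function. Anything else is a finding.
ALLOWED_ENV_TO_A = {"reset_request", "status_read"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    kind: str  # e.g. "status_read", "reset_request", "parameter_write"


def check_flows(flows):
    """Return (flow, reason) pairs for flows that could let the environment
    compromise the functional integrity of the core safety equipment."""
    findings = []
    for f in flows:
        src, dst = INVENTORY[f.src], INVENTORY[f.dst]
        if dst == ZONE_A and src == ENV and f.kind not in ALLOWED_ENV_TO_A:
            findings.append((f, "environment writes into core zone A"))
        elif dst == ZONE_B and src == ENV:
            # Zone B can influence zone A, so environment access to it
            # must be covered by the IT risk assessment as well.
            findings.append((f, "environment reaches extended zone B"))
    return findings


SAMPLE_FLOWS = [
    Flow("hmi_visualization", "logic_solver", "status_read"),        # allowed
    Flow("reset_panel", "logic_solver", "reset_request"),            # allowed
    Flow("erp_gateway", "logic_solver", "parameter_write"),          # finding
    Flow("erp_gateway", "engineering_station", "file_transfer"),     # finding
    Flow("engineering_station", "logic_solver", "program_download"), # B->A
]

if __name__ == "__main__":
    for flow, reason in check_flows(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst} ({flow.kind}): {reason}")
```

Flows between zones A and B are not flagged here because both are part of the PCE safety equipment itself and fall under the existing functional safety management.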