Institute of Measurement and Control. Functional Safety 2016
Conclusion
Cyber security vulnerabilities can open the door to attacks that compromise the effective
operation of a SIS, either causing nuisance trips or potentially impairing its ability to respond
when there is a real demand.
Functional Safety standards now explicitly require security to be addressed for Safety Instrumented
Systems.
Implementation of cyber security is similar in many ways to implementation of functional safety and
both should be considered in parallel during risk assessment, design, implementation and operation.
Recent high-profile industrial accidents highlight the need for continuing improvement in safety
culture, and process safety management is increasingly a focus for senior management in successful
high-hazard companies. The same approach needs to be taken with cyber security management to
bring it up to the same level of maturity as a discipline.
SIS-specific guidance is available (e.g. ISA TR84.00.09:2013 and IEC 62443-2-4).
As with safety, the use of certified products is only part of the answer.
Implementing a secure industrial automation and control system is just the start. Keeping such a
system secure requires awareness of security issues, a security culture and the implementation of a
security management system to assist in establishing and maintaining security over time.
Relying on an air gap as a defence against cyber threats is not sufficient. Today's world grows ever
more connected, and this expectation of connectivity will inevitably mean that any air gap
will be breached at some point. To rely on the air gap as the most effective form of defence is
misguided.
By following best practice and “Defence-in-Depth” guidance it is possible to implement Safety
Instrumented Systems which are both integrated and secure.
By following vendor security concepts it is possible to remain integrated while still effectively addressing
security.
To meet your safety goals you have to address security.
References
IEC 61508-1 Ed 2.0, 2010
IEC 61511-1 Ed 2.0, Feb 2016
IEC 62443, 2010; Network and system security for industrial-process measurement and control
ISA TR84.00.09:2013