How Bad Industrial Cybersecurity Degrades Functional Safety to the Point of Being Ineffective

Functional Safety and Industrial Cybersecurity: what's the connection?

In this short explanatory white paper, we will discuss how a bad Industrial Cybersecurity posture can degrade Functional Safety to the point of being almost ineffective in protecting assets, people and the environment. Having proper Industrial Cybersecurity is therefore a prerequisite for having proper Functional Safety.

What is Functional Safety all about?

Functional Safety is a specialized domain within the Safety world which deals with using active systems to achieve safety. An active system is one which depends on sensors to sense conditions, takes decisions based on predefined logic (logic solving) and acts via final elements, such as actuated valves, to ensure that the equipment or process remains in a safe state. In other words, functional safety deals with using automated systems to ensure safety.

Note: If you are new to Functional Safety, then please read this white paper on "What is Functional Safety".

You may also refer to the earlier guides on What is a Safety Function and What is a Safety Instrumented System.

Core principles of Functional Safety

Functional Safety is achieved when the reliability of the automated safety function / safety instrumented system is ensured. Every time there is a demand on the system, the safety system should work correctly.

What do we mean by Demand?

Every time things go outside the normal range, the safety system is called upon to act and save the plant/equipment from disaster. This is known as a demand on the safety system. For example, if you are operating a piece of equipment and something unusual happens, you can push the Emergency Stop button on it to bring it to a safe state (shut it down safely).

What is Demand in Functional Safety

Probability of Failure on Demand (PFD)

You expect that the Emergency Stop button will work (almost) every time you push it, bringing the machine/plant to a safe state. In other words, it is reliable and has a very low Probability of Failure on Demand.

What affects the reliability of a Safety System?

In the Functional Safety domain, the reliability of the Safety System is considered to depend mainly on two factors:

1. Random hardware failures, and
2. Systematic failures.

Random hardware failures are just that: random. A resistor may short out in a PLC's electronic circuitry, or a mechanical link in a valve actuator may break. Random hardware failures are addressed by measures that reduce the probability of failure. The resulting reliability of the safety function is captured in the term "Safety Integrity Level" (SIL for short). The higher the SIL, the more reliable the Safety Function and the lower the chance of an accident.

Systematic failures are the result of systematic problems due to poor management, for example using the wrong specification sheet or writing defective software. Systematic failures are addressed by measures that avoid failures being introduced in the first place. This is captured by the parameter "Systematic Capability" (SC for short). The higher the Systematic Capability, the lower the probability of a failure due to systematic errors.

Both types of failure are considered to be non-deliberate.

The IEC 61508 Functional Safety standard

IEC stands for the International Electrotechnical Commission, of which major industrialized countries are members. The primary standard that deals with Functional Safety is the IEC 61508 standard and it has several parts.

There are several industry-specific versions of this main standard. For example, IEC 61511 is the Process Industry version, IEC 62061 is the Machinery Industry version for Functional Safety and ISO 26262 is the Automotive Industry implementation of the standard.

The standards list these measures in detail. Following them should give you a robust Safety Instrumented System.

Thus, if both types of failure are addressed by the system designer as well as by the owner/operator of the plant/machinery, then one can be reasonably sure that the safety system will be almost 100% reliable. (Almost, because nothing can be 100% reliable: the best designed equipment can fail, or systematic errors can creep in.) But one can be assured that if we follow the core principles of functional safety, our safety system will function well.

Malicious Failures

The above measures work only for non-malicious failures. They do not work if there is sabotage.

The assumption all along, even among functional safety experts, was that it was very hard (almost impossible) for any malicious actor to attack an SIS. This may have been true a decade ago, but SISs are now being cyber-attacked and can be disabled remotely, with the potential to cause a major disaster.

TRITON attack

This was amply demonstrated recently when the Triconex Safety Logic Solver, which was part of the Safety Instrumented System at a Saudi Arabian petrochemical plant, was the target of a cyber attack. Luckily, the attack was discovered while it was being carried out, and the plant was brought to a safe shutdown by alert operators and engineers.

Had it not been noticed in time, it could have resulted in a disaster.

Lessons Learnt

The principles of Functional Safety hold true only if the Safety Instrumented System is secure from cyber attacks. Hence, if you are involved in Functional Safety in any way, whether as a Design Engineer working on a new Safety Instrumented System or as a maintenance engineer tasked with keeping the BPCS (Basic Process Control System) and the SIS (Safety Instrumented System) running well, both to control the plant and to prevent a disaster in case of abnormal conditions, then you MUST first ensure that both your BPCS and SIS are secure against cyber attacks.

Cybersecurity clauses in IEC 61508 and IEC 62443

There are several clauses in IEC 61508 that deal with the security of the SIS. This is covered in detail in our Functional Safety training course and Safety Instrumented Systems training course.

IEC 61508 also refers to IEC 62443, which is another set of standards related to Industrial Cybersecurity.

Note: You may have come across the term OT. This is short for Operational Technology, meaning the systems you use to run the plant, such as your BPCS (whether based on a DCS, PLCs or a SCADA architecture) and your SIS. OT security is another term for Industrial Cybersecurity.

The term exists to distinguish it from IT security, which relates to protecting IT systems such as your ERP, MIS and similar systems from cyber attacks.

Note that OT security and IT security are completely different. Using IT security measures in OT systems is not recommended.

ISA has started work on a new technical report, and the draft has been released for public comment (ISA-TR84.00.09-2023 Part 1, Cyber Security Related to the Safety Lifecycle).

What can you do about this?

First of all, don’t be intimidated. If you know Industrial automation and Functional Safety well, you can also handle the Industrial Cybersecurity part, provided you get trained.

So, as the next step, take the Abhisam CICP Course on Industrial Cybersecurity, not only to learn how to protect your control system and safety system from cyber attacks, but also to get certified as an Industrial Cybersecurity professional.

Industrial Cybersecurity Training Course

Going forward, most companies will require that their employees are aware of, and can handle, securing the SIS. This certification will demonstrate to your employers and clients that you can do this.

So go ahead and take this course now. As of today, this is the only such course available for just $595, which is far less than what you would have to pay with a different provider.

Course Bundles and GOLD Membership Plan

You can find course bundles that save you even more when you combine courses. Also, if you become an Abhisam GOLD member, you get instant access to most Abhisam courses, including those on Industrial Cybersecurity and Functional Safety, for a very low price.
