Proactive security concepts instead of reactive defense: safety and security in industrial plants needs rethinking

In late 2017 the industrial control system (ICS) cybersecurity specialist Dragos announced that a safety controller (SIS) from a HIMA competitor deployed in a process facility in the Middle East had been targeted by a new malware attack and successfully hacked. Apparently, the aim of the attacker was to disable the safety functions of the system, which did not succeed due to programming errors.  The safety instrumented system (SIS) was compromised and did exactly what it was supposed to: it initiated a system shutdown. Nevertheless, the professional execution of the attack shows all too clearly how seriously plant operators need to take the issue of cybersecurity. This cyberattack also represents a new dimension of cyberthreats to critical infrastructure. According to current knowledge, it was specifically planned and designed to target the SIS of the manufacturer concerned. That sort of attack on an SIS is very demanding and requires significant effort. It is the fifth publicly known ICS incident to date, following Stuxnet, Havex, Blackenergy2 and Crashoverride. The importance of this attack can hardly be overestimated, because it was the first successful attack on a safety instrumented system – which is the last line of defense against a potentially catastrophic impact.

According to present knowledge, the attacker benefited from a significant factor: at the time of the cyberattack the SIS had been put in programming mode by a key switch. In an orderly configuration with the controller in run mode, where program changes are not possible, the attackers would have faced a much more difficult challenge. No other attacks on the same type of SIS are currently known.

The concept of safety is changing
The incident should serve as a wake-up call to heighten awareness of cybersecurity in the industry. Although only a particular system was attacked, the incident marks a turning point for plant security. In the future the focus must be on the interaction of safety and security. The SIS in the above example differs significantly from HIMA safety systems with regard to design philosophy and technology, so it is unlikely that the HIMA systems are also susceptible to the same cyberattack. However, it is clear that no SIS manufacturer can now or in the future promise a solution that is absolutely and always safe with regard to all eventualities and risks.

That is primarily because work processes and organizational deficiencies are still by far the most common targets for successful cyberattacks. For example, system interfaces that remain open during normal operation and can be used to alter program code give attackers a potential access point. As a consequence of this cyberattack, plant operators are strongly advised to not rely solely on cybersecure components, but instead to define an integral security concept for their own systems and consistently implement it in cooperation with manufacturers.

Safety-oriented automation solutions in industrial plants must now encompass more than just safe emergency shutdown (ESD); they must also provide effective protection against cyberattacks. This leads to a paradigm shift: Previously, automated systems only had to be designed for safety and then simply checked periodically to verify the initially defined risk reduction. In the future, safety solutions must be regularly adjusted and extended in the interest of security. This paradigm shift affects providers and operators of components for safety instrumented systems in equal measure. This totally alters the perception of safety solutions. A core aspect of modern safety solutions must be the ability to fend off cyberattacks in order to avoid costly shutdowns. This makes SIS an even more significant factor for plant profitability.

Standards compliance and level separation as a basis
A welcome trend is that companies in the process industry are increasingly recognizing the importance of safety and security standards for the safety and economic viability of their plants. However, there are still companies that are not using fully standards-compliant SIS. That means they run a significantly higher risk of lost production and harm to people and the environment. To achieve maximum safety and security, it is especially important for plant operators to implement the requirement of the standards for functional safety and automation security (IEC 61511 and IEC 62443) for physical separation between safety instrumented systems (SIS) and process control systems (BPCS).

Standards compliance is a key aspect of defense against cyberattacks. According to IEC 61511, safety instrumented systems and process control systems can only be regarded as independent safety levels if they are based on different platforms, development bases and philosophies. In concrete terms, this means that the system architecture must fundamentally be designed to prevent the simultaneous use of components of the process control system level and the safety level without a detailed safety analysis. Without clear separation, patches implemented in the process control system could, for example, influence functions of the integrated safety system. That can have fatal consequences. An equally problematic situation arises when a successful cyberattack on the process control system via the office PC of an employee leads to compromising the integrated safety system, with the result that functional safety and basic cybersecurity are also compromised. As can be seen from many of the above-mentioned examples of successful cyberattacks, the link between office IT and the production system always represents an extreme weakness. An attack on an integrated SIS/BPCS system is thus considerably easier than an attack on a stand-alone SIS.

There is a lot at stake in the event of a successful cyberattack. In the worst case it can impair plant safety, with incalculable consequences for the health of employees, the material assets of the company, and the environment. Cybersecurity insurance policies, which enable companies to at least partially protect themselves against financial losses from cyberattacks, are starting to emerge. However, it is questionable whether the plant operator’s insurance coverage would be fully effective in the absence of compliance with applicable standards or if blatant security deficiencies can be proven. Cybersecurity insurance demands clear risk assessments in plants, based on applicable standards, as otherwise insurance is not possible or not financially viable. Plant operation is only reliable when plant operators systematically implement cybersecurity measures, such as separation of protection levels, in addition to functional safety.

Proactive cybersecurity is necessary
Rapidly growing and increasingly professional cyber criminality compels both manufacturers of safety solutions and their users in the process industry to pursue proactive cybersecurity policies and establish integral safety concepts. As part of risk assessment, plant operators must weigh the financial expenditures for effective safety and security concepts against the costs of potential shutdowns, which can easily run into the millions. The money invested in cybersecurity, usually only a fraction of the cost of a shutdown, is not wasted – instead, it safeguards the productivity of the entire plant.

As a user, you can opt for the best possible defense by using safety instrumented systems with the fewest possible vulnerabilities. For example, a dedicated operating system specifically developed for safety-oriented applications runs on HIMA’s autonomous SIS controllers. It includes all functions of a safety PLC and omits all other unnecessary functions. There are no software components from third-party software packages and no built-in back doors. That renders typical attacks on IT systems ineffective. The operating systems of the controllers are tested for resistance to cyberattacks during the software development process. That is also ensured by security certification of the development process and by the development processes necessary for functional safety, such as the two-person principle.

However, for plant operators it is not enough to rely on standards-compliant hardware and software. Cybersecurity is a never-ending task, and it must be developed jointly by plant operators and safety specialists in the conceptual design of new plants or prior to update measures. The minimum requirement for existing plants is an exact analysis of potential cybersecurity weaknesses. Along with technical measures, users must also implement organizational measures, because no existing technology can provide complete protection against new forms of attack. Consequently, there is a strong need for periodic checking of internal networks and communications systems, for example by penetration tests carried out by independent parties.

In other industries it is now common practice to allocate fixed budget amounts for recurrent safety and security audits. In these audits, external specialists conduct threat tests to thoroughly examine internal cybersecurity measures, with the objective of identifying and eliminating weaknesses. This amounts to proactively employing hackers to find potential vulnerabilities that could be exploited by other hackers.
The results of these tests should be used to boost safety measures in the entire industry to a uniform and effective level. Associations and the German Federal Office for Information Security (BSI) can assist in this. The latter has already published helpful documents on the subject of cybersecurity in industrial control systems from the perspective of manufacturers and plant operators.

Good safety technology is not enough
The human factor is the most frequent source of cyber risks. That includes not only targeted cyberattacks aimed at disrupting production processes or stealing industrial secrets, but also disruptions that can arise from inattention. For safety-oriented systems, the usual cybersecurity rules are even more important because the SIS represents the last line of defense against a potential catastrophe. Protection against human penetration, whether intentional or unintentional, is therefore especially important. Consequently, a comprehensive security concept includes aspects such as specific access protection, physical safeguarding, or checking the plausibility of changes. Here technology can and must form the basis for taking the pressure off people.

It is also important to constantly be aware of possible means of manipulation and take them into account. In this regard, safety-critical applications are fundamentally different from other industrial PLC or office applications. Considerable expertise is necessary to ensure security in safety applications. This is a major challenge, especially for relatively small enterprises. Consequently, maintaining and constantly refining security often poses a nearly insurmountable hurdle for plant operators. It is therefore advisable – as with the previously mentioned threat tests – to draw on the services of experienced safety and security experts in order to jointly develop and implement effective concepts. Currently one of the major threats is “spear phishing” – the targeted spying out of access data for protected systems. Once employee passwords become known, launching a cyberattack is child's play. Nevertheless, plant operators should never regard their employees as the weakest link in the cybersecurity chain. Instead, they should engage all employees and encourage them to become familiar with the issue of IT security and be part of an effective proactive cybersecurity strategy.

Loss or damage that arises from the action of an employee should be considered a system issue. Such loss or damage should demonstrate the necessity to fill knowledge gaps and familiarize employees with threat scenarios, such as known social engineering strategies. Extensive programs for security training and increasing employee awareness are thus an essential component of a proactive safety concept.