Plant Management


Integrated solution

At first glance, economic reasons can be a persuasive factor for implementing an integrated safety system from the same company that manufactured the process control system. After all, a uniform system concept and a common bus, as well as a single engineering tool for the standard automation and functionally safe automation, promise several advantages. The advantages of convenience, however, come with disadvantages in the areas of functional safety and security, as anything that a user or the controller can do, an attacker can also do. A larger attack surface is the consequence.


With an integrated control system and safety system from a single source, all automated processes and convenience advantages must be critically tested. The more open and integrated a safety controller is, the more effort is required for organisation and security. Security attack vectors in this area include automated processes, such as diagnostic displays, the automatic interaction between engineering tool and controller, and the interaction between the visualisation of the control system and the safety system.


Levels of protection

To reduce systematic errors, standards IEC 61511-1 (Safety) and IEC 62443-3-3 (Security) require separate levels of protection and autonomy of the operating equipment and protective equipment. By design, an autonomous process control system and a safety system from different manufacturers require different engineering tools, databases and operating procedures. Such systems from different manufacturers avoid common cause risks and reduce the security risk through diverse technology.


Diverse technology also ensures a clear separation of the areas of responsibility and, in practice, supports the different handling of operating equipment and protective devices. With operating equipment the focus is on daily optimisation, updating and change; in contrast, risk is reduced when protective equipment is operated rarely, and then only by qualified personnel. Each access to protective equipment constitutes a risk, and changes are only permitted via a management of change process.


The international standard IEC 62443-3-3, ‘Industrial communication networks – Network and system security’, requires compartmentalisation of production networks. Individual zones are determined (enterprise network, control room, safety system, process control system, etc) that are connected via defined transitions (conduits).


In accordance with the respective data or protocols that must be exchanged, protection is installed at each conduit in the form of a firewall. It is strictly required that exchanged data be clearly defined. Protective measures can only be provided if this structure is known to the user.
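As an added illustration of the zone-and-conduit model described above (example code, not from the article), the following Python names the zones the text lists, defines a constructed conduit allow-list in which every permitted exchange is explicit and everything else is denied, and audits constructed sample flows against it; the host names, protocols and ports are assumptions.

```python
from collections import namedtuple

# A conduit carries one clearly defined exchange: source zone, destination
# zone, protocol and port. Anything not listed as a conduit is denied.
Conduit = namedtuple("Conduit", "src dst proto port")

# Zones named in the article; every host must belong to exactly one.
HOST_ZONES = {                      # constructed sample inventory
    "erp-01": "enterprise",
    "hmi-01": "control_room",
    "dcs-01": "process_control",
    "sis-01": "safety_system",
}

# Constructed allow-list. Note that no conduit reaches the safety system
# from the enterprise network, and the safety conduit carries one protocol.
ALLOWED = frozenset({
    Conduit("enterprise", "control_room", "https", 443),
    Conduit("control_room", "process_control", "opc-ua", 4840),
    Conduit("control_room", "safety_system", "modbus-tcp", 502),
})

def evaluate(src, dst, proto, port, host_zones=HOST_ZONES, allowed=ALLOWED):
    """Verdict for one flow as (verdict, reason); the default is deny."""
    sz, dz = host_zones.get(src), host_zones.get(dst)
    if sz is None or dz is None:
        return "deny", "host not assigned to any zone"
    if sz == dz:
        return "allow", f"intra-zone {sz}"
    if Conduit(sz, dz, proto, port) in allowed:
        return "allow", f"conduit {sz}->{dz} {proto}/{port}"
    return "deny", f"no conduit {sz}->{dz} {proto}/{port}"

def audit(flows, **kw):
    """Return the denied flows with their reasons, for review."""
    denied = []
    for flow in flows:
        verdict, why = evaluate(*flow, **kw)
        if verdict == "deny":
            denied.append((flow, why))
    return denied

# Constructed sample traffic as (src, dst, proto, port).
SAMPLE_FLOWS = [
    ("hmi-01", "dcs-01", "opc-ua", 4840),       # defined conduit
    ("hmi-01", "sis-01", "modbus-tcp", 502),    # defined conduit
    ("erp-01", "sis-01", "modbus-tcp", 502),    # enterprise -> safety: no conduit
    ("hmi-01", "sis-01", "ssh", 22),            # protocol not defined on conduit
    ("laptop-7", "sis-01", "modbus-tcp", 502),  # host outside any zone
]
```

Running `audit(SAMPLE_FLOWS)` reports the last three flows as denied, which is the point of requiring the exchanged data to be defined before any protective measure can be configured.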


The forthcoming revision of standard DIN IEC 61511-1, ‘Functional safety – Safety instrumented systems for the process industry sector’, moves in this direction. It advocates testing, evaluating and ensuring the independence, diversity and physical separation between levels of protection, and the avoidance of common cause errors between them.


Moreover, it includes the clear statement that a safety system should be physically separated where feasible. Current discussions in standardisation bodies such as NAMUR and DKE likewise address the topic that autonomous secure separation and an appropriately defined conduit are required for mastery of security risks. If there is doubt in this regard, automatic convenience functions must also be deactivated to reduce the complexity and thus the security risks.


A safety system must have a variety of security features to harden it against


www.engineerlive.com 13

