Thursday, March 2, 2017

Cybersecurity Guidance is Available for Industrial Safety Systems

By Eric Cosman, Cybersecurity Working Group  Co-Chair

Information systems employed in Operations (including industrial control systems) are often subject to very stringent requirements related to information integrity and performance. Functional needs such as these can lead to the identification of secondary requirements and constraints in areas such as cybersecurity. The challenges associated with securing industrial control and related systems have in turn been topics of considerable discussion, debate, and analysis for the past several years. The ISA99 committee and IEC Technical Committee 65 Working Group 10 have developed the 62443 series of standards that provide requirements and guidance on all aspects of the subject. This information is deliberately expressed in broad terms, allowing it to be applied across a wide range of industries and situations.

The content of cybersecurity-related standards and practices can be quite technical – even arcane – requiring further interpretation within a specific context before it can be effectively applied. Interpretation of “security-speak” in the context of a related discipline is essential in understanding the full implications of security requirements. This is particularly true in areas of specialization that may have their own established terminology and concepts. 

One such related discipline is the development, operation, and support of process safety systems. There is a growing realization that functional safety and information technology are related. It is important for both functional areas to understand the differences and overlaps, as well as the typical differences in how the IT professional views their requirements versus how a process control engineer views theirs.

In the process industries, Safety Instrumented Systems (SIS) represent one layer of protection that may be implemented to reduce risk. Other layers may consist of instrumented systems performing alarms, interlocks, permissive functions, or controls using devices within the basic process control system (BPCS), as well as non-instrumented systems such as relief devices, check valves, etc.  Traditional process hazard analysis (PHA) in the past, have generally excluded the potential for cyber related attacks to cause process safety incidents. Given that targeted attacks on industrial automation and control systems –  including the systems executing safety controls, alarms, and interlocks (SCAI) – have occurred and these systems are increasingly being connected to other business systems, cyber vulnerabilities represent a significant potential for common mode failure. As a result, it is necessary in today’s world to include cyber risk in the overall PHA.

The ISA84 committee developed a technical report (ISA-TR84.00.09) for this purpose. It describes how functional safety and cybersecurity should be integrated, starting with a new process plant at the initial scope stage and continuing throughout all phases of the life cycle. The report defines performance criteria to guard against internal and external security threats to the safety instrumented system, and includes specific guidance on how to implement, operate, and maintain system security without compromising the performance of safety controls, alarms, and interlocks within the control system.

The second edition of this report has recently been approved by the committee and will soon be available for use in the process safety community. Throughout its development there has been a liaison relationship between the ISA84 and ISA99 committees, ensuring that the guidance included in the report is consistent with the general concepts and requirements in the 62443 series.

Process safety engineers and others involved in this discipline are encouraged to use this report as a valuable reference in helping them to apply cybersecurity to their safety systems.

About the Author

Eric Cosman is the co-chair of the MESA Cybersecurity working group. He provides consulting and advisory services in the management of information technology solutions in Operations and Engineering, and has contributed to various standards committees, industry focus groups, and advisory panels. Eric is a past vice president of standards and practices at ISA, a member of the ISA Executive Board and co-chair of the ISA99 committee on industrial control systems security. You can reach him at 

No comments: