Safety meets security

March 2019 IS & Ex

The importance of the safety technology installed in machines and systems increases over the lifecycle of an application. However, as automation systems are networked with the IT world more and more, scenarios are likely to arise in which a different approach is required, especially for safety applications.

Security challenges are growing

As production and IT become inextricably linked within the framework of Industry 4.0, the security challenges grow with them. The network interfaces between office IT systems and production networks are a significant entry point for attackers. Examples of threats that industrial control systems currently face are:

• Infection with malware via the Internet.

• Introduction of malware via removable media and external hardware.

• Social engineering, i.e. manipulating people into particular modes of behaviour.

• Human error and sabotage.

• Unauthorised access to the system via remote maintenance solutions.

• Control components directly reachable from the Internet over IP.

A study by Kaspersky, conducted in 2017, found that nearly one in three cyber-attacks on industrial control system computers was directed against manufacturing companies. Experts expect the number of malware attacks to increase in 2019, with the focus on industrial systems. The worlds of safety and security meet when the automated solutions implemented for functional safety themselves become the target of attackers, so a common strategy must be developed for the future. The Triton malware, used in an attack on a Safety Instrumented System (SIS), is a recent case demonstrating that this scenario is far from hypothetical.

Indirect effect on the end product

Functional safety is the part of overall safety that depends on the correct functioning of the safety-related (control) system and other risk-reducing measures. Here the controller's task is to bring the system into a safe state when a critical fault occurs. The requirements for the quality of safety-relevant control components are described in the type-B standard EN ISO 13849 and in the IEC 61508/61511/62061 series. Depending on the level of risk, the corresponding risk-reducing measures are classified into safety levels: Performance Level (PL) under ISO 13849 or Safety Integrity Level (SIL) under IEC 61508.

In contrast to functional safety, security protects assets against damage resulting from intentional or inadvertent attacks on the availability, integrity and confidentiality of their data. It relies on preventive or reactive technical and/or organisational measures. If security is disregarded in the safety domain, the consequences are not limited to the production facilities themselves; they can indirectly affect the production process and therefore the end product. With pharmaceutical products or safety-relevant automotive components, it is easy to see how the effects on consumers could be significant. IEC 61511-1 therefore requires an IT (security) risk assessment to be carried out for safety equipment in the process industry. Operators of process control engineering (PCE) safety equipment who perform the IT risk assessment as specified in the corresponding NAMUR worksheet and implement the measures identified will very likely have assessed their PCE safety equipment in accordance with the current state of the art and thereby fulfilled their duty-of-care obligations.

Active search for weak points

When considering functional safety and IT security together, the potential risk must be determined by a risk assessment or an IT threat analysis. Here a considerable difference in approach is already evident. The risks that design engineers must consider in the risk assessment required by the Machinery Directive, mechanical or electrical hazards for example, tend to stay the same over time, whereas the environment in which IT security experts operate is constantly changing. In the security case, attackers are continually and actively looking for ways to exploit vulnerabilities; in functional safety terms, such vulnerabilities would be classed as systematic faults.

Another important aspect to consider is the human factor. In machine safety, the term 'foreseeable misuse' describes situations in which safety equipment, such as a door switch, is defeated by operating personnel. With large-scale cyber-attacks on industrial systems, on the other hand, it must be assumed that the attacker brings a high degree of criminal intent and resources.

Initial approach in a NAMUR worksheet

To safeguard the product life cycle of safety-oriented systems and components, manufacturers, system integrators and operators are required under Functional Safety Management in accordance with IEC 61508 to adopt a quality management approach that reflects the requirements of the situation. The security world has a comparable framework in Information Security Management in accordance with the ISO/IEC 27000 series. Given this much common ground, it should now be possible to interlink the two spheres of safety and security activity in practice.

The worksheet published by NAMUR, titled IT risk assessment of PCE safety equipment, adopts an initial pragmatic approach in this direction. It describes an IT risk assessment method that takes the IEC 62443 security standard as its starting point in order to raise the capability of the PCE safety equipment to withstand IT threats. To this end, the three steps of phase 1 were performed once, as an example, for a system typical of those found in the NAMUR member companies. This allows users to gauge how well the method fits the PCE safety equipment they have to assess. The fourth step, monitoring implementation of the measures and documenting the IT security requirements and boundary conditions, must be carried out individually for every item of PCE safety equipment to be evaluated and constitutes phase 2.

No adverse effects on functional integrity

From the hardware and software perspective, the system being examined can be subdivided into three zones:

• The core PCE safety equipment in zone A comprises the PCE safety equipment as defined in IEC 61511-1: the logic system, the input and output modules including remote I/O, and the actuators and sensors. Connections and, where present, network components such as cables or switches that are used to interconnect devices located in zone A are also allocated to this zone.

• Components that are not necessary for implementation of the safety function but could nonetheless influence the behaviour of the core PCE safety equipment are allocated to the extended PCE safety equipment in zone B. These could be operator/control panels, visualisation stations, the programming unit for the PCE safety equipment, and also devices for sensor/actuator configuration.

• Components and systems that are neither directly nor indirectly part of the PCE safety equipment but may nonetheless be linked to the safety function belong to the zone referred to as 'environment'. Examples are reset requests and the visualisation of the status of the safety function.

The common objective of this zoning is to ensure that the functional integrity of the safety equipment is not compromised by feedback effects from the environment.
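The three-zone model above lends itself to a simple automated consistency check over an asset inventory. The following Python is an added example, not code from the article, NAMUR or Phoenix Contact: it assigns each asset to zone A, zone B or the environment, declares which inter-zone conduits exist and which kind of traffic ('read' for status leaving a zone, 'write' for commands, configuration or resets entering one) each conduit is justified to carry, and then flags every flow that could act on the core safety equipment without a matching declared conduit. The zone ranking, the read/write classification and the rule that an inbound write may not skip a zone are assumptions of this example, loosely modelled on IEC 62443 zone-and-conduit thinking; the asset names and flows are constructed for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# Zones from the three-zone model described above. The rank expresses
# proximity to the safety function: a flow toward a higher rank is "inbound".
# (Ranking is an assumption of this example, not part of the NAMUR worksheet.)
ZONE_A, ZONE_B, ENV = "A", "B", "ENV"
ZONE_RANK = {ZONE_A: 2, ZONE_B: 1, ENV: 0}


@dataclass(frozen=True)
class Asset:
    name: str
    zone: str


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    kind: str  # "read": status/diagnostics leave a zone; "write": commands, config or reset enter it


@dataclass(frozen=True)
class Conduit:
    src_zone: str
    dst_zone: str
    kinds: FrozenSet[str]  # flow kinds the conduit was designed and justified to carry


def check_flows(assets: List[Asset], flows: List[Flow],
                conduits: List[Conduit]) -> List[Tuple[Flow, str]]:
    """Return (flow, reason) findings for every flow that could influence the
    core safety equipment without a declared, matching conduit."""
    zone_of = {a.name: a.zone for a in assets}
    allowed = {(c.src_zone, c.dst_zone): c.kinds for c in conduits}
    findings: List[Tuple[Flow, str]] = []
    for f in flows:
        if f.src not in zone_of or f.dst not in zone_of:
            findings.append((f, "asset not in inventory"))
            continue
        sz, dz = zone_of[f.src], zone_of[f.dst]
        if sz == dz:
            continue  # intra-zone traffic is outside the scope of this check
        kinds = allowed.get((sz, dz))
        if kinds is None:
            findings.append((f, f"no conduit {sz}->{dz}"))
        elif f.kind not in kinds:
            findings.append((f, f"conduit {sz}->{dz} does not carry '{f.kind}'"))
        # An inbound write that jumps more than one zone (environment straight
        # into zone A) bypasses the extended equipment layer; flag it even if
        # someone has declared a conduit for it.
        if f.kind == "write" and ZONE_RANK[dz] - ZONE_RANK[sz] > 1:
            findings.append((f, "write into core safety equipment directly from environment"))
    return findings


def audit() -> List[Tuple[Flow, str]]:
    """Run the check over a constructed inventory (illustrative data only)."""
    assets = [
        Asset("logic_solver", ZONE_A), Asset("remote_io", ZONE_A),
        Asset("pressure_tx", ZONE_A),
        Asset("eng_station", ZONE_B), Asset("hmi_panel", ZONE_B),
        Asset("plant_historian", ENV), Asset("bpcs_operator_ws", ENV),
    ]
    conduits = [
        Conduit(ZONE_A, ZONE_B, frozenset({"read"})),   # status to operator panels
        Conduit(ZONE_B, ZONE_A, frozenset({"write"})),  # engineering downloads
        Conduit(ZONE_A, ENV, frozenset({"read"})),      # status visualisation
        Conduit(ENV, ZONE_B, frozenset({"read"})),      # historian polls the HMI
    ]
    flows = [
        Flow("logic_solver", "hmi_panel", "read"),
        Flow("eng_station", "logic_solver", "write"),
        Flow("logic_solver", "plant_historian", "read"),
        Flow("remote_io", "logic_solver", "write"),         # intra-zone, ignored
        Flow("bpcs_operator_ws", "logic_solver", "write"),  # reset issued from the BPCS
        Flow("plant_historian", "hmi_panel", "write"),      # conduit is read-only
        Flow("ghost_laptop", "eng_station", "write"),       # device missing from inventory
    ]
    return check_flows(assets, flows, conduits)


if __name__ == "__main__":
    for flow, reason in audit():
        print(f"{flow.src} -> {flow.dst} ({flow.kind}): {reason}")
```

Running the block reports four findings: the BPCS workstation writing a reset straight into the logic solver (no conduit, and it skips zone B), the historian writing to the HMI over a conduit that was only justified for reads, and a laptop that is not in the inventory at all. In a real phase 2 assessment each finding would map to either a documented conduit with its security requirements or a measure that removes the flow.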

Comprehensive training of relevant personnel

Measures must be taken to limit the effects of compromised PCE safety equipment and to counteract threats. The human factor plays a significant role here: the article's premise is that more than 50% of cybersecurity incidents are ultimately attributable to the actions of employees. It is therefore important to have a named IT security officer responsible for the safety equipment. Beyond that, everyone involved in specifying and designing the safety equipment should be made aware of automation security and trained accordingly. It is also advisable for the end user to conclude confidentiality agreements with all contractual partners, i.e. manufacturers, suppliers and external operators, to safeguard information and knowledge relating to the safety system.

Components, software tools and solutions from Phoenix Contact support users with a flexible and economical combination of safety and security technology to increase their competitive edge in the international market. This is complemented by a comprehensive range of services that gives system planners and operators a service portfolio tailored to their requirements throughout the entire safety lifecycle.

Cloud-based provision of key safety system data

The Proficloud from Phoenix Contact provides companies with information that helps optimise production processes. Safety of machinery remains a critical issue for plant engineers and machine operators: although safety applications are designed first of all to protect the users of the machine, they can also cause unplanned downtime. The ability to access safety system data via the IIoT in real time and turn it into meaningful information has considerable potential.

With Profinet-based control solutions, status information for standard and safety functions is transmitted continuously to the Proficloud. Adopting a holistic approach to resources and machinery gives operators and designers a whole new range of options for increasing operational performance.

For more information contact Sheree Britz, Phoenix Contact, +27 11 801 8200.
