Functional Safety & Cyber Security Lifecycle Management · 2019-05-28 · Proper Safety & Cyber Security Lifecycle Management

Page 1:

ICHEME HAZARDS 29 CONFERENCE | BIRMINGHAM | MAY 22-24, 2019

Functional Safety & Cyber Security Lifecycle Management
Development of a Combined Lifecycle Management Approach

John Walkington, Global Manager, ABB Global FSM Technical Authority

Suresh Sugavanam, Principal Functional Safety and Security Consultant, ABB Global FSM Technical Authority

Page 2:

A Combined Lifecycle Management Approach

Functional Safety & Cyber Security Lifecycle Management

May 28, 2019 IChemE Hazards 29 Conference, Birmingham.Slide 2

Speaker

Suresh Sugavanam

– Principal Functional Safety & Security Consultant

– TÜV Rheinland FS Expert

– ABB Limited

– St. Neots, United Kingdom

– [email protected]

Page 3:

—A Definition in the Context of Power and Automation Technology


Cyber security: Measures taken to protect a computer or computer system (as on the Internet) against unauthorized access or attack [1]

Cyber security: Measures taken to protect the reliability, integrity, and availability of power and automation technologies against unauthorized access or attack [2]

Requirements for IACS

| | Information Technology (IT) | Operational Technology (OT) |
|---|---|---|
| Attacker main objective | Access and steal information owned by the target system | Cause production disturbance / shutdown |

1. Merriam-Webster's dictionary
2. ISA99 / IEC 62443

Page 4:

—Cyber Security Concerns on IACS – Managing the Risk


─ Cyber attacks on IACS can lead to:

• Off-spec product / losing consumer confidence

• Equipment damage / production loss

• Environmental consequences / endangering public health

• Personnel injury / fatalities

─ Cyber Security Level will generally be higher than the Safety Integrity Level for a specific plant because an attack can affect many systems/equipment simultaneously (common cause and common mode failures)

─ SIL is usually related to individual risk and CSL may be related to societal risk….

Page 5:

Comparison of IT and IACS Disciplines

Organisational Risk Culture


| Dimension | IT | IACS |
|---|---|---|
| Technology lifecycle | 3-5 years | 20+ years |
| Availability | Occasional outages tolerated | Outages not tolerable |
| Response time performance | Usually not considered | One of the key parameters |
| Patching | Timely | Less frequent / as required |
| Cybersecurity awareness | Good | Improving |
| Process safety risk awareness | Usually not considered | Good |
| Changes | Easier to implement | More challenging to implement |
| Safety & security integrity awareness | Reduced | Good |

Page 6:

—Why do you need a robust Lifecycle management approach for IACS Cyber Security?


─ IACS are increasing in accessibility and connectivity with the use of information technology (IT) solutions and off the shelf technology

─ Businesses are continually developing their Information Management Systems (IMS) to gain a competitive advantage

─ This means accessing information down at the IACS level and together with the use of current operator interface platforms, may provide the potential for increased vulnerability to a cyber-attack

─ In today's world, neither functional safety nor information technology is independent of the other

─ Safety systems and cybersecurity are interdependent

Page 7:

—Managing Safety & Cyber Security - 4 key questions should be addressed:


Do you know your infrastructure and systems?

Can you identify potentially malicious activities?

Can you really defend yourselves?

Can you recover from any incident?

Do you have a defined lifecycle management process implemented for addressing these questions?

Page 8:

—Managing Safety & Cyber Security – Practically, this means...


Your defence mechanism:

─ Is it layered?

─ Do you have defence in depth and robustness in place?

─ Have you tested to verify this is the case?

Know your system:

─ What does it look like?

─ Is the IACS boundary defined for the project?

─ Is it ageing or distributed? Have you carried out an upgrade of a subsystem lately?

─ Do you have the latest topology, proper documentation and information about all assets (an inventory database including IP address, OS used and applications installed)?

─ Where will you find all this information?
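The "know your system" questions above come down to one check that can be automated: does the documented asset inventory match what is actually on the IACS network, and is every record complete? The script below is an added example, not code from the slides or from ABB. The inventory records, the addresses seen by passive monitoring, the IACS subnets and the list of operating systems treated as unsupported are all constructed assumptions for illustration.

```python
"""Reconcile the documented IACS asset inventory against hosts observed on the network.

Added example, not from the slides or from ABB. All data below are constructed.
"""
import ipaddress
from dataclasses import dataclass, field

# Documented inventory, with the fields the slide asks for: IP, OS, applications.
# (Constructed records; hostnames and OS strings are assumptions.)
DOCUMENTED = [
    {"ip": "10.10.1.10", "name": "eng-ws-01", "os": "Windows 10",
     "apps": ["Engineering Tool", "Historian Client"]},
    {"ip": "10.10.1.20", "name": "hmi-01", "os": "Windows 7", "apps": ["HMI Runtime"]},
    {"ip": "10.10.2.5", "name": "sis-ctrl-a", "os": "Safety Controller FW 3.2", "apps": []},
    {"ip": "10.10.1.40", "name": "old-server", "os": "Windows Server 2008", "apps": ["Historian"]},
    {"ip": "10.10.1.50", "name": "", "os": "", "apps": []},   # incomplete record
]

# Addresses seen by passive monitoring, e.g. ARP / broadcast traffic (constructed).
OBSERVED = ["10.10.1.10", "10.10.1.20", "10.10.2.5", "10.10.1.77", "192.168.5.9"]

# Assumed tuning data: the defined IACS boundary, the fields every record must have,
# and OS versions the site treats as unsupported.
IACS_NETWORKS = [ipaddress.ip_network("10.10.1.0/24"), ipaddress.ip_network("10.10.2.0/24")]
REQUIRED_FIELDS = ("name", "os")
UNSUPPORTED_OS = {"Windows 7", "Windows Server 2008"}


@dataclass
class Findings:
    undocumented: list = field(default_factory=list)     # on the wire, not in the inventory
    not_seen: list = field(default_factory=list)         # in the inventory, not on the wire
    incomplete: list = field(default_factory=list)       # records missing required fields
    unsupported_os: list = field(default_factory=list)   # records with an unsupported OS
    out_of_boundary: list = field(default_factory=list)  # observed outside the IACS boundary


def in_boundary(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in IACS_NETWORKS)


def reconcile(documented, observed) -> Findings:
    """Compare documented records with observed addresses and report each discrepancy."""
    f = Findings()
    by_ip = {a["ip"]: a for a in documented}
    seen = set(observed)
    for ip in observed:
        if ip not in by_ip:
            f.undocumented.append(ip)
        if not in_boundary(ip):
            f.out_of_boundary.append(ip)
    for a in documented:
        if a["ip"] not in seen:
            f.not_seen.append(a["ip"])
        if any(not a.get(k) for k in REQUIRED_FIELDS):
            f.incomplete.append(a["ip"])
        if a.get("os") in UNSUPPORTED_OS:
            f.unsupported_os.append(a["ip"])
    return f


if __name__ == "__main__":
    result = reconcile(DOCUMENTED, OBSERVED)
    for category, ips in vars(result).items():
        print(f"{category:16s} {ips}")
```

Each list in the result maps to one of the slide's questions: undocumented and out-of-boundary hosts mean the topology or the IACS boundary is not what the documentation says, stale records mean a subsystem was changed without updating the inventory, and incomplete or unsupported-OS records are the inputs the security risk assessment and patch planning need.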

Identify malicious activities:

─ Has the security risk assessment been performed (including system vulnerability and threat identification and the countermeasure requirements specification)?

─ Have you implemented a proper level of monitoring?

─ Do you have alerts active?

─ Do you have the right logic in place to identify malicious activities?

─ Have you tested your solutions?

─ Have you tuned your solutions?

─ Do you have competent people available to deliver and interpret such requirements?
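"The right logic to identify malicious activities" is easiest to judge on a concrete case. The script below is an added example, not from the slides or from ABB: it runs three detection rules over a safety-controller audit log and shows the tuning knobs (authorised engineering stations, maintenance window, failed-login threshold) that decide whether an alert is a true positive. The log format, hosts, users, event names and thresholds are constructed assumptions; a real deployment would consume the controller's own audit log format.

```python
"""Detection rules for privileged operations on a safety controller, run over sample logs.

Added example, not from the slides or from ABB. Log lines, hosts and rules are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit-log lines, one event per line, key=value after the timestamp.
SAMPLE_LOG = """\
2019-05-28T09:58:01 src=10.10.1.10 dst=10.10.2.5 user=eng1 event=LOGIN result=OK
2019-05-28T10:02:11 src=10.10.1.10 dst=10.10.2.5 user=eng1 event=PROGRAM_DOWNLOAD result=OK
2019-05-28T10:40:05 src=10.10.1.77 dst=10.10.2.5 user=admin event=LOGIN result=FAIL
2019-05-28T10:40:09 src=10.10.1.77 dst=10.10.2.5 user=admin event=LOGIN result=FAIL
2019-05-28T10:40:14 src=10.10.1.77 dst=10.10.2.5 user=admin event=LOGIN result=FAIL
2019-05-28T10:41:00 src=10.10.1.77 dst=10.10.2.5 user=admin event=LOGIN result=OK
2019-05-28T10:41:30 src=10.10.1.77 dst=10.10.2.5 user=admin event=FORCE_IO result=OK
2019-05-28T23:15:00 src=10.10.1.10 dst=10.10.2.5 user=eng1 event=MODE_CHANGE result=OK
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kv>.*)$")

# Tuning knobs (assumptions): which controllers are the SIS, which hosts may perform
# privileged actions on them, when maintenance is permitted, and the brute-force threshold.
SIS_CONTROLLERS = {"10.10.2.5"}
AUTHORISED_ENG_STATIONS = {"10.10.1.10"}
PRIVILEGED_EVENTS = {"PROGRAM_DOWNLOAD", "FORCE_IO", "MODE_CHANGE"}
MAINTENANCE_WINDOW = (datetime(2019, 5, 28, 8, 0), datetime(2019, 5, 28, 18, 0))
FAIL_THRESHOLD, FAIL_WINDOW = 3, timedelta(minutes=5)


def parse(log_text):
    """Turn each log line into a dict of its key=value fields plus a datetime 'ts'."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = dict(kv.split("=", 1) for kv in m.group("kv").split())
        ev["ts"] = datetime.fromisoformat(m.group("ts"))
        events.append(ev)
    return events


def detect(events):
    """Return (rule, source host, timestamp) for every rule hit, in log order."""
    alerts = []
    fails = defaultdict(list)   # source host -> timestamps of failed logins
    for ev in events:
        if ev["dst"] not in SIS_CONTROLLERS:
            continue
        # Rule 1: repeated failed logins to the SIS from one host within FAIL_WINDOW.
        if ev["event"] == "LOGIN" and ev["result"] == "FAIL":
            fails[ev["src"]].append(ev["ts"])
            recent = [t for t in fails[ev["src"]] if ev["ts"] - t <= FAIL_WINDOW]
            if len(recent) >= FAIL_THRESHOLD:
                alerts.append(("SIS_LOGIN_BRUTE_FORCE", ev["src"], ev["ts"]))
                fails[ev["src"]].clear()   # one alert per burst
        # Rules 2 and 3: a successful privileged action from a host that is not an
        # authorised engineering station, or from one outside the maintenance window.
        if ev["event"] in PRIVILEGED_EVENTS and ev["result"] == "OK":
            if ev["src"] not in AUTHORISED_ENG_STATIONS:
                alerts.append(("SIS_PRIVILEGED_FROM_UNAUTHORISED_HOST", ev["src"], ev["ts"]))
            elif not (MAINTENANCE_WINDOW[0] <= ev["ts"] <= MAINTENANCE_WINDOW[1]):
                alerts.append(("SIS_PRIVILEGED_OUTSIDE_WINDOW", ev["src"], ev["ts"]))
    return alerts


if __name__ == "__main__":
    for rule, src, ts in detect(parse(SAMPLE_LOG)):
        print(f"{ts.isoformat()}  {rule:40s} from {src}")
```

On the sample log the legitimate program download at 10:02 from the engineering station raises nothing, while the failed-login burst, the I/O force from an unknown host and the late-night mode change each produce one alert. "Tuning" in the sense of the slide is the maintenance of AUTHORISED_ENG_STATIONS and MAINTENANCE_WINDOW under change management, so that a planned outage does not show up as a string of false positives.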

Recovery:

─ Are the recovery plan and procedures available?

─ If an incident did happen, do you know how fast you would be able to react and recover?

─ Have you identified your strategy to achieve your goals?

─ Do you have all the backups, right resources and competencies to achieve this in place?

─ Are the staff trained in recovery procedure execution?

Page 9:

—Proper Safety & Cyber Security Lifecycle Management


Requirements:

• Management Process

• Technology & Application Countermeasures

• Competency Assurance

• Human Factors

IEC 61511: The policy and strategy for achieving functional safety shall be identified, together with the methods for evaluating their achievement, and shall be communicated within the organisation.

IEC 62443: Program designed by an organization to maintain the cyber security of the entire organization’s assetsto an established level of confidentiality, integrity and availability, whether they are on the business side or the IACS side of the organization.

ISA 84.00.09: An organization’s functional safety policy and strategy should be underpinned by an organizational cybersecurity strategy, both of which will be supported by robust performance measurement procedures.

Page 10:

—Functional Safety Lifecycle


IEC 61511 Safety Lifecycle

Three Key Management Process Stages:

─ Assessment Phase

─ Develop & Implement Phase

─ Operate & Maintain Phase

What does IEC 61511 specifically require for security for SIS?

IEC 61511 safety lifecycle (figure):

1. Hazard and risk assessment
2. Allocation of safety functions to protection layers
3. Safety requirements specification for the SIS
4. Design and engineering of SIS (in parallel: design and development of other means of risk reduction)
5. Installation, commissioning and validation
6. Operation and maintenance
7. Modification
8. Decommissioning

Activities spanning all phases:

9. Verification
10. Management of functional safety and functional safety assessment and auditing
11. Safety life-cycle structure and planning

Page 11:

—IEC 61511-1: 2016 Requirements Related to Cyber Security


8.2.4 A security risk assessment shall be carried out to identify the security vulnerabilities of the SIS. It shall result in:

• a description of the devices …;

• a description of identified threats …;

• a description of the potential consequences …;

• consideration of various phases such as design, implementation, commissioning, operation, and maintenance;

• the determination of requirements for additional risk reduction;

• a description of, or references to information on, the measures taken to reduce or remove the threats.

– 11.2.12 The design of the SIS shall be such that it provides the necessary resilience against the identified security risks (see 8.2.4).

– NOTE Guidance related to SIS security is provided in ISA TR84.00.09, ISO/IEC 27001:2013, and IEC 62443-2-1:2010.

Page 12:

—Cyber Security – Policy for IACS (ISA TR84.00.09)


The functional safety policy and strategy should be underpinned by an organizational cyber security policy and strategy, and both shall be supported by robust performance measurement procedures

Policy and procedures may include staff training, awareness programs, testing programs, change management programs, identification and authorisation procedures and the like

Those responsible for the execution and/or measurement of the performance for each of the security lifecycle phases should be clearly identified and then communicated to applicable personnel so that they understand their accountabilities and responsibilities

Page 13:

—Competency Management – Safety & Security / Cybersecurity


IEC 61511

─ Persons, departments, organizations or other units which are responsible for carrying out and reviewing each of the safety life-cycle phases shall be identified and be informed of the responsibilities assigned to them

─ Persons, departments or organizations involved in safety life-cycle activities shall be competent to carry out the activities for which they are accountable

─ A procedure shall be in place to manage competence of all those involved in the safety life cycle

─ Periodic assessments shall be carried out to document the competence of individuals against the activities they are performing and on change of an individual within a role

IEC 62443

─ All personnel should receive adequate technical training associated with the known threats and vulnerabilities of hardware, software and social engineering

─ In the area of IACS, the same emphasis should be placed on cyber security as on safety and operational integrity, because the consequences can be just as severe.

─ Security awareness for all personnel is an essential tool for reducing cyber security risks. Knowledgeable and vigilant staff are one of the most important lines of defence in securing a system.

─ It is therefore important for all personnel to understand the importance of security in maintaining the safe operation of the system

In other words… a similar Competency Management Process…

Page 14:

—Why have a combined safety & cyber security lifecycle management approach?


Optimising the cost and effectiveness of safety & cyber security lifecycle management:

─ Similar requirements for the management 'process': an efficient and robust QMS/IMS/FSM/CSM system (focus, clarity, guidance)

─ Managing 'risk' (identification of hazards, threats and vulnerabilities) is a common element (centralisation, ease of review/maintenance and overall visibility)

─ Need similar competencies to be applied for risk assessment, design, engineering, operation and maintenance – avoidance of ‘Silo Mentality’ (roles, responsibilities, raising awareness and competency assurance)

─ Need similar performance Audits and Assessments to support risk management/assumptions (common approach, schedule visibility and support for culture change)

Page 15:

—Functional Safety and Cyber Security Lifecycles – Combined Lifecycle Strategy


Both lifecycles are drawn against the same three phases: Assess phase; Develop & implement phase; Maintain phase.

IEC 62443 cyber security lifecycle (figure):

1. High-level cyber risk assessment (ISA 62443-3-2)
2. Allocation of IACS assets to security zones or conduits (ISA 62443-3-2)
3. Detailed cyber risk assessment (ISA 62443-3-2)
4. Cybersecurity requirements specification (ISA 62443-3-2)
5. Design and engineering of cybersecurity countermeasures (in parallel: design and development of other means of risk reduction)
6. Installation, commissioning and validation of cybersecurity countermeasures (62443-2-4)
7. Cybersecurity maintenance, monitoring and management of change (ISA 62443-2-1)
8. Cyber incident response & recovery (ISA 62443-2-1)

Activities spanning all phases:

─ Cyber Security Management System: policies, procedures, training & awareness (ISA 62443-2-1)
─ Periodic cybersecurity audits (ISA 62443-2-1)

IEC 61511 functional safety lifecycle (figure):

1. Hazard and risk assessment
2. Allocation of safety functions to protection layers
3. Safety requirements specification for the SIS
4. Design and engineering of SIS (in parallel: design and development of other means of risk reduction)
5. Installation, commissioning and validation
6. Operation and maintenance
7. Modification
8. Decommissioning

Activities spanning all phases:

9. Verification
10. Management of functional safety and functional safety assessment and auditing
11. Safety life-cycle structure and planning
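Step 2 of the cyber security lifecycle, allocating IACS assets to zones and conduits, is the counterpart of allocating safety functions to protection layers, and it can be checked in the same way: every observed communication must stay inside a zone or travel over a declared conduit. The script below is an added example, not code from the slides or from ABB or ISA. The zones, target security levels, asset allocation, conduits and observed flows are constructed assumptions; only the vocabulary (zone, conduit, SL-T) is IEC 62443-3-2's.

```python
"""Allocate IACS assets to zones and check observed traffic against declared conduits.

Added example, not from the slides or from ABB/ISA. All zones, assets, conduits and
flows are constructed; SL-T values are assumed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Zone:
    name: str
    sl_t: int   # target security level of the zone (assumed values)


ZONES = {z.name: z for z in [
    Zone("Enterprise", 1), Zone("DMZ", 2), Zone("Control", 2), Zone("SIS", 3),
]}

# Allocation of assets (by IP) to zones. An address missing here is an allocation gap.
ASSET_ZONE = {
    "10.1.0.15": "Enterprise",
    "10.5.0.10": "DMZ",        # historian / jump host
    "10.10.1.10": "Control",   # engineering workstation
    "10.10.1.20": "Control",   # HMI
    "10.10.2.5": "SIS",        # safety controller
}

# Declared conduits as (from_zone, to_zone, protocol). Anything between zones that is
# not listed is not allowed; traffic inside one zone is not checked here.
CONDUITS = {
    ("Enterprise", "DMZ", "https"),
    ("DMZ", "Control", "opc-ua"),
    ("Control", "SIS", "safety-eng"),
    ("SIS", "Control", "modbus"),
}

# Observed flows (constructed), e.g. from a passive network capture.
OBSERVED_FLOWS = [
    ("10.1.0.15", "10.5.0.10", "https"),        # enterprise -> DMZ, declared
    ("10.5.0.10", "10.10.1.20", "opc-ua"),      # DMZ -> control, declared
    ("10.10.1.10", "10.10.2.5", "safety-eng"),  # eng station -> SIS, declared
    ("10.1.0.15", "10.10.2.5", "safety-eng"),   # enterprise -> SIS directly: no conduit
    ("10.10.1.20", "10.10.2.5", "modbus"),      # HMI -> SIS: only SIS -> Control is declared
    ("10.10.1.77", "10.10.2.5", "safety-eng"),  # host not allocated to any zone
]


def check_flow(src, dst, proto):
    """Return None if the flow is permitted by the zone/conduit model, else the reason."""
    zs, zd = ASSET_ZONE.get(src), ASSET_ZONE.get(dst)
    if zs is None or zd is None:
        return f"unallocated asset: {src if zs is None else dst}"
    if zs == zd:
        return None
    if (zs, zd, proto) in CONDUITS:
        return None
    return f"no conduit {zs}->{zd} for {proto}"


def check_flows(flows):
    """List every observed flow that the model does not permit, with its reason."""
    violations = []
    for src, dst, proto in flows:
        reason = check_flow(src, dst, proto)
        if reason is not None:
            violations.append((src, dst, proto, reason))
    return violations


def conduits_into_higher_sl():
    """Declared conduits that enter a zone with a higher SL-T than their source zone;
    the boundary countermeasures on these must be dimensioned for the destination zone."""
    return sorted(c for c in CONDUITS if ZONES[c[1]].sl_t > ZONES[c[0]].sl_t)


if __name__ == "__main__":
    for src, dst, proto, reason in check_flows(OBSERVED_FLOWS):
        print(f"VIOLATION {src} -> {dst} ({proto}): {reason}")
    for c in conduits_into_higher_sl():
        print("conduit into higher-SL zone:", c)
```

Run against the constructed flows, the three permitted paths pass and the three others are reported: the direct enterprise-to-SIS connection, which would bypass the DMZ conduit even though the protocol is one the SIS accepts; the HMI-to-SIS Modbus flow, whose only declared conduit runs the other way; and a host no one has allocated to a zone, which is the same finding as an undocumented asset in the inventory check.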

Page 16:

—Functional Safety / Cyber Security Lifecycle Integration


Common requirements for management, planning & verification (figure, shared across both lifecycles):

─ Functional safety management / cyber security management

─ Functional safety planning / cyber security planning

─ Functional safety verification / cyber security verification

Key functional safety lifecycle activities (IEC 61508 / 61511 standards):

─ Plant functional safety concept

─ Process risk assessment

─ SIS design

─ SIS O&M

─ SIS decommissioning

Corresponding cyber security lifecycle activities (IEC 62443 suite of standards and ISA TR84.00.09):

─ Plant cyber security concept

─ Cyber security risk assessment

─ IACS* security design

─ IACS cyber security O&M

─ IACS cyber security decommissioning

Page 17:

—Cyber Security vs. Functional Safety – Similar, but different.....


Similarities

─ Cyber security and functional safety standards are both performance based

─ Both call for achieving a safety culture

─ Both are about processes (supporting systematic capability)

─ Both require competency management

─ Both require adequate maintenance and regular audit / assessment

─ Failures in either can cause potentially dangerous events

Differences

─ Functional safety is more static and more predictable (threats are generally known)

─ Cyber security risk is constantly changing (threats change due to technology obsolescence and the attacker is constantly evolving)

─ Functional safety risk may be quantified, whereas cyber security risk is based on qualitative measures

Page 18:

—Summary


─ Potential to integrate requirements from the FS and CS standards into one management ‘process’ and establish into company QMS

─ Baselining the relevant IEC clauses against the existing company procedures supports corporate memory and ease of explanation to both internal and external stakeholders

─ Supports holistic ‘safety’ & ‘security’ claims for both functional safety & cyber security requirements

─ Provides focus and cross working team requirements to improve ‘safety culture’, awareness and communications within the organisation

─ Supports the business drivers to constantly monitor and manage ‘the current operational risk’

Remember Good Safety & Security = Good Business….

Page 19:

If you have questions, please contact me further

Q&A and contact information

Suresh Sugavanam

– ABB Global FSM Technical Authority U.K.

– Phone: +44 (0) 1480 488365

– Mobile: +44 (0) 7718 704 525

[email protected]
