IEC 61511 Security Requirement – Cyber Security And What It Means for you


Figure: Example network security architecture (from ISA-62443 Part 1-1)

Traditionally, the process industry and the regulatory bodies have been primarily concerned with the safety risk associated with Industrial Automation and Control Systems (IACS). As a result, there are well-established process and functional safety management regimes, supported by hazard identification and risk analysis methods such as Hazard and Operability (HAZOP) Studies, Layers of Protection Analysis (LOPA), and Quantitative Risk Assessment (QRA). IEC 61511 (Functional Safety – Safety instrumented systems for the process industry sector) has been widely adopted as the functional safety standard for the process industry.

Cyber Security Risk of IACS

There is increasing concern about the cyber security risk of IACS. This is because:

Modern IACS is more susceptible to a cyber attack

There is a steady increase in the network connectivity of IACS with the adoption of Commercial Off The Shelf (COTS) hardware and software, and standard network protocols (e.g. IP). This has made modern IACS more susceptible to cyber attacks, which have plagued IT systems since the dawn of the Internet.

IACS security breaches may have high consequences

Cyber attacks could lead to malfunction or unavailability of IACS or render Safety Instrumented Systems (SIS) inoperable. IACS security risk has the potential to result in accidents with major health, safety or environmental consequences.

Recent Security Breaches

Simply put, if an IACS is not secure, it is not safe. This is borne out by a sample of security breaches that have taken place in recent years:

  • Ukraine. Attackers gained remote access and manipulated the industrial control systems of a regional electricity distribution company and shut down power for some 225,000 Ukrainian power customers for several hours [1]
  • Germany. An attack on a steel works in Germany caused significant damage by disrupting the control systems such that a blast furnace could not be properly shut down [2]
  • ‘Stuxnet worm’. Damaged centrifuges at an Iranian nuclear facility (through use of USB) [3]

Standards and Compliance

Standards and regulatory bodies have responded to the increased cyber security risk to IACS, for example:

  • In the recently published (2016) edition 2 of IEC 61511, there is a new explicit requirement to conduct a security risk assessment (IEC 61511, Part 1, Clause 8.2.4).
  • The UK Health and Safety Executive (HSE) has drafted Operational Guidance for HSE Hazardous Installations Directorate (HID) Electrical, Control and Instrumentation (EC&I) Specialist Inspectors on the subject of Cyber Security for IACS and SIS.

Is your plant compliant with the security requirements from IEC 61511 edition 2, or ready for HSE inspection under the new guidance on cyber security? What does this mean for you?

To answer this question, you need to ask yourself the following questions:

  • Is there a security management system in place? The cyber security management system should cover the following topics as a minimum:
    • Corporate cyber security policy
    • Competency
    • Requirements on cyber security risk assessment
    • Cyber security audit
    • Cyber security performance monitoring
    • Change management
  • Has a security risk assessment been conducted for the IACS and SIS?
    • Are the IACS and SIS connected to a Local Area Network (LAN), a Wide Area Network (WAN), or the Internet?
    • Are the IACS and SIS vulnerable to a cyber attack?
    • What are the assets, threats, vulnerabilities, existing countermeasures, and the resulting cyber security risks?
    • What are the cyber security requirements to reduce risk?

ESC and Industrial Control Systems Cyber Security

ESC offers the following cyber security services in support of our functional safety services (in accordance with IEC 61508 and IEC 61511):

  • Cyber security management system
  • Cyber security risk assessment

See ESC’s Industrial Control Systems Cyber Security page for more details.

[1] http://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf

[2] https://ics.sans.org/media/ICS-CPPE-case-Study-2-German-Steelworks_Facility.pdf

[3] http://www.langner.com/en/wp-content/uploads/2013/11/To-kill-a-centrifuge.pdf