Search
-
Recent Posts
Recent Comments
- Gabi Spencer on The importance of Process Hazard Analysis studies
- Ephraim Gasitene Phonela on The importance of Process Hazard Analysis studies
- Gabi Spencer on ESC’s TÜV Rheinland Cyber Security Training Program
- David Dewdney on ESC’s TÜV Rheinland Cyber Security Training Program
- David Balfour on Functional Safety (FS) for Technicians – Proposed CompEx modules
Archives
- May 2022
- May 2021
- April 2021
- March 2021
- February 2021
- January 2021
- December 2020
- November 2020
- October 2020
- September 2020
- August 2020
- July 2020
- June 2020
- May 2020
- April 2020
- March 2020
- January 2020
- July 2019
- May 2019
- April 2019
- March 2019
- February 2019
- January 2019
- November 2018
- August 2018
- April 2018
- March 2018
- February 2018
- November 2017
- May 2017
- March 2017
- February 2017
- January 2017
- December 2016
- November 2016
- October 2016
- September 2016
- August 2016
- July 2016
- June 2016
- May 2016
- April 2016
- March 2016
- February 2016
- August 2015
- June 2015
- May 2015
- February 2015
- November 2014
- September 2014
- July 2014
- April 2014
Categories
IEC 61511 Security Requirement – Cyber Security And What It Means for you
Example network security architecture (from ISA-62433 Part 1-1)
Traditionally, the process industry and the regulatory bodies have been primarily concerned with the safety risk associated with Industrial Automation and Control Systems (IACS). As a result, there are well established process and functional safety management regimes, and supporting hazard identification and risk analysis methods such as Hazard and Operability (HAZOP) Studies, Layers of Protection Analysis (LOPA), and Quantitative Risk Assessment (QRA). IEC 61511 (Functional Safety – Safety instrumented systems for the process industry sector) has been widely adopted as the functional safety standard for the process industry.
Cyber Security Risk of IACS
There has been an increasing concern on the cyber security risk of IACS. This is because:
Modern IACS is more susceptible to a cyber attack
There is a steady increase in network connectivity of IACS with the adoption of Commercial Off The Shelf (COTS) hardware and software, and standard network protocols (e.g. IP). This has made modern IACS more susceptible to cyber attacks which have plagued IT systems since the dawn of the Internet.
IACS security breaches may have high consequences
Cyber attacks could lead to malfunction or unavailability of IACS or render Safety Instrumented Systems (SIS) inoperable. IACS security risk has the potential to result in accidents with major health, safety or environmental consequences.
Recent Security Breaches
Simply put, if an IACS is not secure, it is not safe. This has been witnessed by a sample of security breaches taken place in recent years:
- Ukraine. Attackers gained remote access and manipulated the industrial control systems of a regional electricity distribution company and shut down power for some 225,000 Ukrainian power customers for several hours [1]
- Germany. An attack on a steel works in Germany causing significant damage, by disrupting the control systems such that a blast furnace could not be properly shut down [2]
- ‘Stuxnet worm’. Damaged centrifuges at an Iran nuclear facility (through use of USB) [3]
Standards and Compliance
Standards and regulatory bodies have responded to the increased cyber security risk to IACS, for example:
- In the recently (year 2016) published edition 2 of IEC 61511, there is a NEW explicit requirement to conduct a security risk assessment (IEC 61511, Part 1, Clause 8.2.4).
- UK Health and Safety Executive (HSE) has drafted an Operational Guidance for HSE Hazardous Installations Directorate (HID) Electronical, Control and Instrumentation (EC&I) Specialist Inspectors on the subject of Cyber Security for IACS and SIS.
Is your plant compliant with the security requirements from IEC 61511 edition 2, or ready for HSE inspection under the new guidance on cyber security? What does this mean for you?
To answer this question, you need to ask yourself the following questions:
- Is there a security management system in place? The cyber security management system should cover the following topics as a minimum:
- Corporate cyber security policy
- Competency
- Requirements on cyber security risk assessment
- Cyber security audit
- Cyber security performance monitoring
- Change management
- Has a security risk assessment been conducted for the IACS and SIS?
- Is the IACS and SIS connected to a Local Area Network (LAN), a Wide Area Network (WAN), the Internet?
- Is the IACS and SIS vulnerable to a cyber attack?
- What are the assets, threats, vulnerabilities, existing counter measures, and the resulting cyber security risks?
- What are the cyber security requirements to reduce risk?
ESC and Industrial Control Systems Cyber Security
ESC offers the following services on cyber security in support our functional safety services (in accordance with IEC 61508 and IEC 61511):
- Cyber security management system
- Cyber security risk assessment
See ESC’s Industrial Control Systems Cyber Security page for more details.
[1] http://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf
[2] https://ics.sans.org/media/ICS-CPPE-case-Study-2-German-Steelworks_Facility.pdf
[3] http://www.langner.com/en/wp-content/uploads/2013/11/To-kill-a-centrifuge.pdf
Certificate No.