At the ARC Industry Forum which was held in Orlando, Florida, from February 12 – 15, HIMA presented its comprehensive functional safety concept which offers security by expanding the scope from the safety instrumented system to its security-relevant environment.
In recent years, large-scale professional cyberattacks and chip hardware vulnerabilities affecting industrial plants around the globe have clearly shown the need for the process industry to take cybersecurity seriously. At the ARC Industry Forum, HIMA safety experts explained why plant operators should implement a holistic functional safety approach that ensures plant security in times of increasing cybercrime.
In late 2017 a safety controller deployed in a Middle East process facility was successfully hacked. The safety instrumented system (SIS) was compromised and initiated a plant shutdown. While no damage or injuries occurred, the incident should serve as a wake-up call to heighten awareness of cybersecurity in the industry as it was the first publicly-known successful attack on a safety instrumented system – which is the last line of defense in any process plant. Furthermore, critical hardware vulnerabilities affecting most modern processors have recently been identified. Attack modes such as Meltdown and Spectre exploited these in order to steal data from computers all around the world.
“In both of the above-mentioned cases, HIMA safety controllers were not affected. But we take these incidents very seriously and work hard to always be one step ahead,” Dr. Alexander Horch, Vice President Research, Development & Product Management at HIMA comments: “It is important to note that there is no such thing as 100% guaranteed safety or security.”
The purpose of modern functional safety solutions is to reduce safety and security risks to a minimum. Therefore, a holistic approach is needed which not only includes the core SIS (final control elements, logic solver incl. I/O module and sensors), but also its environment like the engineering station, asset management tools (AMS) and handhelds as well as field entry panels and HMIs. By complementing the SIS with the “HIMA Security Environment for Functional Safety,” this approach takes all important security-relevant aspects of industrial control systems (ICS) into account. These include the five following areas: Controller hardware and firmware, engineering toolkit, PC infrastructure, communication infrastructure and lifecycle management.
In terms of firmware, a dedicated operating system specifically developed for safety-critical applications runs on HIMA safety controllers. It is impossible to access the program code during operation as application programs run within a container and no other parts of the CPU firmware can be accessed. On the hardware side, unused Ethernet ports can be disabled and/or locked physically. Thanks to the total separation of SIS and basic process control functions and systems (BPCS) according to the requirements of the standards for functional safety (IEC 61511) and automation security (IEC 62443), no common cause failures can occur.
When it comes to the engineering, HIMA works with its own, single-purpose engineering tool SILworX, again 100% HIMA software. This solution offers various security features such as two-factor authentication for project and controller data, a well-defined user management including security admin role as well as functional blocks with password protection (locking/read-only), just to name a few. By monitoring the application program via system variables, SILworX is even able to detect changes and to issue an alarm in case unauthorized changes are made.
Also, the communication infrastructure has to be secured. The HIMA security environment relies on the proprietary protocol for controller communication SafeEthernet, and the communication stack is Achilles certified by Wurldtech. Separated protection layers between CPU and COM modules lead to an absence of feedback. Networks are clearly separated via firewalls and demilitarized zones, and the controller is tap-proofed to prevent ARP spoofing.
For an effective cyber-defense, the PC infrastructure should be set up with a secure BIOS management, reduced access rights and with only the required Windows services activated. Office laptops should not be used as engineering stations. The engineering station should be kept completely separate. The PCs should feature an intelligent password management system and work with a minimal set of application programs only.
Lastly, the lifecycle management has to take security into account, too. HIMA safety systems have received various security certifications such as Achilles, ISASecure, EDSA and TUV. The ISO 27001 certification for HIMA’s information security management systems (ISMS) is ongoing. HIMA also carries out penetration tests together with customers, service providers and universities. Development takes place in a dedicated network, and access to source codes is strictly restricted and supervised.