ISA Interchange

Incorporate Safety and Cybersecurity Standards Into Automation Design

This post was authored by Marty Edwards, managing director of the Automation Federation.

I have said it before and I will say it again. There are simple steps that must be taken now to make your automation systems more resilient to the inevitable cyberattack. Attackers have now breached the next bastion of the safety envelope of a plant environment and influenced the operation of a safety system.

It is important to state upfront that in this case the system detected the fault and went to a failsafe state just as it is supposed to do. But it will not be very long until attackers successfully modify the logic in these systems to accomplish their nefarious objectives. When it comes to safety instrumented systems (SIS), the most important part of the cybersecurity puzzle is understanding and securing access to the system, both from a physical and a cyber perspective.

Ask yourself: who could potentially gain access to the system, for good or for evil?

The recent attack was intended to manipulate the safety system of an unidentified plant, and the attackers leveraged two significant access control weaknesses in that system. These are implementation or design weaknesses, not vulnerabilities in hardware or software components, so don’t expect the vendor to fix them: that is your job, and your job alone!

  1. The physical key switch on the SIS controller was left in PROGRAM mode. I can’t say much more than this: if you leave the keys in the car, someone will steal it. Return controllers to RUN mode as soon as a configuration or logic change is complete, and regularly verify the switch position during walkdowns.
  2. The attacker gained remote access to the SIS engineering workstation to deploy the attack tool. This means the workstation was not only connected to the SIS controller network, but was also able to communicate with the outside world via another network. The SIS environment should be appropriately isolated and should operate independently from the basic process control system (BPCS).

By leveraging the safety design principles articulated in international safety standards such as IEC 61508, IEC 61511 and ISA84, automation engineers can make informed decisions about the appropriate methods to isolate the safety functions from the BPCS functions. They must also ensure that this separation exists in all phases of plant design, operation and maintenance.

A common engineering system, or a SIS engineering workstation that is interconnected with the plant network, may violate these fundamental principles. The cybersecurity standards created by ISA99, now recognized globally as IEC 62443, lay out the process for safely segmenting and isolating key control system components through methods such as “zones and conduits.” Apply defense-in-depth principles from ICS-CERT and use unidirectional gateway devices where required.
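As an added illustration (not part of the original post), the following Python sketch turns the two access control lessons above into a zone-and-conduit audit over a constructed inventory: each asset's network interfaces are assigned to a zone, a host whose interfaces span two zones counts as an unauthorized conduit unless that zone pair is approved as a bidirectional conduit, and SIS controllers whose key switch is not in RUN are flagged. The zone names, conduit table and asset records are constructed sample data, not a real plant or the standard's own terms.

```python
"""Zone-and-conduit audit for a SIS inventory (constructed sample data)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Asset:
    name: str
    kind: str                          # "controller" or "workstation"
    zones: List[str]                   # one zone per network interface
    key_switch: Optional[str] = None   # controllers only: "RUN" or "PROGRAM"


# Approved conduits between zones (constructed). A unidirectional conduit only
# carries traffic from the first zone to the second, e.g. SIS data leaving
# through a data diode; it never justifies a host with a NIC in both zones.
CONDUITS = {
    ("SIS", "BPCS"): "unidirectional",
    ("BPCS", "DMZ"): "bidirectional",
}


def conduit_allowed(zone_a: str, zone_b: str) -> bool:
    """A dual-homed host is acceptable only over an approved bidirectional conduit."""
    return (CONDUITS.get((zone_a, zone_b)) == "bidirectional"
            or CONDUITS.get((zone_b, zone_a)) == "bidirectional")


def audit(assets: List[Asset]) -> List[str]:
    findings = []
    for asset in assets:
        # Lesson 1: a SIS controller left in PROGRAM accepts logic changes.
        if asset.kind == "controller" and "SIS" in asset.zones and asset.key_switch != "RUN":
            findings.append(f"{asset.name}: key switch in {asset.key_switch}, expected RUN")
        # Lesson 2: interfaces in two zones make the host itself a conduit.
        distinct = sorted(set(asset.zones))
        for i, zone_a in enumerate(distinct):
            for zone_b in distinct[i + 1:]:
                if not conduit_allowed(zone_a, zone_b):
                    findings.append(f"{asset.name}: bridges {zone_a} and {zone_b} without an approved conduit")
    return findings


SAMPLE = [  # constructed inventory
    Asset("SIS-CTRL-01", "controller", ["SIS"], key_switch="PROGRAM"),
    Asset("SIS-CTRL-02", "controller", ["SIS"], key_switch="RUN"),
    Asset("SIS-EWS", "workstation", ["SIS", "BPCS"]),    # dual-homed engineering workstation
    Asset("BPCS-HIST", "workstation", ["BPCS", "DMZ"]),  # sits on an approved conduit
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Running the sample flags the controller left in PROGRAM and the dual-homed SIS workstation, while the historian on the approved BPCS/DMZ conduit passes.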

Some vendors will maintain that they have proven their integration of the BPCS and SIS, especially at the engineering workstation, conforms to and is consistent with these safety and cybersecurity standards. I urge you to ask hard questions, such as: what if an attacker gains complete control of the engineering environment? How does the system ensure that unauthorized changes to SIS logic cannot be made? Technical reports on these attacks are available from FireEye® Mandiant® (as TRITON) and from Dragos® (as TRISIS).

About the Author
Marty Edwards is managing director of the Automation Federation. Marty previously served as director of the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), an operational division of the National Cybersecurity and Communications Integration Center (NCCIC) in the Department of Homeland Security (DHS). He holds a diploma of technology in process control and industrial automation (magna cum laude) from the British Columbia Institute of Technology (BCIT), and in 2015 received its Distinguished Alumni Award. In 2016, Marty was recognized by FCW in its “Federal 100 awards” as being one of the top IT professionals in the federal government.