Book Excerpt + Author Q&A: Mission Critical Operations

This ISA author Q&A was edited by Joel Don, ISA’s community manager. ISA’s new book, Mission Critical Operations Primer, focuses on the components of mission critical operations, including technology, standards, risk management, emergency response, cybersecurity, and operational activities and processes. It is a valuable resource to those new to the field and those who are currently in the workforce. In this Q&A feature, author Steve Mustard highlights the value and importance of his first ISA book.

 

Q. How would you briefly describe “mission-critical operations”?

A. Mission-critical is a subjective term. Any organization can claim to have mission-critical systems or operations but we are really looking at those organizations in the 16 critical infrastructure sectors for whom failure can result in serious consequences, such as loss of life, harm to the environment or significant financial loss through production impact or damage to plant. The book attempts to give an introduction to the key aspects across the mission-critical operations space.

 

 

Q. What would you say is the core objective of the book? What key messages/points of emphasis are you trying to communicate? What challenge or set of challenges is the book trying to address or solve?

A. The aim is to give an overview of the key aspects of mission-critical operations, such as standards and regulations, safety and risk management factors, operational processes, and the technology involved.

A wide variety of factors can affect mission-critical operations, including:

  • Hardware or software failures
  • Network communications problems
  • Accidental damage or disruption
  • Natural disasters
  • Deliberate damage, such as cyberattacks

Q. Who would you say would be the core audience for the book?

A. This book is aimed at those people who are looking to start a career in mission-critical organizations, such as an operator or technician. The objective is to provide an introduction into all the key areas of mission-critical work, and provide some guidance for further reading for those who want to delve into more detail in certain areas.

 


Q. What would you say to someone who may be considering reading the book? What would they gain by reading it?

A. The field of mission-critical operations is incredibly broad, and it can be hard to grasp all the terminology and issues that exist. While there are several books that go into depth in certain aspects, there are very few, if any, that cover the breadth of mission-critical operations as this book does. The book is an excellent introduction for those wishing to start a career and it is also an excellent guide for those already in the workforce.

Q. Cybersecurity is getting a lot of attention lately, but it’s important to focus on other mission-critical operations as well, correct?

A. Yes. Cybersecurity is a major driver in today’s mission-critical organizations so naturally it forms a big part of the book. However, there are other fundamentals of mission-critical operations that cannot be ignored, such as safety management and operational procedures. The book aims to provide a solid grounding in all the key aspects of mission-critical operations.

Q. Do you have any other points to make about the book…its importance and relevance today?

A. A whole culture of mission-critical operations specialists is emerging. These specialists understand the threats and risks as well as the consequences of failure. These specialists focus on areas such as robust IT network design, control system security, control room operations and alarm handling. In addition, they need to have a broad understanding of all key aspects of mission critical systems. No other career requires so many different aspects to be brought together in one role. The aim of this book is to provide a good introduction to all these aspects.

Meet the Author
Steve Mustard, author of the new ISA book, Mission Critical Operations Primer, is an independent automation consultant and subject-matter expert of ISA and its umbrella association, the Automation Federation. He also is an ISA Executive Board member. Backed by nearly 30 years of software development experience, Mustard specializes in the development and management of real-time embedded equipment and automation systems, and the integration of real-time processing, decision-support and other disparate systems to improve business processes. He serves as president of National Automation, Inc. Mustard is a recognized authority on industrial cybersecurity, having developed and delivered cybersecurity management systems, procedures, training and guidance to multiple critical infrastructure organizations. He serves as the chair of the Automation Federation’s Cybersecurity Committee. Mustard is a licensed Professional Engineer, UK registered Chartered Engineer, a European registered Eur Ing, an ISA Certified Automation Professional (CAP) and a certified Global Industrial Cybersecurity Professional (GICSP). He also is a Fellow in the Institution of Engineering and Technology (IET), and a senior member of ISA.


Webinar Recording: Road to Digitalization Leads Through Cybersecurity

This ISA webinar on industrial cybersecurity was presented by Steve Mustard, cybersecurity expert and Automation Federation Cybersecurity Committee chair, Leo Simonovich, global head of industrial cyber and digital security at Siemens Energy Inc., and Eddie Habibi, founder and CEO of PAS.

 

The promise is real. The age of digitalization, Industrie 4.0, and Industrial IoT-enabled smart factory will usher greater operational intelligence, more efficient production, and safer work environments. Realizing that promise means coming to terms with OT cybersecurity because the enablers of digitalization – smart sensors, ubiquitous connectivity, and remote access – are also enablers for cyberattacks.

A recent Ponemon Institute study revealed that only a third of the oil and gas organizations surveyed rated their OT cyber readiness as high. With aging assets, poor security practices, and nearly a decade of adversaries learning how industrial control systems work, industry leaders are concerned about the OT security challenges ahead. Now is the time for operations and security leadership to plan and act more strategically so we can secure our digitalization future.

This ISA co-hosted webinar focuses on how industry must meet the challenge of securing operational environments. Cybersecurity veterans Leo Simonovich, Siemens’ vice president and global head of industrial cyber and digital security; Eddie Habibi, PAS founder and CEO; and Steve Mustard, chair of ISA’s Automation Federation Cybersecurity Committee offer insights on what holds industry back from a secure, digital future and what strategies leading edge companies are employing to mitigate enterprise risk.

 

About the Presenters

Steve Mustard is an independent automation consultant and the Automation Federation’s Cybersecurity Committee chair. Originally from the UK and now based in Houston, Tex., Steve is a recognized authority on industrial cybersecurity, having developed and delivered cybersecurity management systems, procedures, training and guidance to multiple critical infrastructure organizations.
 
Leo Simonovich is vice president and global head, Industrial Cyber and Digital Security of Siemens Energy Inc. He is responsible for setting the company’s strategic direction worldwide in helping Siemens’ energy customers protect their infrastructure from cyber attacks. Leo identifies emerging market trends, works with customers and Siemens businesses to provide best-in-class cyber offers, and contributes to the company’s thought leadership on this topic. Previously, Leo led the cyber risk analytics practice area at the management consulting firm, Booz Allen Hamilton. Leo holds both a master’s degree in global finance and an MBA from the University of Denver.

Eddie Habibi is founder and CEO of PAS. Eddie is a pioneer and a thought leader in the fields of industrial control systems (ICS) cybersecurity, Industrial IoT, data analytics, and operations management. In 2017, PAS was recognized in CRN’s 15 coolest industrial IoT companies, and Eddie was listed by CRN as one of the 30 Internet Of Things Executives Whose Names You Should Know. He is the co-author of two popular best practices books on operational risk and safety management: Alarm Management: A Comprehensive Guide and The High Performance HMI Handbook. Eddie holds an engineering degree from the University of Houston and an MBA from the University of St. Thomas.


ISA’s Future Is Quickly Approaching, and Industrial Cybersecurity Will Play a Critical Role

This post is authored by Brian Curtis, president of ISA 2018.

 

We are just getting into 2018 and some of us are already planning our summer vacation. Time passes quickly and the years go by so fast; it reminds me to reflect on the past and plan for the future.

Like so many ISA leaders, I have benefited from ISA membership. I have been able to participate in and give time and effort to ISA locally and internationally. The Society has reciprocated by providing me amazing opportunities to learn and lead. As an added benefit, I’ve enjoyed access to outstanding technical resources, and have been blessed to work with and benefit from so many talented professionals, many of whom have become old friends.

Our understanding of the global automation community is changing. As we begin to look for new opportunities for growth, our view must expand to include all the various industry segments and markets that depend on automation every day. With this new perspective comes the recognition that ISA’s ability to provide products and services for automation (professionals and industries) extends far beyond the process industries, where we have thrived for 73 years. We also enter 2018 with new and emerging technologies that allow us to engage in exciting ways with automation professionals and industries on the global playing field.

Emerging technologies = new opportunities

Emerging technologies have created new opportunities for automation, and have changed the roles, responsibilities, and needs of automation professionals. All of these developments impact ISA, its spectrum of products and services, and its global audience. ISA’s success, now and in the future, depends on its ability to seize these opportunities while remaining relevant to automation professionals and to the industries and entities they serve. How do we remain relevant? We must continue to deliver value to individual members and to the global automation community – and we must do this with excellence.

In this month’s column, I turn my attention to a key area of continued focus for the Society—industrial cybersecurity. While there is growing awareness among industry leaders of the risks of cyberattack, we need to work harder to foster recognition in the marketplace that ISA offers real solutions to mitigate these risks. We have the standards, training, and technical resources for manufacturers and other industry organizations to improve operational reliability, profitability, safety, and security.

One of the high-level initiatives ISA leaders have identified for 2018 and beyond is for the Society to be the global authority for industrial control system cybersecurity standards and resources. When we talk about cyber threats, the natural tendency for all of us (including international governments) has been to think of identity theft and other cyberattacks affecting traditional information technology (IT) systems. People tend to forget about cyber threats to operational technology (OT) systems affecting a nation’s critical infrastructure in countries all around the world. Systems that control the operations of our manufacturing plants, chemical plants, water/utilities, power, etc., all face cyber threats with potentially devastating consequences, but the dialogue centers on data protection, privacy, and IT-focused cybersecurity.

Over the past several years, ISA has worked diligently to raise awareness of the control system challenges related to operations technology cybersecurity. Thanks to the Automation Federation and the tireless efforts and commitment of numerous members of ISA staff, volunteer leaders, and subject matter experts, the Society has taken a recognized leadership role in OT industrial control systems cybersecurity—not just in the US, but around the world.

We are off to a great start in this area, but what comes next? Is ISA positioned to fully take advantage of the cybersecurity opportunity? Are we “operationalized” enough to update and expand the current standard or to develop new standards as cybersecurity threats evolve? An important component of the ISA cybersecurity initiative is building a trained workforce in automation and control. What new programs should we develop to stay ahead of the needs in global industries?

ISA has developed an industrial cybersecurity certificate program, the ISA99/IEC 62443 Cybersecurity Fundamentals Specialist Certificate, “to help professionals involved in information technology and control systems security improve their understanding of ISA99/IEC 62443 principles and acquire a command of industrial cybersecurity terminology.” The certificate program has four different certificates that lead to recognition as an IEC 62443 Cybersecurity Expert.

Community college programs

ISA is already engaged with Cleveland Community College to develop industrial operations and cybersecurity training programs in support of workforce readiness initiatives. Can this be replicated at other technical institutions in the US and around the globe? The demand from the marketplace for ISA cybersecurity training is increasing each year, and we will continue to evaluate our ability to change the current training programs as cybersecurity threats and opportunities evolve. It’s also important to note that conversations about cybersecurity can serve as the door opener to educate people about other important ISA offerings and capabilities.

On a personal level, we all have a part to play in our daily activities to prevent cyberattacks. We need to be vigilant in how we access social media; consider viewing these items on your cell phone rather than your PC or laptop, as a laptop that is compromised will expose the files on your hard drive and can potentially give an attacker a way into your company’s network, causing wider damage. Do not allow USB sticks to be used on your machine. When you receive emails, check the sender’s name and the content of the subject line. If in doubt, don’t open it; send a separate email to the person to confirm that they sent the suspicious message. Clear the cookies on your devices regularly, and back up your hard drive frequently. If all of us apply simple precautions, we will each contribute to security in a small way.

I am excited about all the possibilities the future holds for ISA, especially in industrial cybersecurity. We look forward to your contributions and support of these important initiatives. Please contact me at president@isa.org with your thoughts and insights. I look forward to hearing from you and working with you as we move forward in 2018.

About the Author
Brian Curtis, I. Eng., LCGI, is the Operations Manager for Veolia Energy Ireland, providing services to Novartis Ringaskiddy Ltd. in Cork, Ireland. He has more than 35 years of experience in petrochemical, biotech, and bulk pharmaceutical industries, specializing in design, construction management, and commissioning of electrical, instrumentation, and automation control systems. He has managed complex engineering projects in Ireland, England, Belgium, the Netherlands, Italy, and Germany. A long-time ISA member, Curtis has served on the ISA Executive Board since 2013, the Geographic Assembly Board (2012 – 2015), and the Finance Committee (2013 – 2017.) He was Ireland Section President and Vice President of District 12, which includes Europe, the Middle East, and Africa. Curtis has also been active on several Society task forces, including Cybersecurity, Governance, and Globalization-related committees. He received the ISA Distinguished Society Service Award in 2010. He is the Former President of Cobh & Harbor Chamber of Commerce (2013-2015) and Former Chairman of the Ireland Southern Region Chambers (2015-2016) and is an active member of the Ireland National Standards Body, ETCI.


A version of this article also has been published at ISA Insights.

Connectivity, Productivity and Efficiency Benefits of IIoT Depend on Integrated Cybersecurity

This article was written by Bill Lydon, chief editor at InTech magazine

 

I had a discussion with Gary Freburger, president of Schneider Electric’s process automation business, about the Industrial Internet of Things (IIoT). He framed the discussion by introducing a new concept, “intelligize.” Simply put, intelligize means establishing a method to sort, prioritize, and refine your data, to connect bits of data so they become meaningful information, and then to share that information with operators and other assets, ensuring that the most effective, valuable business and operating decisions and actions are taken.

“While all industry is chomping at the bit to realize the promise and rewards of IIoT,” Freburger noted, “all that connectivity and proposed productivity and efficiency won’t matter if the culture, systems, or plants are not inherently safe and secure. Before deploying IIoT, it is important to understand not only the implications for your business, but also the implications for overall safety and security.” In short, “a cornerstone of an effective industrial automation system is integrated cybersecurity.”

It is critically important to think through the opportunities IIoT presents before connecting a large volume of sensors, solutions, and automation and control systems. The prospect of connecting billions of devices to industrial automation systems raises two important questions.

First, how do we keep systems and information secure? Adding more devices creates a broader attack surface, which increases cybersecurity risks. In Freburger’s view, there must be a balance between adding intelligence, securing the devices, and protecting the data. Collecting data just for the sake of having more data might not create any additional value at all. More data has the potential to cause more operator confusion and increase the cyberattack risk.

Second, what do we do with the data and information? “You need a process to figure out what it means and what it is telling you,” he said. “There are a lot of options for using data, including trending, exception reporting, alarming, and other functions. But there needs to be a reason to collect all this data. It’s what we call an operational intelligence approach, which relies on optimizing automation and control, remote management, and predictive maintenance to enable managed services, advanced analytics, and the generation of actionable information that drive better, more informed decision making.”

Improving operational efficiency and reliability can be better accomplished by providing the intelligent data for operators to make the better decisions that optimize production. Freburger used an interesting analogy to make his point. “If you connect your washing machine to the Internet, what do you really want to know? Do you want to know when the water turns on, the soap dispenses, the drying cycle time, the rinse cycle time, the spin cycle duration and RPMs? That’s a lot of data. But is it valuable and worth extending your risk of a cyberincursion? And what would you do with the data anyway? In all practicality, all you probably want to know is when the washer turned on, when it’s complete, and if there is a potential problem. Just because I can connect my washing machine to the Internet doesn’t mean I should, unless it makes sense and unless I can do something valuable with the information.”

“What’s interesting to me from our perspective, with a lot of feedback from users, is that control systems have become complicated,” he told me. “We’ve come to the realization that we need to simplify the data and make it easier for users. This includes standardization in a number of areas to make things simpler—for example, standards that define the meaning of operator display colors for consistency. But ‘simpler’ and connecting another 5,000 devices don’t quite go together. The important thing is deciding how to intelligize the data, deciding what you really want to accomplish, how to use the data to do that, how to bring it into the systems, and how to keep it and your systems secure.”

“The Industrial Internet of Things is a wonderful advancement, and a real opportunity to increase ROI [return on investment] and asset value. When it comes to process automation, we should be using IIoT capabilities to push control further toward the device layer, which means making instrumentation much smarter. This should allow you to simplify the control architecture to match the topology, so that we are reducing time, cost, and effort to configure systems.”

Distinguishing the data you really need from the available data is important in system design. For Freburger, this simply means applying lean design concepts to improve operations, efficiency, and productivity. “The IIoT strengthens our capabilities so we are better able to help customers extend the life of their assets, enhance decision-making, and create a smart enterprise control system that drives improved financial performance for the business. But it has to be inherently cybersecure first.”

 

About the Author
Bill Lydon is chief editor of InTech magazine. Lydon has been active in manufacturing automation for more than 25 years. He started his career as a designer of computer-based machine tool controls; in other positions, he applied programmable logic controllers and process control technology. In addition to experience at various large companies, he co-founded and was president of a venture-capital-funded industrial automation software company. Lydon believes the success factors in manufacturing are changing, making it imperative to apply automation as a strategic tool to compete.

A version of this article originally was published at InTech magazine

Managing the Cybersecurity Threat to Hazardous Process Plants

This guest blog post was written by Edward M. Marszal, president and CEO of Kenexis, and co-author of the ISA book Safety Integrity Level Selection.

 

Managing the risk of hazardous process plants is a difficult and resource-intensive activity. In order to reduce costs and improve productivity as technology evolves, process plants employ new equipment and techniques that introduce new hazards. Over the past few decades, the process industries have almost entirely shifted from control systems that were either analog electronic or pneumatic to distributed control systems (DCS) and programmable logic controllers. These computer-based systems made quantum leaps in functionality over their analog counterparts with respect to calculation complexity, data storage, and communication, but introduced a new threat—deliberate and malicious cyberattacks.

At this point, most process industry plants have not implemented much cybersecurity on their industrial control systems (ICS), leaving perimeter guarding to the discretion of their information technology departments. Even so, cyberattacks rarely cause physical damage to process plants. Process engineers have safeguarded their plants against failures that can cause significant safety consequences, and this is true whether or not the failure occurs organically through random hardware failures or deliberately through a cyberattack. The safeguards employed by these process engineers are common, inexpensive, and very often inherently safe against cyberattack, because most of these devices were invented dozens or hundreds of years before the advent of the computer.

 

 

Even though cyber threats are not adequately addressed with existing process hazard analysis (PHA) methods, there is no reason to abandon everything that we know about process risk assessment and start from scratch. Instead, industry is extending tried-and-true methodologies for PHA to address the problem of deliberate cyberattacks. By doing so, none of the existing PHA effort is wasted or needlessly duplicated. Instead, a small amount of additional effort is utilized by starting with traditional PHA and focusing only on scenarios where cyberattacks are the cause or scenarios where cyberattacks can prevent all the safeguards from operating properly. It is these key scenarios that will generate recommendations to implement safeguards that are inherently safe against cyberattack, or to define the appropriate level of safeguarding from cyberattack, as defined by a security level (SL).

Security level

Security levels are categories that define a set of policies, procedures, and practices that must be implemented to secure an industrial control system zone. Unlike the quantitative safety integrity level (SIL) defined in the IEC 61511/ISA-84 standard for safety instrumented functions, which is a band of average probability of failure on demand, an SL is a set of qualitative requirements that explain how a system should be designed and operated. IEC/ISA-62443 defines four security levels, one through four, with SL 1 being the least secure and SL 4 being the most secure. Stated here in terms of protecting information from disclosure (the same attacker-capability tiers apply to each of the standard’s foundational requirements), the levels are defined in the abstract as:

  • SL 1: Prevents the unauthorized disclosure of information via eavesdropping or casual exposure
  • SL 2: Prevents the unauthorized disclosure of information to an entity actively searching for it using simple means with low resources, generic skills, and low motivation
  • SL 3: Prevents the unauthorized disclosure of information to an entity actively searching for it using sophisticated means with moderate resources, skills specific to industrial automation and control systems (IACSs), and moderate motivation
  • SL 4: Prevents the unauthorized disclosure of information to an entity actively searching for it using sophisticated means with extended resources, IACS-specific skills, and high motivation

The above definitions of SL are quite philosophical, providing few concrete design specifications. Much more information is required to fully understand the differences in design practices between the various SLs. So much so, in fact, that an entire document in the IEC 62443 standard set is dedicated to explaining the differences between the various security levels: IEC 62443-3-3. Selecting an SL for each ICS zone provides a set of requirements to implement in subsequent cybersecurity life-cycle steps.

The SPR study

The security PHA review (SPR, pronounced “spur”) study is an evolution of PHA. It assigns performance targets to ICS cybersecurity and makes recommendations to implement safeguards that are inherently safe against cyberattack in lieu of setting high SL targets. The SPR approach was specifically developed to fit more naturally with the normal project life cycle of the design, implementation, and operation of process industry plants while also leveraging existing engineering tasks and reports generated for general process safety. In this way, the limitations of existing cyberrisk analysis approaches can be eliminated while maximizing the use of information and documentation generated in other stages of the engineering life cycle.

The SPR study (figure 1) is specifically designed to generate the required SL using the existing process hazard analysis as the foundation and starting point. The SPR process allows companies to select the SL of an ICS zone in a manner that is analogous to the way that layer of protection analysis allows them to select SIL targets for safety instrumented functions (SIF).

 

Figure 1. Simplified security PHA review process

The process begins with the collection of the results of a process hazard analysis. This can be done either from the report of an existing PHA or as an additional step while a PHA study is in progress. Each scenario of the PHA is then reviewed to determine if it is “hackable,” which means that the scenario could be forced to occur by a malevolent actor who has taken control of the ICS. First, the cause or initiating event is reviewed to determine if it can be hacked. Generally, this would be true for any computer control loop failure or equipment item starting or stopping. It would not be true for human interactions with mechanical process equipment that is not connected to a computer. If the cause cannot be hacked, the analyst moves to the next scenario.

Next, the safeguards are reviewed to determine if they can be hacked. In general, all control loops, safety instrumented system functions, and operator responses to alarms are hackable, but mechanical devices such as relief valves are not. If any one of the safeguards cannot be hacked, the analyst moves on to the next scenario.

If the cause of a scenario and all of the safeguards can be hacked, then the overall scenario is determined to be hackable. This means that if a malevolent actor could take control of the ICS, that person would be able to generate the scenario under consideration and realize its consequence. For each hackable scenario, the consequence category from the PHA needs to be determined. Based on the risk tolerance criteria of the process owner, an IEC/ISA SL would then be assigned to that scenario. Of course, if the consequence is severe and causes an SL that is not desirable, the analysis team has the option of recommending a safeguard that is inherently safe against cyberattack. This would remove the scenario from consideration as a driver of the selected SL. After all the scenarios have been reviewed in this way, the SL that is assigned to a zone is the highest of all of the SLs that were assigned to the scenarios that are associated with the ICS equipment of that zone.
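The hackability screen and zone-SL roll-up described above, as an added example in Python that is not code from the article or from Kenexis. The scenario data, tag names, cause and safeguard kind labels, and the consequence-to-SL table are constructed assumptions standing in for a real owner’s risk-tolerance criteria; the point it adds to the text is that unclassified causes or safeguards should fail closed (raise) rather than be silently treated as immune to attack.

```python
"""Security PHA review (SPR) screen over PHA scenarios (added illustration).

All scenario data, kind labels, tag names and the consequence-to-SL table
are constructed assumptions, not the article's or any real plant's data.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional

# Cause kinds a malicious actor in control of the ICS could force (assumed labels).
HACKABLE_CAUSE_KINDS = {"control_loop_failure", "equipment_start_stop"}
# Human action on mechanical equipment not connected to a computer.
UNHACKABLE_CAUSE_KINDS = {"manual_mechanical_action"}

# Safeguards the article classes as hackable: control loops, SIS functions,
# and operator response to alarms.
HACKABLE_SAFEGUARD_KINDS = {"control_loop", "sif", "operator_alarm_response"}
# Safeguards the article lists as inherently safe against cyberattack.
UNHACKABLE_SAFEGUARD_KINDS = {
    "pressure_relief_device", "mechanical_overspeed_trip", "check_valve",
    "motor_monitoring_device", "loop_current_monitor_relay",
}

# Assumed owner risk-tolerance criteria: PHA consequence category -> target SL.
CONSEQUENCE_TO_SL: Dict[str, int] = {"minor": 1, "serious": 2, "severe": 3, "catastrophic": 4}


@dataclass(frozen=True)
class Safeguard:
    tag: str
    kind: str


@dataclass(frozen=True)
class Scenario:
    scenario_id: str
    zone: str            # ICS zone whose equipment the scenario depends on
    cause_kind: str
    consequence: str     # PHA consequence category
    safeguards: tuple    # tuple of Safeguard


@dataclass(frozen=True)
class SprResult:
    scenario_id: str
    hackable: bool
    target_sl: int             # 0 when an attacker cannot force the scenario
    blocked_by: Optional[str]  # the cause or safeguard that makes it unhackable


def _is_hackable(kind: str, hackable: set, unhackable: set) -> bool:
    if kind in hackable:
        return True
    if kind in unhackable:
        return False
    # Fail closed: an unclassified element must be judged by the team,
    # never silently assumed to be immune to attack.
    raise ValueError(f"unclassified kind {kind!r}")


def review_scenario(s: Scenario) -> SprResult:
    """SPR screen: hackable only if the cause AND every safeguard are hackable."""
    if not _is_hackable(s.cause_kind, HACKABLE_CAUSE_KINDS, UNHACKABLE_CAUSE_KINDS):
        return SprResult(s.scenario_id, False, 0, f"cause:{s.cause_kind}")
    for sg in s.safeguards:
        if not _is_hackable(sg.kind, HACKABLE_SAFEGUARD_KINDS, UNHACKABLE_SAFEGUARD_KINDS):
            return SprResult(s.scenario_id, False, 0, sg.tag)
    if s.consequence not in CONSEQUENCE_TO_SL:
        raise ValueError(f"unknown consequence category {s.consequence!r}")
    return SprResult(s.scenario_id, True, CONSEQUENCE_TO_SL[s.consequence], None)


def zone_targets(scenarios: List[Scenario]) -> Dict[str, int]:
    """Zone SL = highest SL among the hackable scenarios tied to that zone."""
    targets: Dict[str, int] = {}
    for s in scenarios:
        targets[s.zone] = max(targets.get(s.zone, 0), review_scenario(s).target_sl)
    return targets


def over_target(scenarios: List[Scenario], max_acceptable_sl: int) -> List[str]:
    """Scenarios driving an SL the owner does not want to engineer for; the
    SPR team would recommend an unhackable safeguard for each of these."""
    return [r.scenario_id for r in map(review_scenario, scenarios)
            if r.hackable and r.target_sl > max_acceptable_sl]


def add_unhackable_safeguard(s: Scenario, sg: Safeguard) -> Scenario:
    """Model the recommendation: with an inherently safe safeguard added,
    the scenario no longer drives the zone SL."""
    if sg.kind not in UNHACKABLE_SAFEGUARD_KINDS:
        raise ValueError(f"{sg.tag} ({sg.kind}) is not inherently safe against cyberattack")
    return replace(s, safeguards=s.safeguards + (sg,))


# Constructed sample PHA scenarios (tags, zones and categories are invented).
SAMPLE_SCENARIOS = [
    Scenario("S1", "reactor", "control_loop_failure", "severe",
             (Safeguard("TAH-201", "operator_alarm_response"), Safeguard("SIF-201", "sif"))),
    Scenario("S2", "reactor", "control_loop_failure", "catastrophic",
             (Safeguard("SIF-202", "sif"), Safeguard("PSV-201", "pressure_relief_device"))),
    Scenario("S3", "utilities", "manual_mechanical_action", "serious",
             (Safeguard("FAL-301", "operator_alarm_response"),)),
    Scenario("S4", "utilities", "equipment_start_stop", "serious",
             (Safeguard("FIC-302", "control_loop"),)),
]

if __name__ == "__main__":
    for s in SAMPLE_SCENARIOS:
        print(review_scenario(s))
    print("zone targets:", zone_targets(SAMPLE_SCENARIOS))
    print("scenarios above SL 2:", over_target(SAMPLE_SCENARIOS, 2))
```

In the constructed data, S2 is screened out by its relief valve even though its consequence is catastrophic, S3 by its non-computer cause, and the reactor zone ends up at SL 3 driven solely by S1; adding a relief device to S1 drops the zone to 0, which is the effect the text describes when the team recommends an inherently safe safeguard instead of a high SL.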

PHA overview

Process facilities are systematically assessed to determine what hazard scenarios could occur that could cause a significant consequence. For each of these scenarios, analysts assess the available safeguards to determine if they are adequate. This exercise is called a process hazard analysis. PHAs are performed using a variety of techniques. The most common and comprehensive technique is the hazard and operability (HAZOP) study. In a HAZOP study, analysts divide a facility into “nodes” of similar operating conditions and walk them through a set of deviations, such as high pressure, low temperature, or reverse flow. For each of these guide words, a multidisciplinary team (e.g., operations, safety, and engineering) determines if there is a cause of deviation beyond safe operating limits. If so, the team determines the consequence if the deviation were to occur, and then lists all the safeguards that are available to prevent that deviation from occurring—or at least escalating to the point where damage can occur. An example HAZOP worksheet is shown in figure 2.

Figure 2. Sample HAZOP worksheet

When a HAZOP is performed, a team of engineers looks at virtually every failure that can possibly occur and ensures that there are appropriate safeguards to protect against each one. If the team determines the degree of safeguarding is inadequate, it will recommend adding new protection layers or making modifications to improve existing safeguards. Using this process, virtually any process deviation that can be conceived is analyzed.

Although this process systematically and thoroughly assesses potential hazard scenarios, it currently does not make absolutely certain that a plant is inherently safe against cyberattack. The hazard scenarios are assessed to determine if safeguards are appropriate, but there is typically no additional consideration that the safeguards could all have been disabled by malicious attacks. This is the purpose of the SPR study.

Unhackable safeguards

The process industries commonly employ a number of safeguards that are inherently safe against cyberattack. One of these safeguards can be employed to protect a process plant against virtually any conceivable cyberattack. The real work of protecting process industry plants against cyberattack vectors that can cause large amounts of physical damage is to make the process for selecting and installing these safeguards thorough and systematic. Where they are not installed and the plant is vulnerable to a cyberattack, engineers should define an appropriate SL.

The common process industry safeguards that are inherently safe against cyberattack include:

  • pressure relief devices
  • mechanical overspeed trips
  • check valves
  • motor monitoring devices
  • instrument loop current monitor relays

Security PHA review example: thermal runaway reaction

A chemical process employs a reactor that contains a series of packed beds of catalyst to remove chemical impurities from a feed stream by reaction with hydrogen. The chemical feed is vaporized and mixed with hydrogen before it enters the reactor. Once the reactants enter the reactor vessel and contact the catalyst bed, an exothermic reaction occurs, significantly increasing the temperature of the reactant materials and the vessel. To reduce the temperature of the reaction products leaving the first bed, an additional cool hydrogen quench is supplied under flow control in between each catalyst bed. A simplified process flow diagram of the process is shown in figure 3.

Figure 3. Hydrogen reactor simplified process flow diagram

If the hydrogen quench were to fail, for instance because the flow control loop supplying the quench hydrogen failed with its control valve in the closed position, the temperature in the next bed of the reactor would significantly increase. Additionally, as the temperature increases, the reaction rate also increases—causing a faster reaction and more heat release, thus a higher temperature. This vicious cycle continues and quickly gets to the point where subsequent quenches are no longer effective, and the temperature in the reactor and its outlet piping exceeds the maximum allowable working temperature (MAWT), causing a loss of containment of the process contents as the piping and vessel melt and open to the atmosphere. This scenario was considered during a HAZOP-style PHA. The worksheet for the low-flow deviation is shown in figure 4.

Figure 4. Runaway reaction PHA worksheet

The SPR begins with an analysis of the initiating event. In this case, the initiating event is the failure of a flow control loop. Because the control loop is contained in a distributed control system, it is computer based. If a malevolent actor remotely took over the DCS, the position of the valve could be manipulated to the closed position. As such, the initiating event is determined to be hackable.

Next, all of the safeguards are reviewed to determine if they can be hacked. In this case, there are two safeguards that are related to operator intervention based on alarms and one that is an SIF. The two operator intervention safeguards are determined to be hackable, because the alarm annunciation occurs in the DCS. If a malevolent actor were to take control of the DCS, the operator could be blinded to the loss-of-flow condition if the hacker disabled the alarm and froze the human-machine interface value in its last good state. The one SIF is also determined to be hackable, because it resides in an SIS that is based on a programmable logic controller. If the control system were taken over by a malevolent actor, the output of the SIF could be frozen in an energized state, making the SIF unable to respond to the hazardous condition.

Figure 5

Figure 6

In this case, the team determined that all the safeguards could be hacked. As a result, the next step is to identify the consequence category of the scenario, and use that consequence category to determine the SL required to make the risk of this scenario tolerable from a cybersecurity perspective. The consequence and SL are related by the operating company’s tolerable risk criteria (figure 7).

Figure 7. Tolerable risk criteria

The consequence category is high in this case, based on the potential for a single fatality from the fire that could accompany the loss of containment event. In accordance with the risk tolerance criteria in figure 8, this results in an SL assignment of SL 2.

Figure 8. Consequences

In this example, the assigned SL can be reasonably achieved by typical cybersecurity mechanisms that the plant is familiar with, so the project team accepts the SL assignment without further deliberation, and the SPR study continues. But consider a case where the SPR process resulted in the assignment of a very high SL, one requiring a significant redesign of the cybersecurity mechanisms of the ICS that is beyond the capability of the plant equipment and staff to implement.

To explore this situation, consider the same process scenario again, but in this case, assume that the consequences are much higher. For instance, in another similar case, a release of the reactor material after loss of containment could cause a large toxic gas cloud instead of a localized fire. If the result of the release of the toxic gas cloud is multiple off-site fatalities, the risk of the situation is entirely changed. Figure 9 presents a revised PHA study report excerpt for this situation.

Figure 9. Runaway reaction PHA worksheet (revised consequence)

In this new case, the SPR would proceed in exactly the same way. The initiating event analysis would show that it is hackable, and the safeguard analysis would show that all the safeguards are hackable. But in this case, instead of a consequence category of “high” that results in an SL of 2, the consequence category is “very-very high,” resulting in an SL of 4. An SL of 4 is a very difficult target to achieve, and most ICS design, operation, and maintenance practices would not achieve SL 4 without very difficult and expensive modifications to equipment and practices. In a case like this, it may be prudent for the team to recommend implementation of a safeguard that cannot be hacked, so that the consequence of this scenario does not factor into the selection of the required SL.

Upon review of the common safeguards that cannot be hacked, it is determined that no self-contained mechanical device, like a pressure relief valve, is capable of preventing the scenario under consideration. Furthermore, because the hazardous event is a runaway reaction with no limit on the potential temperature that could be achieved, changing the vessel design to increase the MAWT will also not be effective. In this case, the only effective safeguard that is inherently safe against cyberattack is an analog “mimic” of the safety instrumented function.

The analog “mimic” of the SIF UZC-207 will employ the second thermocouple of a dual element thermocouple set in the existing thermowell. The second thermocouple element will be wired to an analog temperature transmitter that will convert the temperature measurement to a 4–20 mA signal. The 4–20 mA signal will be analyzed by an analog current monitor relay that will open a contact in the 24 VDC signal to the solenoid valve for UZV-207, de-energizing the solenoid, venting the valve’s actuator, and causing the valve to go to a closed position. As designed, this entire analog mimic is inherently safe against cyberattack, and any cyberattack that is waged on the digital complement (UZC-207) will not interfere in the safety functionality of the analog mimic function. The design of the mimic is shown in more detail in figure 10.

Figure 10. Hydrogen reactor SIF with analog “mimic”

Because the scenario can no longer be hacked, the SPR analysis yields a result of “no requirements” for the SL for this scenario.
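The SPR decision rule described at the start of this excerpt (a scenario is hackable only when its cause and every safeguard can be hacked; the zone SL is the highest SL of any hackable scenario), together with the hydrogen reactor walk-through above, can be written down as a small evaluator. The following is an added example and not code from the article or from Kenexis. It assumes an operating company's tolerable risk criteria in which only the two rows the article states (high → SL 2, very-very high → SL 4) are taken from the text; the other rows, the alarm tags ALARM-1 and ALARM-2, and the transmitter span and relay setpoint used for the analog mimic are constructed placeholders.

```python
"""Security PHA review (SPR) walk-through: hackable-scenario test, SL
assignment from consequence category, and the effect of adding a
safeguard that is inherently safe against cyberattack.
Added example; not code from the article."""
from dataclasses import dataclass
from typing import Optional

# Consequence category -> required SL.  The article states only two rows
# (high -> SL 2, very-very high -> SL 4); the remaining rows are constructed
# placeholders standing in for a company's own tolerable risk criteria.
TOLERABLE_RISK_CRITERIA = {
    "low": 0,
    "medium": 1,
    "high": 2,
    "very high": 3,
    "very-very high": 4,
}


@dataclass(frozen=True)
class Safeguard:
    tag: str
    description: str
    hackable: bool  # True when the safeguard depends on a DCS, PLC or SIS


@dataclass
class Scenario:
    node: str
    deviation: str
    cause: str
    cause_hackable: bool
    consequence: str  # key of TOLERABLE_RISK_CRITERIA
    safeguards: list

    def is_hackable(self) -> bool:
        """SPR rule: hackable only if the cause AND every safeguard can be hacked."""
        return self.cause_hackable and all(s.hackable for s in self.safeguards)

    def required_sl(self) -> Optional[int]:
        """SL from the tolerable risk criteria; None means 'no requirements'."""
        if not self.is_hackable():
            return None
        return TOLERABLE_RISK_CRITERIA[self.consequence]


def zone_sl(scenarios) -> int:
    """Zone SL is the highest SL of any hackable scenario on the zone's ICS."""
    return max((s.required_sl() or 0 for s in scenarios), default=0)


# --- Hydrogen reactor runaway reaction scenario from the article ------------
# ALARM-1 / ALARM-2 are constructed tags; the article names only UZC-207/UZV-207.
HIGH_TEMP_ALARMS = [
    Safeguard("ALARM-1", "DCS high-temperature alarm, operator intervenes", True),
    Safeguard("ALARM-2", "DCS high-temperature alarm, operator intervenes", True),
]
SIF_UZC_207 = Safeguard("UZC-207", "PLC-based SIS high-temperature trip", True)
# Analog mimic of UZC-207: thermocouple -> 4-20 mA -> current monitor relay.
ANALOG_MIMIC = Safeguard("UZC-207 mimic", "analog current-monitor-relay trip", False)


def runaway_reaction(consequence: str, extra_safeguards=()) -> Scenario:
    """Build the low-quench-flow scenario with the article's three safeguards."""
    return Scenario(
        node="reactor catalyst bed 2",
        deviation="low quench hydrogen flow",
        cause="quench flow control loop fails with valve closed (DCS loop)",
        cause_hackable=True,
        consequence=consequence,
        safeguards=HIGH_TEMP_ALARMS + [SIF_UZC_207] + list(extra_safeguards),
    )


# --- Analog mimic trip logic (energize-to-run; constructed span/setpoint) ----
TEMP_SPAN_C = (0.0, 600.0)   # constructed transmitter range mapped to 4-20 mA
TRIP_SETPOINT_MA = 16.0      # constructed: relay contact opens at/above this


def analog_mimic_state(temperature_c: float):
    """Return (signal_mA, solenoid_energized, valve_open) for one measurement.

    The relay is a pure function of loop current; no DCS/PLC software sits in
    the path, so a compromised controller cannot freeze this trip.
    """
    lo, hi = TEMP_SPAN_C
    clamped = min(max(temperature_c, lo), hi)
    signal_ma = 4.0 + 16.0 * (clamped - lo) / (hi - lo)
    energized = signal_ma < TRIP_SETPOINT_MA
    # De-energized solenoid vents the actuator and UZV-207 goes closed.
    return signal_ma, energized, energized


if __name__ == "__main__":
    base = runaway_reaction("high")                       # SL 2
    revised = runaway_reaction("very-very high")          # SL 4
    fixed = runaway_reaction("very-very high", [ANALOG_MIMIC])  # no requirement
    for s in (base, revised, fixed):
        print(s.consequence, "hackable:", s.is_hackable(), "SL:", s.required_sl())
    print("zone SL:", zone_sl([base, fixed]))
```

Running the script reproduces the three outcomes in the text: the high-consequence scenario yields SL 2, the revised consequence yields SL 4, and adding the analog mimic makes the scenario unhackable so it no longer drives the zone SL. The `analog_mimic_state` helper shows why the mimic counts as unhackable: its trip is a function of the 4–20 mA measurement alone, with a de-energize-to-trip output, so there is no software state for an attacker to freeze.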

Protecting the process industry

Process industry plants contain hazards that can have very severe consequences if a loss of containment occurs. Process industry design engineers have dozens or even hundreds of years of experience in protecting these facilities. Many of the safeguards that have been designed to protect process plants were developed years before computers even existed, and thus are inherently safe against cyberattack.

When properly employed at the required locations, these safeguards can make a process plant inherently safe against cyberattack. Application of these safeguards in the required locations can be performed in a thorough and systematic fashion through an SPR study. This process involves going through the process hazard analysis reports that have already been completed for a process plant and reviewing each scenario. The review involves considering the cause and safeguards to determine if they can be hacked. If so, and if the consequence is significant, then the plant should employ a safeguard that is inherently safe against cyberattack.

The SPR process for determining the required SL of an ICS is in its infancy, but it is being adopted very rapidly, because the process is simple and obvious to process safety practitioners once it is explained and the rationale for undertaking the additional study steps is defined.

About the Author
Edward M. Marszal, PE, is president and CEO of Kenexis. He has more than 20 years of experience in the design of instrumented safeguards, such as SIS and fire and gas systems. Marszal is an ISA Fellow, former director of the ISA safety division, and co-author of the ISA book Safety Integrity Level Selection. He is an ISA84 expert.

A version of the article was originally published at InTech magazine.

Broadening ISA’s Global Perspective and Focusing on the Next Generation of ISA Members

This post is authored by Brian Curtis, president of ISA 2018.

I am extremely honored to serve as ISA’s Society president in 2018. This organization has contributed so much to both my professional and personal growth, and I’ve been a strong believer in ISA’s mission for over 30 years.

I am only the third non-North American Society president in 73 years, and I hope this is the beginning of a more international dimension to ISA. I intend to bring this focus to my term as president and I look forward to working with my colleagues in all regions of the world to bring ISA’s knowledge, expertise, and resources to their countries.

At the heart of ISA are its dedicated members, volunteer leaders, and staff. I want to express my appreciation, at the outset, for your commitment and teamwork. The common, unifying thread is the passion we all have for ISA. This is an exciting time for ISA; the Society is well positioned to secure new opportunities amid a highly changing world economy and global automation community.

It’s essential that we always encourage our volunteer leaders to bring their perspective and experience to their ISA roles, emphasizing the importance of gaining different viewpoints, since experience proves that an inclusive approach leads to better business decisions. Ensuring that every leader brings their unique perspective and experience to our discussions can only help create a better ISA.

As we work to create a brighter future for ISA, we can’t overlook the significance of membership. Without a new generation of young engineering professionals, where will we find the next wave of ISA members? ISA’s long-term viability and relevance depends on attracting new members, and in order to attract the next generation, we need to be more flexible and more open to new ideas and prospects for growth. We need to work with university and technical school students to bridge the gap between finishing post-secondary education and landing their first job. Once they have a job, young engineering professionals need engagement from ISA to progress their careers and find the resources they need to excel.

Cybersecurity leadership

Another key area of continued focus for the Society is in industrial cybersecurity. While there is growing awareness among industry leaders of the risks of cyberattack, we need to work harder to foster recognition in the marketplace that ISA offers real solutions to mitigate these risks. We have the standards, training, and technical resources for manufacturers and other industry organizations to improve operational reliability, profitability, safety, and security.

I’m looking forward to working with the ISA Executive Board to build on the progress we’ve made over the last several years in our areas of strategic focus and our global brand recognition. Though we’ve made great strides in our planning process, there is still much work to be done. We must accelerate our focus on what works outside North America, knowing that equivalent does not always mean effective and there may be more than one model for all. Understanding local cultures, challenges, and opportunities, while protecting our brand and intellectual property, will be the basis for us to truly become an international association.

Strategic plan development

In December, the ISA Executive Board and senior staff held an intensive workshop to begin the development of the next iteration of ISA’s strategic plan. We will be working to develop the details of this plan over the coming weeks, but we initially identified these key statements as potential focus areas for ISA in the future:

  • ISA needs to review and enhance its strategy to create, capture, validate and deliver best-in-class content utilizing its engaged community.
  • ISA will actively seek out and utilize systems and technologies that are focused on the user experience as a way of enabling engagement and growth within the ISA community.
  • The Executive Board will operate at the highest standard, understanding its governance role in establishing clear and concise strategies and goals. The ISA Staff will operate at the direction of the Executive Director, with the trust and partnership of the Executive Board, to meet the objectives of the board and manage the organization. The Executive Board will engage to review the performance of the Society related to the strategic objectives.
  • We will develop and foster an organizational culture where all leaders are trained to collaborate on mission-focused, strategic initiatives for the betterment of the overall Society.
  • ISA will strategically implement programs to foster growth globally.
  • ISA and its brand family will continue to strive for a level of standards acceptance around the world such that they are the default, legally-recognized requirement.
  • ISA’s infrastructure of professionals, who are dedicated to furthering the core competency of automation, will work across the globe to educate and inform students before they choose a career, thus enabling these students to make better decisions about the future of their world.

These statements are guiding ideals that will shape how we develop the next iteration of the strategic plan in the coming weeks. Stay tuned for updates on our progress.

Setting global standards

In closing, I sincerely thank the Society and its members for this remarkable honor. I look forward to working with all of you in the months ahead, and sharing with you new evidence of our success and progress.

I have never been so optimistic about the future of ISA. Together we can help ISA achieve our vision to set the global standard for automation and enable automation professionals across the world to work collectively for the benefit of all. Please contact me at president@isa.org with your thoughts and insights. I look forward to hearing from you and working with you as we move forward in 2018.

About the Author
Brian Curtis, I. Eng., LCGI, is the Operations Manager for Veolia Energy Ireland, providing services to Novartis Ringaskiddy Ltd. in Cork, Ireland. He has more than 35 years of experience in petrochemical, biotech, and bulk pharmaceutical industries, specializing in design, construction management, and commissioning of electrical, instrumentation, and automation control systems. He has managed complex engineering projects in Ireland, England, Belgium, the Netherlands, Italy, and Germany. A long-time ISA member, Curtis has served on the ISA Executive Board since 2013, the Geographic Assembly Board (2012–2015), and the Finance Committee (2013–2017). He was Ireland Section President and Vice President of District 12, which includes Europe, the Middle East, and Africa. Curtis has also been active on several Society task forces, including Cybersecurity, Governance, and Globalization-related committees. He received the ISA Distinguished Society Service Award in 2010. He is the Former President of Cobh & Harbor Chamber of Commerce (2013–2015) and Former Chairman of the Ireland Southern Region Chambers (2015–2016) and is an active member of the Ireland National Standards Body, ETCI.

A version of this article has also been published at ISA Insights.