Webinar Recording: Road to Digitalization Leads Through Cybersecurity

This ISA webinar on industrial cybersecurity was presented by Steve Mustard, cybersecurity expert and Automation Federation Cybersecurity Committee chair; Leo Simonovich, global head of industrial cyber and digital security at Siemens Energy Inc.; and Eddie Habibi, founder and CEO of PAS.



The promise is real. The age of digitalization, Industrie 4.0, and the Industrial IoT-enabled smart factory will usher in greater operational intelligence, more efficient production, and safer work environments. Realizing that promise means coming to terms with OT cybersecurity, because the enablers of digitalization – smart sensors, ubiquitous connectivity, and remote access – are also enablers for cyberattacks.

A recent Ponemon Institute study revealed that only a third of oil and gas organizations surveyed rated their OT cyber readiness as high. With aging assets, poor security practices, and nearly a decade of bad guys learning how industrial control systems work, industry leaders are concerned about the OT security challenges ahead. Now is the time for our operations and security leadership to plan and act more strategically so we can secure our digitalization future.

This ISA co-hosted webinar focuses on how industry must meet the challenge of securing operational environments. Cybersecurity veterans Leo Simonovich, Siemens’ vice president and global head of industrial cyber and digital security; Eddie Habibi, PAS founder and CEO; and Steve Mustard, chair of ISA’s Automation Federation Cybersecurity Committee offer insights on what holds industry back from a secure, digital future and what strategies leading edge companies are employing to mitigate enterprise risk.


About the Presenters

Steve Mustard is an independent automation consultant and the Automation Federation’s Cybersecurity Committee chair. Originally from the UK and now based in Houston, Tex., Steve is a recognized authority on industrial cybersecurity, having developed and delivered cybersecurity management systems, procedures, training and guidance to multiple critical infrastructure organizations.
Leo Simonovich is vice president and global head, Industrial Cyber and Digital Security of Siemens Energy Inc. He is responsible for setting the company’s strategic direction worldwide in helping Siemens’ energy customers protect their infrastructure from cyber attacks. Leo identifies emerging market trends, works with customers and Siemens businesses to provide best-in-class cyber offers, and contributes to the company’s thought leadership on this topic. Previously, Leo led the cyber risk analytics practice area at the management consulting firm, Booz Allen Hamilton. Leo holds both a master’s degree in global finance and an MBA from the University of Denver.

Eddie Habibi is founder and CEO of PAS. Eddie is a pioneer and a thought leader in the fields of industrial control systems (ICS) cybersecurity, Industrial IoT, data analytics, and operations management. In 2017, PAS was recognized in CRN’s 15 coolest industrial IoT companies, and Eddie was listed by CRN as one of the 30 Internet Of Things Executives Whose Names You Should Know. He is the co-author of two popular best practices books on operational risk and safety management: Alarm Management: A Comprehensive Guide and The High Performance HMI Handbook. Eddie holds an engineering degree from the University of Houston and an MBA from the University of St. Thomas.



ISA’s Future Is Quickly Approaching, and Industrial Cybersecurity Will Play a Critical Role

This post is authored by Brian Curtis, president of ISA 2018.


We are just getting into 2018 and some of us are already planning our summer vacation. Time passes quickly and the years go by so fast; it reminds me to reflect on the past and plan for the future.

Like so many ISA leaders, I have benefited from ISA membership. I have been able to participate in and give time and effort to ISA locally and internationally. The Society has reciprocated by providing me amazing opportunities to learn and lead. As an added benefit, I’ve enjoyed access to outstanding technical resources, and have been blessed to work with and benefit from so many talented professionals, many of whom have become old friends.

Our understanding of the global automation community is changing. As we begin to look for new opportunities for growth, our view must expand to include all the various industry segments and markets that depend on automation every day. With this new perspective comes the recognition that ISA’s ability to provide products and services for automation (professionals and industries) extends far beyond the process industries, where we have thrived for 73 years. We also enter 2018 with new and emerging technologies that allow us to engage in exciting ways with automation professionals and industries on the global playing field.

Emerging technologies = new opportunities

Emerging technologies have created new opportunities for automation, and have changed the roles, responsibilities, and needs of automation professionals. All of these developments impact ISA, its spectrum of products and services, and its global audience. ISA’s success, now and in the future, depends on its ability to seize these opportunities while remaining relevant to automation professionals and to the industries and entities they serve. How do we remain relevant? We must continue to deliver value to individual members and to the global automation community – and we must do this with excellence.

In this month’s column, I turn my attention to a key area of continued focus for the Society—industrial cybersecurity. While there is growing awareness among industry leaders of the risks of cyberattack, we need to work harder to foster recognition in the marketplace that ISA offers real solutions to mitigate these risks. We have the standards, training, and technical resources for manufacturers and other industry organizations to improve operational reliability, profitability, safety, and security.

One of the high-level initiatives ISA leaders have identified for 2018 and beyond is for the Society to be the global authority for industrial control system cybersecurity standards and resources. When we talk about cyber threats, the natural tendency for all of us (including international governments) has been to think of identity theft and other cyberattacks affecting traditional information technology (IT) systems. People tend to forget about cyber threats to operational technology (OT) systems affecting a nation’s critical infrastructure in countries all around the world. Systems that control the operations of our manufacturing plants, chemical plants, water/utilities, power, etc., all face cyber threats with potentially devastating consequences, but the dialogue centers on data protection, privacy, and IT-focused cybersecurity.

Over the past several years, ISA has worked diligently to raise awareness of the control system challenges related to operations technology cybersecurity. Thanks to the Automation Federation and the tireless efforts and commitment of numerous members of ISA staff, volunteer leaders, and subject matter experts, the Society has taken a recognized leadership role in OT industrial control systems cybersecurity—not just in the US, but around the world.

We are off to a great start in this area, but what comes next? Is ISA positioned to fully take advantage of the cybersecurity opportunity? Are we “operationalized” enough to update and expand the current standard or to develop new standards as cybersecurity threats evolve? An important component of the ISA cybersecurity initiative is building a trained workforce in automation and control. What new programs should we develop to stay ahead of the needs in global industries?

ISA has developed an industrial cybersecurity certificate program, the ISA99/IEC 62443 Cybersecurity Fundamentals Specialist Certificate, “to help professionals involved in information technology and control systems security improve their understanding of ISA99/IEC 62443 principles and acquire a command of industrial cybersecurity terminology.” The certificate program has four different certificates that lead to recognition as an IEC 62443 Cybersecurity Expert.

Community college programs

ISA is already engaged with Cleveland Community College to develop industrial operations and cybersecurity training programs in support of workforce readiness initiatives. Can this be replicated at other technical institutions in the US and around the globe? The demand from the marketplace for ISA cybersecurity training is increasing each year, and we will continue to evaluate our ability to change the current training programs as cybersecurity threats and opportunities evolve. It’s also important to note that conversations about cybersecurity can serve as the door opener to educate people about other important ISA offerings and capabilities.

On a personal level, we all have a part to play in our daily activities to prevent cyberattacks. We need to be vigilant in how we access social media; consider viewing these items on your cell phone rather than your PC or laptop, as a laptop that is corrupted will attack files on your hard drive and potentially enter your company’s network, causing wider damage. Do not allow USB sticks to be used on your machine. When you receive emails, check the sender’s name and the content of the subject. If in doubt, don’t open it; send an email to the person to confirm who sent the suspicious email. Clear the cookies on your electronic devices regularly, and back up your hard drive frequently. If all of us apply simple precautions, we will contribute to security in a small way.

I am excited about all the possibilities the future holds for ISA, especially in industrial cybersecurity. We look forward to your contributions and support of these important initiatives. Please contact me at president@isa.org with your thoughts and insights. I look forward to hearing from you and working with you as we move forward in 2018.

About the Author
Brian Curtis, I. Eng., LCGI, is the Operations Manager for Veolia Energy Ireland, providing services to Novartis Ringaskiddy Ltd. in Cork, Ireland. He has more than 35 years of experience in the petrochemical, biotech, and bulk pharmaceutical industries, specializing in design, construction management, and commissioning of electrical, instrumentation, and automation control systems. He has managed complex engineering projects in Ireland, England, Belgium, the Netherlands, Italy, and Germany. A long-time ISA member, Curtis has served on the ISA Executive Board since 2013, the Geographic Assembly Board (2012–2015), and the Finance Committee (2013–2017). He was Ireland Section President and Vice President of District 12, which includes Europe, the Middle East, and Africa. Curtis has also been active on several Society task forces, including Cybersecurity, Governance, and Globalization-related committees. He received the ISA Distinguished Society Service Award in 2010. He is the Former President of Cobh & Harbor Chamber of Commerce (2013–2015) and Former Chairman of the Ireland Southern Region Chambers (2015–2016) and is an active member of the Ireland National Standards Body, ETCI.



A version of this article also has been published at ISA Insights.

Connectivity, Productivity and Efficiency Benefits of IIoT Depend on Integrated Cybersecurity

This article was written by Bill Lydon, chief editor at InTech magazine.


I had a discussion with Gary Freburger, president of Schneider Electric’s process automation business, about the Industrial Internet of Things (IIoT). He framed the discussion by introducing a new concept, “intelligize.” Simply put, intelligize means establishing a method to sort, prioritize, and refine your data, to connect bits of data so they become meaningful information, and then to share that information with operators and other assets, ensuring that the most effective, valuable business and operating decisions and actions are taken.

“While all industry is chomping at the bit to realize the promise and rewards of IIoT,” Freburger noted, “all that connectivity and proposed productivity and efficiency won’t matter if the culture, systems, or plants are not inherently safe and secure. Before deploying IIoT, it is important to understand not only the implications for your business, but also the implications for overall safety and security.” In short, “a cornerstone of an effective industrial automation system is integrated cybersecurity.”

It is critically important to think about all the opportunities IIoT presents before connecting a large volume of sensors, solutions, and automation and control systems. The prospect of connecting billions of devices to industrial automation systems begs two really important questions.

First, how do we keep systems and information secure? Adding more devices creates a broader attack surface, which increases cybersecurity risks. In Freburger’s view, there must be a balance between adding intelligence, securing the devices, and protecting the data. Collecting data just for the sake of having more data might not create any additional value at all. More data has the potential to cause more operator confusion and increase the cyberattack risk.

Second, what do we do with the data and information? “You need a process to figure out what it means and what it is telling you,” he said. “There are a lot of options for using data, including trending, exception reporting, alarming, and other functions. But there needs to be a reason to collect all this data. It’s what we call an operational intelligence approach, which relies on optimizing automation and control, remote management, and predictive maintenance to enable managed services, advanced analytics, and the generation of actionable information that drive better, more informed decision making.”

Improving operational efficiency and reliability can be better accomplished by providing the intelligent data for operators to make the better decisions that optimize production. Freburger used an interesting analogy to make his point. “If you connect your washing machine to the Internet, what do you really want to know? Do you want to know when the water turns on, the soap dispenses, the drying cycle time, the rinse cycle time, the spin cycle duration and RPMs? That’s a lot of data. But is it valuable and worth extending your risk of a cyberincursion? And what would you do with the data anyway? In all practicality, all you probably want to know is when the washer turned on, when it’s complete, and if there is a potential problem. Just because I can connect my washing machine to the Internet doesn’t mean I should, unless it makes sense and unless I can do something valuable with the information.”

“What’s interesting to me from our perspective, with a lot of feedback from users, is that control systems have become complicated,” he told me. “We’ve come to the realization that we need to simplify the data and make it easier for users. This includes standardization in a number of areas to make things simpler—for example, standards that define the meaning of operator display colors for consistency. But ‘simpler’ and connecting another 5,000 devices don’t quite go together. The important thing is deciding how to intelligize the data, deciding what you really want to accomplish, how to use the data to do that, how to bring it into the systems, and how to keep it and your systems secure.”

“The Industrial Internet of Things is a wonderful advancement, and a real opportunity to increase ROI [return on investment] and asset value. When it comes to process automation, we should be using IIoT capabilities to push control further toward the device layer, which means making instrumentation much smarter. This should allow you to simplify the control architecture to match the topology, so that we are reducing time, cost, and effort to configure systems.”

Distinguishing the data you really need from the available data is important in system design. For Freburger, this simply means applying lean design concepts to improve operations, efficiency, and productivity. “The IIoT strengthens our capabilities so we are better able to help customers extend the life of their assets, enhance decision-making, and create a smart enterprise control system that drives improved financial performance for the business. But it has to be inherently cybersecure first.”


About the Author
Bill Lydon is chief editor of InTech magazine. Lydon has been active in manufacturing automation for more than 25 years. He started his career as a designer of computer-based machine tool controls; in other positions, he applied programmable logic controllers and process control technology. In addition to experience at various large companies, he co-founded and was president of a venture-capital-funded industrial automation software company. Lydon believes the success factors in manufacturing are changing, making it imperative to apply automation as a strategic tool to compete.


A version of this article originally was published at InTech magazine.

Managing the Cybersecurity Threat to Hazardous Process Plants

This guest blog post was written by Edward M. Marszal, president and CEO of Kenexis, and co-author of the ISA book Safety Integrity Level Selection.


Managing the risk of hazardous process plants is a difficult and resource-intensive activity. In order to reduce costs and improve productivity as technology evolves, process plants employ new equipment and techniques that introduce new hazards. Over the past few decades, the process industries have almost entirely shifted from control systems that were either analog electronic or pneumatic to distributed control systems (DCS) and programmable logic controllers. These computer-based systems made quantum leaps in functionality over their analog counterparts with respect to calculation complexity, data storage, and communication, but introduced a new threat—deliberate and malicious cyberattacks.

At this point, most process industry plants have not implemented much cybersecurity on their industrial control systems (ICS), leaving perimeter guarding to the discretion of their information technology departments. Even so, cyberattacks rarely cause physical damage to process plants. Process engineers have safeguarded their plants against failures that can cause significant safety consequences, and this is true whether or not the failure occurs organically through random hardware failures or deliberately through a cyberattack. The safeguards employed by these process engineers are common, inexpensive, and very often inherently safe against cyberattack, because most of these devices were invented dozens or hundreds of years before the advent of the computer.

Even though cyber threats are not adequately addressed with existing process hazard analysis (PHA) methods, there is no reason to abandon everything that we know about process risk assessment and start from scratch. Instead, industry is extending tried-and-true methodologies for PHA to address the problem of deliberate cyberattacks. By doing so, none of the existing PHA effort is wasted or needlessly duplicated. Instead, a small amount of additional effort is utilized by starting with traditional PHA and focusing only on scenarios where cyberattacks are the cause or scenarios where cyberattacks can prevent all the safeguards from operating properly. It is these key scenarios that will generate recommendations to implement safeguards that are inherently safe against cyberattack, or to define the appropriate level of safeguarding from cyberattack, as defined by a security level (SL).

Security level

Security levels are categories that define a set of policies, procedures, and practices that must be implemented to secure an industrial control system zone. Unlike the quantitative safety integrity level (SIL) defined in the IEC 61511/ISA-84 standard for safety instrumented functions, which is a band of average probability of failure on demand, an SL is a set of qualitative requirements that explain how a system should be designed and operated. IEC/ISA-62443 defines four security levels, one through four, with SL 1 being the least secure and SL 4 being the most secure. The levels are defined (in the abstract) as:

  • SL 1: Prevents the unauthorized disclosure of information via eavesdropping or casual exposure
  • SL 2: Prevents the unauthorized disclosure of information to an entity actively searching for it using simple means with low resources, generic skills, and low motivation
  • SL 3: Prevents the unauthorized disclosure of information to an entity actively searching for it using sophisticated means with moderate resources, skills specific to industrial automation and control systems (IACSs), and high motivation
  • SL 4: Prevents the unauthorized disclosure of information to an entity actively searching for it using sophisticated means with extended resources, IACS-specific skills, and high motivation

The above definitions of SL are quite philosophical, providing few concrete design specifications. Much more information is required to fully understand the differences in design practices between the various SLs. So much so, in fact, that an entire document in the IEC 62443 standard set is dedicated to explaining the differences between the various security levels: IEC 62443-3-3. Selecting an SL for each ICS zone provides a set of requirements to implement in subsequent cybersecurity life-cycle steps.

The SPR study

The security PHA review (SPR, pronounced “spur”) study is an evolution of PHA. It assigns performance targets to ICS cybersecurity and makes recommendations to implement safeguards that are inherently safe against cyberattack in lieu of setting high SL targets. The SPR approach was specifically developed to fit more naturally with the normal project life cycle of the design, implementation, and operation of process industry plants while also leveraging existing engineering tasks and reports generated for general process safety. In this way, the limitations of existing cyberrisk analysis approaches can be eliminated while maximizing the use of information and documentation generated in other stages of the engineering life cycle.

The SPR study (figure 1) is specifically designed to generate the required SL using the existing process hazard analysis as the foundation and starting point. The SPR process allows companies to select the SL of an ICS zone in a manner that is analogous to the way that layer of protection analysis allows them to select SIL targets for safety instrumented functions (SIF).

Figure 1. Simplified security PHA review process

The process begins with the collection of the results of a process hazard analysis. This can either be done with the report of an existing PHA, or as an additional step during a PHA study, while the study is in progress. Each scenario of the PHA is then reviewed to determine if it is “hackable,” which means that the scenario could be forced to occur by a malevolent actor who has taken control of the ICS. First, the cause or initiating event is reviewed to determine if it can be hacked. Generally, this would be true for any computer control loop failure or equipment item starting or stopping. It would not be true for human interactions with mechanical process equipment that is not connected to a computer. If the cause cannot be hacked, the analyst moves to the next scenario.

Next, the safeguards are reviewed to determine if they can be hacked. In general, all control loops, safety instrumented system functions, and operator responses to alarms are hackable, but mechanical devices such as relief valves are not. If any one of the safeguards cannot be hacked, the analyst moves on to the next scenario.

If the cause of a scenario and all of the safeguards can be hacked, then the overall scenario is determined to be hackable. This means that if a malevolent actor could take control of the ICS, that person would be able to generate the scenario under consideration and realize its consequence. For each hackable scenario, the consequence category from the PHA needs to be determined. Based on the risk tolerance criteria of the process owner, an IEC/ISA SL would then be assigned to that scenario. Of course, if the consequence is severe and causes an SL that is not desirable, the analysis team has the option of recommending a safeguard that is inherently safe against cyberattack. This would remove the scenario from consideration as a driver of the selected SL. After all the scenarios have been reviewed in this way, the SL that is assigned to a zone is the highest of all of the SLs that were assigned to the scenarios that are associated with the ICS equipment of that zone.

PHA overview

Process facilities are systematically assessed to determine what hazard scenarios could occur that could cause a significant consequence. For each of these scenarios, analysts assess the available safeguards to determine if they are adequate. This exercise is called a process hazard analysis. PHAs are performed using a variety of techniques. The most common and comprehensive technique is the hazard and operability (HAZOP) study. In a HAZOP study, analysts divide a facility into “nodes” of similar operating conditions and walk them through a set of deviations, such as high pressure, low temperature, or reverse flow. For each of these guide words, a multidisciplinary team (e.g., operations, safety, and engineering) determines if there is a cause of deviation beyond safe operating limits. If so, the team determines the consequence if the deviation were to occur, and then lists all the safeguards that are available to prevent that deviation from occurring—or at least escalating to the point where damage can occur. An example HAZOP worksheet is shown in figure 2.

Figure 2. Sample HAZOP worksheet

When a HAZOP is performed, a team of engineers looks at virtually every failure that can possibly occur and ensures that there are appropriate safeguards to protect against each one. If the team determines the degree of safeguarding is inadequate, it will recommend adding new protection layers or making modifications to improve existing safeguards. Using this process, virtually any process deviation that can be conceived is analyzed.

Although this process systematically and thoroughly assesses potential hazard scenarios, it currently does not make absolutely certain that a plant is inherently safe against cyberattack. The hazard scenarios are assessed to determine if safeguards are appropriate, but there is typically no additional consideration that the safeguards could all have been disabled by malicious attacks. This is the purpose of the SPR study.

Unhackable safeguards

The process industries commonly employ a number of safeguards that are inherently safe against cyberattack. One of these safeguards can be employed to protect a process plant against virtually any conceivable cyberattack. The real work of protecting process industry plants against cyberattack vectors that can cause large amounts of physical damage is to make the process for selecting and installing these safeguards thorough and systematic. Where they are not installed and the plant is vulnerable to a cyberattack, engineers should define an appropriate SL.

The common process industry safeguards that are inherently safe against cyberattack include:

  • pressure relief devices
  • mechanical overspeed trips
  • check valves
  • motor monitoring devices
  • instrument loop current monitor relays

Security PHA review example: thermal runaway reaction

A chemical process employs a reactor that contains a series of packed beds of catalyst to remove chemical impurities from a feed stream by reaction with hydrogen. The chemical feed is vaporized and mixed with hydrogen before it enters the reactor. Once the reactants enter the reactor vessel and contact the catalyst bed, an exothermic reaction occurs, significantly increasing the temperature of the reactant materials and the vessel. To reduce the temperature of the reaction products leaving the first bed, an additional cool hydrogen quench is supplied under flow control in between each catalyst bed. A simplified process flow diagram of the process is shown in figure 3.

Figure 3. Hydrogen reactor simplified process flow diagram

If the hydrogen quench were to fail, for instance, because the flow control loop supplying the quench hydrogen failed with its control valve in the closed position, the temperature in the next bed of the reactor would significantly increase. Additionally, as the temperature increases, the reaction rate also increases—causing a faster reaction and more heat release, thus a higher temperature. This vicious cycle continues and quickly gets to the point where subsequent quenches are no longer effective, and the temperature in the reactor and its outlet piping exceed the maximum allowable working temperature (MAWT), causing a loss of containment of the process contents as the piping and vessel melt and open to the atmosphere. This scenario was considered during a HAZOP-style PHA. The worksheet for the low-flow deviation is shown in figure 4.

Figure 4. Runaway reaction PHA worksheet

The SPR begins with an analysis of the initiating event. In this case, the initiating event is the failure of a flow control loop. Because the control loop is contained in a distributed control system, it is computer based. If a malevolent actor remotely took over the DCS, the position of the valve could be manipulated to the closed position. As such, the initiating event is determined to be hackable.

Next, all of the safeguards are reviewed to determine if they can be hacked. In this case, there are two safeguards that are related to operator intervention based on alarms and one that is an SIF. The two operator intervention safeguards are determined to be hackable, because the alarm annunciation occurs in the DCS. If a malevolent actor were to take control of the DCS, the operator could be blinded to the loss-of-flow condition if the hacker disabled the alarm and froze the human-machine interface value in its last good state. The one SIF is also determined to be hackable, because it resides in an SIS that is based on a programmable logic controller. If the control system were taken over by a malevolent actor, the output of the SIF could be frozen in an energized state, making the SIF unable to respond to the hazardous condition.

Figure 5

Figure 6

In this case, the team determined that all the safeguards could be hacked. As a result, the next step is to identify the consequence category of the scenario, and use that consequence category to determine the SL required to make the risk of this scenario tolerable from a cybersecurity perspective. The consequence and SL are related by the operating company’s tolerable risk criteria (figure 7).

Figure 7. Tolerable risk criteria

The consequence category is high in this case, based on the potential for a single fatality from the fire that could accompany the loss of containment event. In accordance with the risk tolerance criteria in figure 8, this results in an SL assignment of SL 2.

Figure 8. Consequences

In this example, the assigned SL can be reasonably achieved by typical cybersecurity mechanisms that the plant is familiar with, so the project team accepts the SL assignment without further deliberation, and the SPR study continues. But consider a case where the SPR process resulted in the assignment of a very high SL that required a significant redesign of the cybersecurity mechanisms of the ICS that are beyond the capabilities of the plant equipment and staff to implement.

To explore this situation, consider the same process scenario again, but in this case, assume that the consequences are much higher. For instance, in another similar case, a release of the reactor material after loss of containment could cause a large toxic gas cloud instead of a localized fire. If the result of the release of the toxic gas cloud is multiple off-site fatalities, the risk of the situation is entirely changed. Figure 9 presents a revised PHA study report excerpt for this situation.

Figure 9. Runaway reaction PHA worksheet (revised consequence)

In this new case, the SPR would proceed in exactly the same way. The initiating event analysis would show that it is hackable, and the safeguard analysis would show that all the safeguards are hackable. But in this case, instead of a consequence category of “high” that results in an SL of 2, the consequence category is “very-very high,” resulting in an SL of 4. An SL of 4 is a very difficult target to achieve, and most ICS design, operation, and maintenance practices would not achieve SL 4 without very difficult and expensive modifications to equipment and practices. In a case like this, it may be prudent for the team to recommend implementation of a safeguard that cannot be hacked, so that the consequence of this scenario does not factor into the selection of the required SL.

Upon review of the common safeguards that cannot be hacked, it is determined that no self-contained mechanical device, like a pressure relief valve, is capable of preventing the scenario under consideration. Furthermore, because the hazardous event is a runaway reaction with no limit on the potential temperature that could be achieved, changing the vessel design to increase the MAWT will also not be effective. In this case, the only effective safeguard that is inherently safe against cyberattack is an analog “mimic” of the safety instrumented function.

The analog “mimic” of the SIF UZC-207 will employ the second thermocouple of a dual element thermocouple set in the existing thermowell. The second thermocouple element will be wired to an analog temperature transmitter that will convert the temperature measurement to a 4–20 mA signal. The 4–20 mA signal will be analyzed by an analog current monitor relay that will open a contact in the 24 VDC signal to the solenoid valve for UZV-207, de-energizing the solenoid, venting the valve’s actuator, and causing the valve to go to a closed position. As designed, this entire analog mimic is inherently safe against cyberattack, and any cyberattack that is waged on the digital complement (UZC-207) will not interfere in the safety functionality of the analog mimic function. The design of the mimic is shown in more detail in figure 10.

Figure 10. Hydrogen reactor SIF with analog “mimic”
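The signal chain of the analog mimic described above, modelled as an added example (not a design from the article or from Kenexis). It shows why the mimic is unaffected by an attacker freezing the digital SIF output in the energized state: the current monitor relay contact is in series with that output in the 24 VDC solenoid circuit, so opening the contact de-energizes UZV-207 regardless of what the SIS does, and a broken thermocouple loop trips it as well. The transmitter range (0–400 °C), the 250 °C trip setpoint and the under-range threshold are constructed assumptions; only the chain itself comes from the text.

```python
"""Signal-chain model of the analog 'mimic' of SIF UZC-207.

Added example, not a design from the article or from Kenexis.  The
transmitter range, trip setpoint and under-range threshold are constructed
assumptions; the chain itself (second thermocouple element -> 4-20 mA
transmitter -> current monitor relay contact in the 24 VDC solenoid
circuit, de-energize to trip) is the one the text describes.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Transmitter:
    """Analog temperature transmitter: linear 4-20 mA over [low_c, high_c]."""
    low_c: float = 0.0     # assumed: temperature at 4 mA
    high_c: float = 400.0  # assumed: temperature at 20 mA

    def to_ma(self, temp_c: float) -> float:
        ma = 4.0 + 16.0 * (temp_c - self.low_c) / (self.high_c - self.low_c)
        # Real transmitters saturate just outside 4-20 mA (assumed limits).
        return max(3.8, min(20.5, ma))


TRANSMITTER = Transmitter()
TRIP_SETPOINT_C = 250.0                       # assumed high-temperature trip point
TRIP_MA = TRANSMITTER.to_ma(TRIP_SETPOINT_C)  # 14.0 mA for the assumed range
UNDER_RANGE_MA = 3.6                          # assumed: below this the loop is treated as failed


def relay_contact_closed(loop_ma: float) -> bool:
    """Current monitor relay: the contact stays closed (solenoid may remain
    energized) only while the loop current is healthy and below the trip
    value.  An open circuit or burnt-out thermocouple drives the current
    under the range limit and also opens the contact: fail-safe."""
    if loop_ma < UNDER_RANGE_MA:
        return False
    return loop_ma < TRIP_MA


def valve_uzv_207_closed(process_temp_c: float, sis_output_energized: bool,
                         loop_ma: Optional[float] = None) -> bool:
    """Return True when UZV-207 is in its safe (closed) position.

    The relay contact sits in series with the SIS output in the 24 VDC
    solenoid circuit, so the solenoid is energized (valve open) only when
    BOTH the digital SIF output is energized AND the mimic has not tripped.
    loop_ma lets a caller inject a failed loop instead of a measured value.
    """
    if loop_ma is None:
        loop_ma = TRANSMITTER.to_ma(process_temp_c)
    solenoid_energized = sis_output_energized and relay_contact_closed(loop_ma)
    return not solenoid_energized


if __name__ == "__main__":
    # Constructed scenario: the digital SIF output has been frozen energized
    # while the reactor temperature runs away.  The mimic still closes the valve.
    for t in (100.0, 200.0, 250.0, 300.0):
        print(f"{t:5.0f} C, SIS output frozen energized -> valve closed: "
              f"{valve_uzv_207_closed(t, sis_output_energized=True)}")
    print("thermocouple open circuit -> valve closed:",
          valve_uzv_207_closed(100.0, True, loop_ma=0.0))
```

The de-energize-to-trip arrangement is what gives the mimic its fail-safe property: every failure of the analog chain (lost signal, broken wire, relay power loss) ends in the same closed-valve state as a genuine high-temperature trip.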

Because the scenario can no longer be hacked, the SPR analysis yields a result of “no requirements” for the SL for this scenario.
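The SPR decision logic worked through above (initiating event hackable? every safeguard hackable? consequence category mapped to an SL through the tolerable risk criteria) as an added example, not code from the article or from Kenexis. It runs the runaway-reaction scenario three ways: the original "high" consequence, the revised toxic-cloud consequence, and the revised scenario with the analog mimic added. The names of the two alarm safeguards, the Scenario and Safeguard classes, and the "low", "medium" and "very high" rows of the risk table are assumptions; "high" giving SL 2 and "very-very high" giving SL 4 are the values the article states.

```python
"""Worked Security PHA Review (SPR) evaluation of the runaway-reaction scenario.

Added example (not from the article or from Kenexis): encodes the SPR
steps as a function and runs it three ways: original consequence,
revised (toxic-cloud) consequence, and with the analog mimic added.
The alarm-safeguard names, the Scenario/Safeguard classes and the
'low', 'medium' and 'very high' rows of the risk table are assumptions;
'high' -> SL 2 and 'very-very high' -> SL 4 are the values the article gives.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional

# Tolerable-risk criteria in the style of figure 7.  Only the 'high' and
# 'very-very high' rows are stated in the article; the rest are constructed.
TOLERABLE_RISK_TABLE = {
    "low": 0,             # assumed
    "medium": 1,          # assumed
    "high": 2,            # from the article
    "very high": 3,       # assumed
    "very-very high": 4,  # from the article
}


@dataclass(frozen=True)
class Safeguard:
    name: str
    hackable: bool  # True if the safeguard depends on a programmable device


@dataclass(frozen=True)
class Scenario:
    description: str
    initiating_event: str
    initiating_event_hackable: bool
    safeguards: List[Safeguard]
    consequence: str


def required_security_level(scenario: Scenario) -> Optional[int]:
    """Return the SL this scenario drives, or None for 'no requirements'.

    SPR logic as described in the text: the scenario only counts toward the
    SL if the initiating event can be hacked AND every safeguard can be
    hacked; then the consequence category is looked up in the risk table.
    """
    if scenario.consequence not in TOLERABLE_RISK_TABLE:
        raise ValueError(f"unknown consequence category: {scenario.consequence!r}")
    if not scenario.initiating_event_hackable:
        return None
    if any(not s.hackable for s in scenario.safeguards):
        # An attacker cannot defeat a safeguard with no programmable element,
        # so the scenario cannot be completed through the ICS.
        return None
    return TOLERABLE_RISK_TABLE[scenario.consequence]


# Safeguards from the worksheet; the two alarm descriptions are assumed.
OPERATOR_ALARM_1 = Safeguard("operator response to low-flow alarm (DCS)", hackable=True)
OPERATOR_ALARM_2 = Safeguard("operator response to high-temperature alarm (DCS)", hackable=True)
SIF_UZC_207 = Safeguard("SIF UZC-207 in PLC-based SIS", hackable=True)
ANALOG_MIMIC = Safeguard("analog mimic of UZC-207 (thermocouple/relay)", hackable=False)

BASE_SCENARIO = Scenario(
    description="loss of flow -> runaway reaction, fire on loss of containment",
    initiating_event="flow control loop failure (DCS)",
    initiating_event_hackable=True,
    safeguards=[OPERATOR_ALARM_1, OPERATOR_ALARM_2, SIF_UZC_207],
    consequence="high",
)
REVISED_SCENARIO = replace(
    BASE_SCENARIO,
    description="same scenario, toxic cloud with multiple off-site fatalities",
    consequence="very-very high",
)
MITIGATED_SCENARIO = replace(
    REVISED_SCENARIO,
    description="revised scenario with analog mimic added",
    safeguards=REVISED_SCENARIO.safeguards + [ANALOG_MIMIC],
)


def run_spr(scenarios: Optional[List[Scenario]] = None) -> Dict[str, Optional[int]]:
    """Evaluate each scenario; values are an SL integer or None ('no requirements')."""
    scenarios = scenarios or [BASE_SCENARIO, REVISED_SCENARIO, MITIGATED_SCENARIO]
    return {s.description: required_security_level(s) for s in scenarios}


if __name__ == "__main__":
    for desc, sl in run_spr().items():
        label = "no requirements" if sl is None else f"SL {sl}"
        print(f"{desc}: {label}")
```

The third result is the point of the analog mimic: once one safeguard cannot be hacked, the scenario drops out of the SL selection entirely instead of driving an SL 4 target the plant cannot realistically meet.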

Protecting the process industry

Process industry plants contain hazards that can have very severe consequences if a loss of containment occurs. Process industry design engineers have dozens or even hundreds of years of experience in protecting these facilities. Many of the safeguards that have been designed to protect process plants were developed years before computers even existed, and thus are inherently safe against cyberattack.

When properly employed at the required locations, these safeguards can make a process plant inherently safe against cyberattack. Application of these safeguards in the required locations can be performed in a thorough and systematic fashion through an SPR study. This process involves going through the process hazard analysis reports that have already been completed for a process plant and reviewing each scenario. The review involves considering the cause and safeguards to determine if they can be hacked. If so, and if the consequence is significant, then the plant should employ a safeguard that is inherently safe against cyberattack.

The SPR process for determining the required SL of an ICS is in its infancy, but it is being adopted very rapidly. It is being adopted rapidly because the process is simple and obvious to process safety practitioners once it is explained and the rationale for undertaking the additional study steps is defined.

About the Author
Edward M. Marszal, PE, is president and CEO of Kenexis. He has more than 20 years of experience in the design of instrumented safeguards, such as SIS and fire and gas systems. Marszal is an ISA Fellow, former director of the ISA safety division, and co-author of the ISA book Safety Integrity Level Selection. He is an ISA84 expert.


A version of the article originally was published at InTech magazine.

Why You Must Incorporate Safety and Cybersecurity Standards Into Your Automation Design

This article was written by Marty Edwards, managing director of the Automation Federation.


I have said it before and I will say it again. There are simple steps that must be taken now to make your automation systems more resilient to the inevitable cyberattack.

Attackers have now breached the next bastion of the safety envelope of a plant environment and influenced the operation of a safety system. It is important to state upfront that in this case the system detected the fault and went to a failsafe state just as it is supposed to do. But it will not be very long until attackers successfully modify the logic in these systems to accomplish their nefarious objectives. When it comes to safety instrumented systems (SIS), the most important part of the cybersecurity puzzle is understanding and securing access to the system, both from a physical and a cyber perspective.

Ask yourself: Who potentially could gain access to the system? (For good or for evil)

The recent attack intended to manipulate the safety system of an unidentified plant, and the attackers leveraged two significant access control weaknesses in the system. These are implementation or design weaknesses, not vulnerabilities in hardware or software components – so don’t expect the vendor to fix these; that is your job and your job alone!

  1. The physical key-switch on the SIS controller was left in the PROGRAM mode. I can’t say much more: If you leave the keys in the car someone will steal it. Place controllers in RUN mode as soon as configuration logic is changed, and regularly verify their position via walkdown.
  2. The attacker gained remote access to the SIS engineering workstation to deploy the attack tool. This means that the workstation was not only connected to the SIS controller network, but was also able to communicate to the outside world via another network. The SIS environment should be appropriately isolated and operate independently from the basic process control system (BPCS).
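The two weaknesses above translate directly into checks a plant can run against its own walkdown sheets and asset inventory. The following is an added example (not from the article or from the Automation Federation) that checks a constructed set of records for (1) any SIS controller whose key-switch is not in RUN or whose last walkdown is older than an assumed 30-day interval, and (2) any engineering workstation that has an interface in the SIS zone and another interface in any other zone, which is the dual-homed condition that gave the attacker a path in. Controller tags, hostnames, dates, zone names and the 30-day interval are all constructed.

```python
"""Access-control checks for an SIS, derived from the two weaknesses above.

Added example, not part of the article.  A walkdown sheet and asset
inventory are constructed inline and checked against two rules:
  1. every SIS controller key-switch is in RUN, verified by a walkdown no
     older than an assumed 30 days;
  2. no workstation with an interface in the SIS zone has an interface in
     any other zone (no dual-homed engineering workstations).
Tags, hostnames, dates and zone names are constructed.
"""
from datetime import date, timedelta
from typing import Dict, List

MAX_WALKDOWN_AGE = timedelta(days=30)  # assumed verification interval
SIS_ZONE = "sis"                       # assumed zone name in a zones-and-conduits model

# Constructed records in the shape a walkdown sheet and inventory might hold.
CONTROLLERS = [
    {"tag": "SIS-CTRL-01", "key_switch": "RUN",     "last_walkdown": date(2024, 3, 1)},
    {"tag": "SIS-CTRL-02", "key_switch": "PROGRAM", "last_walkdown": date(2024, 3, 1)},
    {"tag": "SIS-CTRL-03", "key_switch": "RUN",     "last_walkdown": date(2023, 12, 1)},
]
WORKSTATIONS = [
    {"host": "sis-ews-01", "interfaces": [{"name": "eth0", "zone": "sis"}]},
    {"host": "sis-ews-02", "interfaces": [{"name": "eth0", "zone": "sis"},
                                          {"name": "eth1", "zone": "plant-lan"}]},
    {"host": "dcs-ews-01", "interfaces": [{"name": "eth0", "zone": "bpcs"}]},
]


def check_controllers(controllers: List[Dict], today: date) -> List[str]:
    """Rule 1: key-switch position and walkdown currency for each SIS controller."""
    findings = []
    for c in controllers:
        if c["key_switch"] != "RUN":
            findings.append(f"{c['tag']}: key-switch in {c['key_switch']}, return to RUN")
        if today - c["last_walkdown"] > MAX_WALKDOWN_AGE:
            findings.append(f"{c['tag']}: walkdown overdue (last {c['last_walkdown']})")
    return findings


def check_workstations(workstations: List[Dict]) -> List[str]:
    """Rule 2: a host attached to the SIS zone must be attached to nothing else."""
    findings = []
    for w in workstations:
        zones = {i["zone"] for i in w["interfaces"]}
        if SIS_ZONE in zones and zones != {SIS_ZONE}:
            others = ", ".join(sorted(zones - {SIS_ZONE}))
            findings.append(f"{w['host']}: SIS workstation also attached to {others}")
    return findings


def audit(controllers=CONTROLLERS, workstations=WORKSTATIONS,
          today: date = date(2024, 3, 10)) -> List[str]:
    """Run both rules and return the combined list of findings."""
    return check_controllers(controllers, today) + check_workstations(workstations)


if __name__ == "__main__":
    for finding in audit():
        print(finding)
```

Neither rule needs anything from the vendor: the key-switch position is read off the controller during the walkdown, and the interface-to-zone mapping is what a zones-and-conduits inventory already records.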

By leveraging safety design principles articulated in international safety standards such as IEC 61508/IEC 61511/ISA84, automation engineers can make informed decisions about the appropriate methods to isolate the safety functions from the BPCS functions. They also must ensure that separation exists in all phases of plant design, operation and maintenance. A common engineering system or a SIS engineering workstation that is interconnected to the plant network may violate these fundamental principles.

The cybersecurity standards created by ISA99 and now recognized globally as IEC 62443 lay out the process to safely segment and isolate key control system components through methods such as “zones and conduits.” Use defense in depth principles from ICS-CERT and utilize unidirectional gateway devices where required.

Some vendors will maintain they have proven that their integration of the BPCS and SIS, especially at the engineering workstation, conforms to and is consistent with these safety and cybersecurity standards. I urge you to ask hard questions, such as: what if an attacker gains complete control of the engineering environment? How does the system ensure that unauthorized changes to SIS logic cannot be made?

Technical reports on these attacks are available from Mandiant® FireEye® as TRITON and from Dragos® as TRISIS.

About the Author
Marty Edwards is managing director of the Automation Federation. Marty previously served as director of the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), an operational division of the National Cybersecurity and Communications Integration Center (NCCIC) in the Department of Homeland Security (DHS). He holds a diploma of technology in process control and industrial automation (magna cum laude) from the British Columbia Institute of Technology (BCIT), and in 2015 received its Distinguished Alumni Award. In 2016, Marty was recognized by FCW in its “Federal 100 awards” as being one of the top IT professionals in the federal government.
