How DeltaV does SIS security

Jim Montague

While cybersecurity of process control and automation systems is essential, cybersecurity of safety instrumented systems (SIS) is even more crucial. They are the last line of defense—and potentially the difference between safe operations and equipment damage, injury or fatalities. Fortunately, Emerson’s DeltaV distributed control system (DCS) and DeltaV SIS and their supporting software include many capabilities that can protect users, applications and facilities against cyber threats and attacks.

"Sometimes cybersecurity presentations are good about creating awareness, but fail to provide practical information about what to do, so we try to provide very specific examples about how to achieve a more defendable SIS," said Sergio Diaz, product marketing manager, DeltaV SIS, Emerson, who presented "Best practices for a cyber secure SIS" with Alexandre Peixoto, DeltaV product marketing manager, cybersecurity and network products, Emerson, at the 2019 Emerson Global Users Exchange in Nashville, Tennessee. "DeltaV has many built-in features that can prevent unauthorized changes in safety logic configuration as well as unauthorized downloads, bypasses and field device changes."

Security in context

Before addressing SIS security, Diaz stressed the importance of first understanding the overall context in which cybersecurity happens. The most notable of these concepts is "defense in depth," which is simply the practice of establishing multiple, independent protection layers so that a probe or intrusion has to defeat every one of them to succeed.

Common cybersecurity mechanisms in DeltaV and DeltaV SIS include:

  • Security information and event management (SIEM) for DeltaV;
  • Network security monitor;
  • Automated patch management;
  • Emerson Smart Firewall;
  • Backup and recovery;
  • Application whitelisting;
  • Endpoint security;
  • DeltaV Firewall-IPD (intrusion protection device);
  • Multi-factor authentication;
  • GPS time server;
  • Symantec ICS (industrial control system) protection; and
  • Industrial network firewall.

On the other side of the cybersecurity equation, five common threats to an SIS include:

  • Changes to its offline configuration in the database;
  • Unauthorized downloads;
  • Online changes that could impact safety logic, such as to a trip limit;
  • Unauthorized bypasses; and,
  • Unauthorized device configuration changes.

"If there's a probe of an SIS like this, it's more than likely malicious, and it can shut down systems and/or cause major consequences," said Diaz.

Counter measures for secure logic

To use defense-in-depth principles to protect an SIS, Diaz provided a series of recommendations:

  • To prevent offline modifications in safety logic, give users just enough privileges to perform their tasks, and use DeltaV keys to define the scope of each user. Next, prevent remote attacks by enforcing physical presence, and requiring users to have a smart card and a PIN to log into the system.
  • To prevent unauthorized downloads, Diaz advises requiring additional approvers, who must authorize software modules before they can be downloaded. DeltaV can accommodate up to five approvers. Following modification, modules become unauthorized again, and can't be downloaded again until re-approved.
  • DeltaV also has a physical presence method for preventing downloads, which requires that the CHARMs Smart Logic Solver (CSLS) be physically unlocked before any download is accepted. Locking the CSLS key switch blocks downloads, decommissioning, debug mode and HART write commands. In DeltaV version 14, the CSLS unlock is time-limited (it relocks automatically), the lock also blocks certain online changes, and the same lock can be applied with the SZ controller's key switch.
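The interaction between approvers, configuration changes and the key switch is easier to see in code. The following is an added illustrative model, not Emerson's or DeltaV's implementation: it binds each approval to a hash of the module's configuration so that any later edit silently invalidates the approvals, and it refuses a download unless enough approvals match the current content and the (simulated) logic solver key switch is unlocked. The module name, tag values, the two-approver policy and the `LogicSolver` class are assumptions made for the example.

```python
"""Illustrative model of 'additional approver' download control.

Added example, not DeltaV code. Approvals are tied to a digest of the
module's content, so a modification after approval makes the module
unauthorized again until it is re-approved, as the text describes.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass
class SafetyModule:
    name: str
    config: str                     # serialized safety logic; any edit changes the digest
    required_approvals: int = 2     # assumed site policy (DeltaV supports up to five)
    approvals: dict = field(default_factory=dict)   # approver -> digest that was approved

    def digest(self) -> str:
        return hashlib.sha256(self.config.encode()).hexdigest()

    def approve(self, approver: str) -> None:
        # An approval is only meaningful for the exact content that was reviewed
        self.approvals[approver] = self.digest()

    def modify(self, new_config: str) -> None:
        # Old approvals are kept for the audit trail but no longer match the content
        self.config = new_config

    def is_authorized(self) -> bool:
        current = self.digest()
        valid = [a for a, h in self.approvals.items() if h == current]
        return len(valid) >= self.required_approvals


class LogicSolver:
    """Hypothetical stand-in for a logic solver with a physical key switch."""

    def __init__(self) -> None:
        self.unlocked = False   # set only by turning the key locally
        self.audit = []

    def download(self, module: SafetyModule, user: str) -> bool:
        if not self.unlocked:
            self.audit.append(f"DENY {module.name}: solver locked ({user})")
            return False
        if not module.is_authorized():
            self.audit.append(f"DENY {module.name}: module not authorized ({user})")
            return False
        self.audit.append(f"ALLOW {module.name} downloaded by {user}")
        return True


def demo() -> list:
    """Walk through the sequence from the text; tag and values are constructed."""
    m = SafetyModule("PSHH-101", "trip_limit=120 psig")
    solver = LogicSolver()
    results = []
    m.approve("alice")
    m.approve("bob")
    results.append(solver.download(m, "eng"))   # False: key switch locked
    solver.unlocked = True
    results.append(solver.download(m, "eng"))   # True: approved and unlocked
    m.modify("trip_limit=150 psig")             # edit after approval
    results.append(solver.download(m, "eng"))   # False: approvals are stale
    m.approve("alice")
    results.append(solver.download(m, "eng"))   # False: only one valid approval
    m.approve("bob")
    results.append(solver.download(m, "eng"))   # True: re-approved
    return results


if __name__ == "__main__":
    for line in LogicSolver().audit or []:
        print(line)
    print(demo())
```

Note that the key-switch check is evaluated before the approval check: a remote attacker who compromises every approver account still cannot download without someone turning the key at the cabinet, which is the "physical presence" layer the text describes.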

"A lot of mechanisms come together to give DeltaV robust cybersecurity," says Diaz. "User privileges, two-factor authentication, additional approvers, locking CSLS and physical presence are the defense-in-depth layers that protect DeltaV's safety logic and prevent unauthorized changes."

Peixoto added, "We usually ask 'what if' before adding a new defense-in-depth layer. If one ring is removed, our protections are weaker."

Disabling unauthorized bypasses

Sometimes it's necessary to bypass inputs in an SIS for updates and maintenance, but Diaz cautioned that allowing multiple bypasses in the same SIF isn't good practice because it effectively disables the SIF. He added that enforcing the restriction at the control system (DCS) level isn't good practice either; the best method is to handle bypasses in the logic solver itself.

Preventing multiple bypasses in DeltaV begins with a secure-design countermeasure: unchecking the "multiple bypasses are allowed" and "bypass permit not required to bypass" boxes in the software's Bypass Opts section. Once set, changing Bypass Opts requires either an authorized download or unlocking the logic solver.

Preventing bypasses in DeltaV can also be done by enforcing physical presence, in this case with a physical switch wired to an input. The switch must be in the right position before a bypass is allowed, which a remote attacker can't arrange. Operators can also remove the bypass permit, which removes any active bypass, even if there is no human-machine interface.

Authentication can prevent bypasses by requiring proper privileges and the entry of physical credentials to set a bypass. For added security, it's also possible to use two-factor authentication to enforce physical presence.

While one user can move the key switch and have enough privileges to set a bypass, an additional approver can also be required to prevent multiple bypasses. This second approver doesn't need SIS privileges, only approving privileges.

Enabling notifications in DeltaV is another way to counter unauthorized bypasses, and many types of alerts and alarms are available in its SIF Alerts section, which can tell users, for example, that equipment has been left in a less than secure state. These read-only alerts can also be sent to smartphones and tablets via DeltaV Mobile.

Finally, setting a timer, allowing bypasses to time out, and enabling automatic bypass removal are ways to keep bypasses from inadvertently being left active. For example, a certain bypass may only be allowed during a proof test; while it doesn't need a switch, the user must unlock the logic solver before setting the bypass permit for the proof test, which should last less than one minute.

In summary, physical presence, two-factor authentication, additional approver, notifications and automatic removal are the defense-in-depth layers in DeltaV that prevent unauthorized bypasses.
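The bypass rules above can be written down as a small state machine, which makes it easy to see how each layer fails closed. The following is an added example written for this page, not DeltaV's bypass logic: it models one SIF whose logic solver requires a permit switch in the bypass position, a strongly authenticated user with SIS bypass privilege, a second approver, at most one bypassed input per SIF, and a timer that removes a bypass automatically. The SIF and input tags, the 60-second limit and the user/approver dictionaries are constructed for the example.

```python
"""Illustrative logic-solver bypass enforcement.

Added example, not DeltaV code. It encodes the rules from the text:
permit required, permit needs physical presence plus privilege plus a
second approver, no multiple bypasses per SIF, automatic removal on timeout.
"""
from dataclasses import dataclass, field
from typing import Optional


class BypassDenied(Exception):
    """Raised when a bypass request violates a configured rule."""


@dataclass
class Sif:
    name: str
    inputs: tuple                     # input tags voted by this SIF
    max_bypass_time: int = 60         # seconds; assumed proof-test limit
    permit_switch_on: bool = False    # hardwired permit switch, only movable on site
    permit: bool = False
    bypassed: dict = field(default_factory=dict)   # tag -> seconds remaining
    alerts: list = field(default_factory=list)

    def set_permit(self, user: dict, approver: Optional[dict] = None) -> None:
        # Physical presence: a remote session cannot flip the permit switch
        if not self.permit_switch_on:
            raise BypassDenied("permit switch not in bypass position")
        # Least privilege plus strong authentication (smart card + PIN in DeltaV,
        # modelled here as an 'authenticated' flag)
        if not (user.get("sis_bypass") and user.get("authenticated")):
            raise BypassDenied("user lacks SIS bypass privilege or strong authentication")
        # Additional approver: needs approving privilege only, not SIS privilege
        if approver is None or not approver.get("approve"):
            raise BypassDenied("second approver required")
        self.permit = True
        self.alerts.append(f"{self.name}: bypass permit set")

    def bypass(self, tag: str) -> None:
        if tag not in self.inputs:
            raise BypassDenied(f"{tag} is not an input of {self.name}")
        if not self.permit:
            raise BypassDenied("bypass permit not set")
        if self.bypassed:
            # Two bypassed inputs would defeat the voting and disable the SIF
            raise BypassDenied("another input already bypassed; multiple bypasses are not allowed")
        self.bypassed[tag] = self.max_bypass_time
        self.alerts.append(f"{self.name}: {tag} bypassed, {self.max_bypass_time}s remaining")

    def remove_permit(self) -> None:
        # Removing the permit also removes any active bypass, even without an HMI
        self.permit = False
        for tag in list(self.bypassed):
            del self.bypassed[tag]
            self.alerts.append(f"{self.name}: {tag} bypass removed (permit removed)")

    def tick(self, seconds: int) -> None:
        # Called every scan: bypasses left active simply time out
        for tag in list(self.bypassed):
            self.bypassed[tag] -= seconds
            if self.bypassed[tag] <= 0:
                del self.bypassed[tag]
                self.alerts.append(f"{self.name}: {tag} bypass auto-removed (timeout)")


def demo() -> list:
    """Exercise the rules with constructed users; returns the outcomes in order."""
    sif = Sif("SIF-201", ("PT-201A", "PT-201B", "PT-201C"))
    operator = {"sis_bypass": True, "authenticated": True}
    remote = {"sis_bypass": True, "authenticated": False}   # right privilege, no smart card
    approver = {"approve": True}
    out = []
    sif.permit_switch_on = True
    try:
        sif.set_permit(remote, approver)
        out.append("ok")
    except BypassDenied as e:
        out.append(str(e))                    # denied: no strong authentication
    sif.set_permit(operator, approver)
    sif.bypass("PT-201A")
    out.append(sorted(sif.bypassed))          # ['PT-201A']
    try:
        sif.bypass("PT-201B")
        out.append("ok")
    except BypassDenied as e:
        out.append(str(e))                    # denied: second bypass in same SIF
    sif.tick(61)
    out.append(sorted(sif.bypassed))          # []: auto-removed on timeout
    return out


if __name__ == "__main__":
    print(demo())
```

Every rule raises rather than silently ignoring the request, and every state change appends to `alerts`; in a real system those entries are what the SIF Alerts and SIEM layers consume, so an attacker who defeats one ring still leaves evidence in the next.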

Preventing field device changes

Another important SIS cybersecurity procedure is preventing changes in field devices. This is crucial because intruders and cyber attacks can change device configurations to disable a device; force a device signal to a constant value so it masks the real process reading; or tamper with the mA loop signal, for example by grounding it, to mask real readings in the same way.

"Most field devices are only monitoring processes and sending data to be managed," said Diaz. "However, if they allow ranges to be changed in processes, then changes in readouts and current are possible, and devices can be disabled to create hazards."

Diaz added that some of the most useful countermeasures for preventing field device changes include:

  • Lock the cabinets where DeltaV components are located;
  • Lock HART devices. HART 7 supports locking a device against secondary masters. This lock can be set from DeltaV Explorer, but it doesn't prevent the primary master from making changes;
  • Alert when a fixed signal occurs, but first consider the effect on logic and on maintenance work practices;
  • Alert when a disparity happens, such as in loop current, but again, think through the impact on logic and work practices;
  • Alert when a line fault occurs. While a common safety measure, such faults affect security, too;
  • Monitor configuration changes and alert when a change is detected; and,
  • Lock logic solvers, which also blocks HART write commands through them.

In short, physical presence, locking the logic solver, alerts, locking devices and physical security are the defense-in-depth layers in DeltaV that protect field devices.
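The three signal-level alerts in the list above (fixed signal, disparity, line fault) are simple enough to show end to end. The following is an added example, not DeltaV code: it runs the three checks over a constructed one-second trace for a single HART pressure transmitter whose loop current is read at the logic solver and whose digital PV is read over HART. The transmitter range, the ten-sample "fixed" window, the tolerances and the NAMUR NE43 fault band (below 3.6 mA or above 21 mA) are assumptions chosen for the example; the text's caveat applies, so tune them against the loop and against what maintenance actually does.

```python
"""Illustrative field-signal checks of the kind the text recommends.

Added example, not DeltaV code. Three checks over a constructed trace:
  * fixed signal: the mA value does not move for FIXED_WINDOW samples
  * disparity: analog mA disagrees with the HART digital PV
  * line fault: loop current outside the live band (NAMUR NE43 limits assumed)
"""
from dataclasses import dataclass

LRV, URV = 0.0, 200.0      # assumed transmitter range, psig (4 mA = LRV, 20 mA = URV)
FIXED_WINDOW = 10          # consecutive samples with no movement before alerting (assumed)
FIXED_TOL_MA = 0.005       # below normal loop noise (assumed)
DISPARITY_TOL_PCT = 2.0    # percent of span (assumed)
FAULT_LOW_MA, FAULT_HIGH_MA = 3.6, 21.0   # NE43 failure band


@dataclass(frozen=True)
class Sample:
    t: int           # seconds
    ma: float        # loop current measured at the logic solver input
    hart_pv: float   # digital PV read over HART


def ma_to_pv(ma: float) -> float:
    """Standard 4-20 mA scaling to engineering units."""
    return LRV + (ma - 4.0) / 16.0 * (URV - LRV)


def line_fault(s: Sample) -> bool:
    """Open loop, short to ground or device-signalled failure."""
    return s.ma < FAULT_LOW_MA or s.ma > FAULT_HIGH_MA


def disparity(s: Sample) -> bool:
    """Analog and digital readings disagree beyond tolerance.

    A faulted loop is reported by line_fault, not here, to avoid double alerts.
    """
    if line_fault(s):
        return False
    diff_pct = abs(ma_to_pv(s.ma) - s.hart_pv) / (URV - LRV) * 100.0
    return diff_pct > DISPARITY_TOL_PCT


def fixed_signal(samples: list, i: int) -> bool:
    """mA has not moved over the last FIXED_WINDOW samples ending at index i."""
    if i + 1 < FIXED_WINDOW:
        return False
    window = samples[i + 1 - FIXED_WINDOW: i + 1]
    values = [x.ma for x in window]
    return max(values) - min(values) <= FIXED_TOL_MA


def scan(samples: list) -> list:
    """Return (time, alert) pairs in the order a scan-based solver would raise them."""
    alerts = []
    for i, s in enumerate(samples):
        if line_fault(s):
            alerts.append((s.t, "LINE_FAULT"))
        if disparity(s):
            alerts.append((s.t, "DISPARITY"))
        if fixed_signal(samples, i):
            alerts.append((s.t, "FIXED_SIGNAL"))
    return alerts


# Constructed trace: healthy noise, then a frozen loop, then a HART/analog
# mismatch, then a grounded loop. Values are made up for the example.
SAMPLES = (
    [Sample(t, 12.0 + 0.02 * (t % 2), ma_to_pv(12.0 + 0.02 * (t % 2))) for t in range(10)]
    + [Sample(t, 12.0, 100.0) for t in range(10, 20)]   # mA frozen at 12.0 (100 psig)
    + [Sample(20, 12.0, 140.0)]                           # HART says 140 psig, loop still 12 mA
    + [Sample(21, 2.1, 100.0)]                            # loop pulled below 3.6 mA
)


if __name__ == "__main__":
    for t, kind in scan(SAMPLES):
        print(f"t={t:>3}s  {kind}")
```

The disparity check is the one that catches a stuck or spoofed analog signal while the device itself still reports correctly over HART, which is why it is worth the extra HART poll; the fixed-signal check fires on its own once the frozen value has persisted for the full window, so both alerts appear at t=20 in this trace.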

"It helps to remember that what makes sense for safety usually makes sense for cybersecurity." Emerson's Sergio Diaz discussed specific threats and appropriate countermeasures available in the DeltaV and DeltaV SIS environment.

Protecting the system

Once individual sets of defense-in-depth layers are established for logic solvers, bypasses and field devices, Diaz reported that each group can be further protected from malicious probes, intrusions and attacks by layers applied to the overall system and network. These include the usual cybersecurity measures of:

  • Segmenting networks, using managed Ethernet switches as the enforcement points;
  • Establishing whitelisting for authorized devices and users;
  • Enabling and updating antivirus software; and,
  • Maintaining firewalls between operations and enterprise areas.

"Safety instrumented systems are typically isolated, but defense-in-depth layers can be added on top as part of the cybersecurity for the larger system," added Diaz. "It also helps to remember that what makes sense for safety usually makes sense for cybersecurity. Also, using built-in features, such as those in DeltaV, leads to a more defendable SIS."