While cybersecurity of process control and automation systems is essential, cybersecurity of safety instrumented systems (SIS) is even more crucial. They are the last line of defense—and potentially the difference between safe operations and equipment damage, injury or fatalities. Fortunately, Emerson’s DeltaV distributed control system (DCS) and DeltaV SIS and their supporting software include many capabilities that can protect users, applications and facilities against cyber threats and attacks.
"Sometimes cybersecurity presentations are good about creating awareness, but fail to provide practical information about what to do, so we try to provide very specific examples about how to achieve a more defendable SIS," said Sergio Diaz, product marketing manager, DeltaV SIS, Emerson, who presented "Best practices for a cyber secure SIS" with Alexandre Peixoto, DeltaV product marketing manager, cybersecurity and network products, Emerson, at the 2019 Emerson Global Users Exchange in Nashville, Tennessee. "DeltaV has many built-in features that can prevent unauthorized changes in safety logic configuration as well as unauthorized downloads, bypasses and field device changes."
Security in context
Before addressing SIS security, Diaz stressed the importance of first understanding the overall context in which cybersecurity happens. Probably the most notable of these concepts is "defense in depth," which is simply the practice of establishing multiple protection layers to reduce the odds of cyber probes or intrusions succeeding.
Common cybersecurity mechanisms in DeltaV and DeltaV SIS include:
On the other side of the cybersecurity equation, five common threats to a SIS include:
"If there's a probe of an SIS like this, it's more than likely malicious, and it can shut down systems and/or cause major consequences," said Diaz.
Countermeasures for secure logic
To use defense-in-depth principles to protect an SIS, Diaz provided a series of recommendations:
"A lot of mechanisms come together to give DeltaV robust cybersecurity," said Diaz. "User privileges, two-factor authentication, additional approvers, locking CSLS and physical presence are the defense-in-depth layers that protect DeltaV's safety logic and prevent unauthorized changes."
Peixoto added, "We usually ask 'what if' before adding a new defense-in-depth layer. If one ring is removed, our protections are weaker."
Disabling unauthorized bypasses
Sometimes it's necessary to bypass inputs in an SIS for updates and maintenance, but Diaz cautioned that allowing multiple bypasses in the same SIF isn't good practice because it disables the SIF. He added that preventing multiple bypasses at the control system isn't good practice, and that the best method is to handle bypasses at the logic solver level.
Preventing multiple bypasses in DeltaV begins with an initial secure-design countermeasure: unchecking the "multiple bypasses are allowed" and "bypass permit not required to bypass" boxes in the software's Bypass Opts section. Once set, changing Bypass Opts requires either an authorized download or unlocking the logic solver.
Preventing bypasses in DeltaV can also be done by enforcing physical presence, in this case with a physical switch connected to an input. This switch must be in the right position before a bypass is allowed, which remote hackers can't arrange. Meanwhile, operators can remove bypass permits, which in turn removes the bypasses, even if there is no human-machine interface.
Authentication can prevent bypasses by requiring proper privileges and the entry of physical credentials to set a bypass. For added security, it's also possible to use two-factor authentication to enforce physical presence.
While one user can move a key switch and have enough privileges to set a bypass, an additional approver can also be required to prevent multiple bypasses. This second approver doesn't need SIS privileges, and only needs to be given approving privileges.
Enabling notifications in DeltaV is another way to prevent bypasses, and many types of alerts and alarms are available in its SIF Alerts section, which can tell users, for example, if equipment has been left in a less than secure state. These read-only alerts can also be sent to smart phones and tablet PCs via DeltaV Mobile.
Finally, setting a timer, allowing bypasses to time out, and enabling automatic bypass removal are ways to prevent bypasses from inadvertently being left active. For example, a certain bypass may only be allowed during a proof test, and while it doesn't need a switch, the user must unlock the logic solver before setting the bypass permit for the proof test, which should last less than one minute.
In summary, physical presence, two-factor authentication, additional approver, notifications and automatic removal are the defense-in-depth layers in DeltaV that prevent unauthorized bypasses.
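As an added illustration (not DeltaV's own code or the presenters' material), the following Python model applies the bypass layers described above to constructed requests: the permit and single-bypass options, a hardwired key switch for physical presence, privilege plus a second factor, an additional approver, and a timer with automatic removal. Class, field and tag names are hypothetical; the model also shows, as Peixoto's "what if" suggests, that dropping one ring lets a request through that the full policy would refuse.

```python
"""Added illustration (not DeltaV code): a toy model of the layered checks a
logic solver could apply before honoring a bypass. Class, field and tag names
are hypothetical; the layers are the ones described in the text."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class BypassPolicy:
    multiple_bypasses_allowed: bool = False   # the "multiple bypasses are allowed" box, unchecked
    permit_required: bool = True              # the "bypass permit not required" box, unchecked
    require_key_switch: bool = True           # physical presence via a hardwired input
    require_two_factor: bool = True
    require_second_approver: bool = True
    max_bypass_seconds: int = 60              # timer for automatic removal


@dataclass
class BypassRequest:
    sif: str                  # safety instrumented function, e.g. "SIF-101"
    tag: str                  # the input being bypassed, e.g. "PT-101A"
    user_privileged: bool     # requester holds the bypass privilege
    two_factor_ok: bool       # second factor presented
    approver_ok: bool         # additional approver confirmed (needs no SIS privilege)
    key_switch_on: bool       # hardwired switch in the bypass position
    permit_set: bool          # bypass permit granted beforehand


@dataclass
class LogicSolver:
    policy: BypassPolicy
    active: Dict[str, Dict[str, float]] = field(default_factory=dict)  # sif -> tag -> expiry
    alerts: List[str] = field(default_factory=list)                    # SIF alerts feed

    def expire(self, now: float) -> None:
        """Automatic removal: drop every bypass whose timer has run out."""
        for sif, tags in list(self.active.items()):
            for tag, expiry in list(tags.items()):
                if now >= expiry:
                    del tags[tag]
                    self.alerts.append(f"{sif}/{tag}: bypass removed automatically (timer)")
            if not tags:
                del self.active[sif]

    def request_bypass(self, req: BypassRequest, now: float) -> Tuple[bool, List[str]]:
        """Every unmet layer adds a reason; any reason denies the request."""
        p = self.policy
        self.expire(now)
        reasons = []
        if p.permit_required and not req.permit_set:
            reasons.append("no bypass permit")
        if p.require_key_switch and not req.key_switch_on:
            reasons.append("key switch not in bypass position")
        if not req.user_privileged:
            reasons.append("user lacks bypass privilege")
        if p.require_two_factor and not req.two_factor_ok:
            reasons.append("second factor missing")
        if p.require_second_approver and not req.approver_ok:
            reasons.append("additional approver missing")
        others = set(self.active.get(req.sif, {})) - {req.tag}
        if others and not p.multiple_bypasses_allowed:
            reasons.append(f"{req.sif} already has a bypass on {sorted(others)}")
        if reasons:
            self.alerts.append(f"{req.sif}/{req.tag}: bypass DENIED ({'; '.join(reasons)})")
            return False, reasons
        self.active.setdefault(req.sif, {})[req.tag] = now + p.max_bypass_seconds
        self.alerts.append(f"{req.sif}/{req.tag}: bypass set, expires in {p.max_bypass_seconds}s")
        return True, []

    def remove_permit(self, sif: str) -> int:
        """Operator pulls the permit: every bypass on that SIF goes with it."""
        removed = len(self.active.pop(sif, {}))
        if removed:
            self.alerts.append(f"{sif}: permit removed, {removed} bypass(es) cleared")
        return removed


def demo() -> dict:
    """Exercise the layers with constructed requests and return the outcomes."""
    solver = LogicSolver(BypassPolicy())
    full = dict(user_privileged=True, two_factor_ok=True, approver_ok=True,
                key_switch_on=True, permit_set=True)
    ok1, _ = solver.request_bypass(BypassRequest("SIF-101", "PT-101A", **full), now=0)
    # A second input of the same SIF would disable the SIF, so it is refused
    ok2, why2 = solver.request_bypass(BypassRequest("SIF-101", "PT-101B", **full), now=10)
    # Remote request with valid credentials but nobody at the key switch
    remote = dict(full, key_switch_on=False)
    ok3, why3 = solver.request_bypass(BypassRequest("SIF-102", "TT-102", **remote), now=20)
    # The same remote request against a policy with the key-switch ring removed
    weak = LogicSolver(BypassPolicy(require_key_switch=False))
    ok4, _ = weak.request_bypass(BypassRequest("SIF-102", "TT-102", **remote), now=20)
    solver.expire(now=61)                      # first bypass times out
    return {"first": ok1, "second_input": ok2, "second_reasons": why2,
            "remote": ok3, "remote_reasons": why3, "remote_weak_policy": ok4,
            "still_bypassed": sorted(solver.active.get("SIF-101", {})),
            "alerts": solver.alerts}


if __name__ == "__main__":
    for line in demo()["alerts"]:
        print(line)
```

Each denial reason corresponds to one ring; the alerts list stands in for the SIF Alerts feed the article mentions, so a denied or expired bypass is visible even when nobody is watching the HMI.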
Preventing field device changes
Another important SIS cybersecurity procedure is preventing changes in field devices. This is crucial because intruders and cyber attacks can change device configurations to disable device operations; make device signals constant, so they mask real process readings; and affect mA signals by placing a ground on the loop, again masking real readings.
"Most field devices are only monitoring processes and sending data to be managed," said Diaz. "However, if they allow ranges to be changed in processes, then changes in readouts and current are possible, and devices can be disabled to create hazards."
Diaz added that some of the most useful countermeasures for preventing field device changes include:
In short, physical presence, lock logic solver, alerts, locking devices and physical security are the defense-in-depth layers in DeltaV that protect field devices.
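The three manipulations the article names (re-ranging a device, forcing its output constant, grounding the loop) each leave a trace that simple checks can catch. The following Python is an added illustration and not DeltaV's own code; the NAMUR NE43 fault bands for a 4-20 mA loop (below 3.6 mA or above 21 mA) are a real convention, while the function names, tags and sample values are constructed.

```python
"""Added illustration (not DeltaV code): detection checks for the three field
device manipulations named above, run over constructed samples. Function
names, tags and sample values are hypothetical."""
from typing import Dict, List

# NAMUR NE43 convention for 4-20 mA loops: below 3.6 mA or above 21 mA signals
# a loop fault; a grounded or shorted loop typically drives the current there.
FAULT_LOW_MA = 3.6
FAULT_HIGH_MA = 21.0


def eu_to_ma(value: float, lo: float, hi: float) -> float:
    """Transmitter side: engineering units to loop current for its configured range."""
    return 4.0 + (value - lo) / (hi - lo) * 16.0


def ma_to_eu(ma: float, lo: float, hi: float) -> float:
    """Control system side: loop current back to engineering units for the range it assumes."""
    return lo + (ma - 4.0) / 16.0 * (hi - lo)


def check_config_drift(baseline: Dict[str, dict], current: Dict[str, dict]) -> List[str]:
    """Flag any device whose range or units differ from the approved baseline."""
    findings = []
    for tag, base in baseline.items():
        cur = current.get(tag)
        if cur is None:
            findings.append(f"{tag}: device missing from current scan")
            continue
        for key in ("range_lo", "range_hi", "units"):
            if cur.get(key) != base.get(key):
                findings.append(f"{tag}: {key} changed {base.get(key)!r} -> {cur.get(key)!r}")
    return findings


def check_loop_samples(tag: str, samples_ma: List[float], frozen_window: int = 10) -> List[str]:
    """Flag loop-fault currents and a signal that has stopped moving."""
    findings = []
    for i, ma in enumerate(samples_ma):
        if ma < FAULT_LOW_MA or ma > FAULT_HIGH_MA:
            findings.append(f"{tag}: sample {i} = {ma} mA outside 3.6-21 mA (loop fault, possible ground)")
            break
    # A live process signal carries noise; many identical consecutive samples
    # suggest the device output was forced constant.
    run = 1
    for i in range(1, len(samples_ma)):
        run = run + 1 if samples_ma[i] == samples_ma[i - 1] else 1
        if run == frozen_window:
            findings.append(f"{tag}: value frozen at {samples_ma[i]} mA for {frozen_window} samples")
            break
    return findings


def demo() -> dict:
    """Run the checks against constructed data and return the findings."""
    baseline = {"PT-101": {"range_lo": 0.0, "range_hi": 100.0, "units": "psi"}}
    # Device re-ranged to 0-200 psi while the control system still assumes 0-100
    tampered = {"PT-101": {"range_lo": 0.0, "range_hi": 200.0, "units": "psi"}}
    actual_psi = 50.0
    loop_ma = eu_to_ma(actual_psi, 0.0, 200.0)             # what the re-ranged device sends
    displayed_psi = ma_to_eu(loop_ma, 0.0, 100.0)           # what the operator sees
    noisy = [12.01, 11.98, 12.03, 11.99, 12.02]
    frozen = noisy + [12.0] * 10                             # output forced constant
    grounded = [12.0, 11.9, 0.0, 0.0]                        # loop current collapses
    return {
        "drift": check_config_drift(baseline, tampered),
        "actual_psi": actual_psi,
        "displayed_psi": displayed_psi,
        "frozen": check_loop_samples("PT-101", frozen),
        "ground": check_loop_samples("PT-102", grounded),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

The re-range case is the quiet one: nothing on the loop looks faulty, the operator simply sees 25 psi where the process is at 50 psi, which is why comparing device configuration against an approved baseline matters as much as watching the signal itself.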
"It helps to remember that what makes sense for safety usually makes sense for cybersecurity." Emerson's Sergio Diaz discussed specific threats and appropriate countermeasures available in the DeltaV and DeltaV SIS environment.
Protecting the system
Once individual sets of defense-in-depth layers are established for logic solvers, bypasses and field devices, Diaz reported that each group can be further protected from malicious probes, intrusions and attacks by layers applied to the overall system and network. These include the usual cybersecurity measures of:
"Safety instrumented systems are typically isolated, but defense-in-depth layers can be added on top as part of the cybersecurity for the larger system," added Diaz. "It also helps to remember that what makes sense for safety usually makes sense for cybersecurity. Also, using built-in features, such as those in DeltaV, leads to a more defendable SIS."