The benefits of integrated control and safety (ICS) systems include reduced infrastructure, increased productivity and shorter development time in a single programming environment. But it can introduce additional cybersecurity concerns to both sides, control and safety, and together one may create vulnerabilities in the other. Strong cybersecurity protection is possible for the entire system with the right forethought and planning. Here are some cybersecurity tips for implementing good standards in an ICS system.
1. Layers of logins protect access to both sides of the network.
“The vendors that I'm familiar with, the safety portion of a PLC is not accessible via a network connection manager to be on the local area connection or even directly plugged into the PLC to get to the safety portion of it,” says Mark Russel, tech application support manager, Allied Electronics & Automation (www.alliedelec.com). “There are going to be a bunch of different levels that you're going to have to have access to actually get to where you could change the logic. So even if you had a PLC that had access to the safety side from a network connection, you're behind several different levels of logins. And some of those logins are multi-access logins. There are a lot of different layers that we put on top of operational technology before it ever accesses an actual Internet connection.”
2. Control and safety integration puts an end to security through obscurity.
“Functional safety and cybersecurity have become increasingly intertwined. In fact, in 2017 TÜV Rheinland set up a new training program that focuses on the cybersecurity for industrial IT and follows the same concept as its functional safety training program,” says Christopher Woller, safety product manager, Beckhoff Automation (www.beckhoff.com). “While the benefits of fully integrating safety and standard controls are fantastic, the adage of ‘security through obscurity’ no longer applies, if in fact it ever did.”
3. Functional safety is static, while cybersecurity is a moving target.
“It should be noted that functional safety and IT security are different things,” says Noah Greene, product specialist, Phoenix Contact (www.phoenixcontact.com). “IT security looks at how the process or machine can be protected from bad actors, while functional safety looks at how persons can be protected from a machine or process. Also, the risks presented in functional safety tend to be static during the machine’s lifetime. For example, a spinning motor will always be a hazard. When it comes to IT security, the exploits and methods used to gain unauthorized access to systems are constantly changing.”
4. Remote support and troubleshooting can act faster during threats.
“The complications come down to cybersecurity attacks,” says Rudy de Anda, head of strategic alliances, Stratus. “If an integrated control and safety system is somehow connected, it is now open to the same cyber risk—this will be a target. Hackers can easily shut down safety systems, which puts employees at risk. On the other hand, the advantages are centered around remote support and troubleshooting. They can more easily identify any issues in the integrated safety system. To reap the benefits, facilities should deploy a rugged and layered cybersecurity protection system that protects operations and safety systems.”
5. Robust protection on the front end for the whole system can reduce infrastructure costs.
“If everything's housed in the same location and if you don't have robust protection on your distributed control system (DCS), then, by extension, the safety instrumented system (SIS) is compromised too, and that's obviously a very tricky task,” says John Binion, controls and automation engineer, Hargrove Controls & Automation (www.hargrove-epc.com). “If you do have robust protection on the front end, if you take the right precautions, it certainly reduces the cost of infrastructure.”