The stakes are high in process industry: everything moves fast, in large quantity, and exposed to a wide range of hazards. Cyber Security is now added into the industrial operations risks too, but it has been tough to address it given limited guidance and industry-wide standard.
If you are starting to include Cyber Security in your operations, you check this fundamental guideline for industrial practitioners to help you get off the ground. Once you have a good grip about the subject, and ready to integrate it with Functional Safety, there is a good news for you: The IEC 61511, as presented by Mr. Manuel Diez in a conference recently.
The hidden relation between Cyber Security and IEC 61511
The linkage between Functional Safety and Cyber Security was not so apparent in the past. The first edition of IEC 61511 has only mentioned cyber security risk “in the passing”, with plenty of room of interpretation to exclude it. In the second edition, the IEC 61511:2016, it is now stated clearly that “a security risk assessment shall be carried out to identify the security vulnerabilities of the safety instrumented system (SIS).”
With such clause, a security analysis similar to a safety analysis has to be carried out in your operations in order to ensure that the systems are not exposed to Cyber Security risks. In the big picture, Cyber Security is now officially a part of Functional Safety.
IEC 61511 is part of the answer for Industrial Cyber Security
Nonetheless, you cannot take IEC 61511 as a single, final answer for Cyber Security in your manufacturing plant. The main purpose of IEC 61511 remains to serve as a top-level standard for process industry. Specific reference to Cyber Security are covered in different specific standards.
For implementation of electronically secure Industrial Automation and Control Systems (IACS), the IEC 62443 will be your main reference. It covers the standards, technical reports, and related information that can aid end-users, system integrators, and control systems manufacturers throughout the lifecycle.
In a more specific subject of safety-related parts of control systems (SRP/CS), the ISO 13849 provides the guidance on the design –including software design– and integration of SRP/CS. It applies for all kinds of machinery regardless of the type of technology and energy used (electrical, hydraulic, pneumatic, mechanical, etc.).
What we can learn about Cyber Security from Functional Safety perspective
Cyber Security always about technology. It is enabled, and threatened by it at the same time, but in process industry, technology is just a part of Cyber Security. Equal emphasis should be placed into process and people.
One of the newly added clause in IEC 61511 second edition is "Persons, departments, organizations involved in safety life cycle activities shall be competent to carry out the activities for which they are accountable.” This requires Engineering knowledge, training, and experience appropriate to the process application to be addressed and documented when considering the competence involved in SIS safety life cycle activities. By widening the consideration to the people factor, you would be able to effectively mitigate additional risks which normally left unassessed.
For instance, tightening the system’s security protocol to an extreme level will reduce the exposure to cyber risk, but it will still not exhaust the risk mitigations, not to mention that it may hinder operational efficiency. On the other hand, a reasonable security protocol, added with the reinforcement on people factor, such as personnel training, would effectively reduce external risks (e.g. contact of work device in public network outside the manufacturing plant) and may give you a more robust system security.
This is part of the presentation made by Mr. Manuel Diez, TUV Rheinland expert in Functional Safety and Cyber Security, in Asia ICS Cyber Security Conference 2017 in Singapore. You can view the presentation from the section below.
- Get a copy of Mr. Manuel Diez's presentation on ‘Overview and Interpretation IEC 61511 Edition 2.0’ here.
- Read the summary of panel discussion on IT and OT in Asia ICS Cyber Security Conference 2017 here.
- Get a copy of the ‘Functional Safety meets Cyber Security’ Whitepaper here.
- Find out Cyber Security services that TÜV Rheinland offers, please visit our service page.
- Need help on Functional Safety and/or Cyber Security? Ask TÜV Rheinland.
- Keep up-to-date to changes in regulatory and standards by subscribing to our mailing list.