If you're responsible for a Safety Instrumented System (SIS) with Safety Integrity Level (SIL) rated functions, then you might be wondering where to start with cybersecurity standards for industrial automation and control systems (IACS). Read this blog to find out my personal take.
The recently updated process sector safety instrumented system (SIS) standard IEC 61511 edition 2 now requires that a "security risk assessment is carried out to identify security vulnerabilities of the SIS" [1]. But how should cybersecurity for industrial automation and control systems (IACS) be approached?
Security standards for the OT - SIS world
Distinguished authors in the safety and security domain have written extensively about the convergence of the IT (Information Technology) and OT (Operations Technology) worlds. As a great reference which makes things really clear, read the 2018 paper by Cusimano and Rostick [2] referenced at the end of this blog for more detail and background.
Suffice it to say for this blog, the OT world is the one that I'm most familiar with, and the "IT" subject of cybersecurity for industrial automation and control systems (IACS) has only been coming up as a topic of discussion in SIS projects since edition 2 of IEC 61511 was published.
There are three (3) cross-referenced security-related documents in IEC 61511-1 edition 2 clause 8.2.4, covering the subject of security risk assessment. These are:
- IEC 62443-2-1 (2010) [3]
- ISO/IEC 27001 (2013) [4]
- ISA TR84.00.09 (2017) [5]
As the topic is an evolving specialist area for the OT world of SIS, the IEC 61511 standard itself does not give very detailed background on how to approach things; hence the cross-references to other documents.
In my personal quest to discover more before updating an online training course on SIS, I have to say that each of the cross-referenced documents have a different bias which is not fully apparent until one delves further.
The first thing to note is the publication date of each document. The most recent 2017 document is almost definitely the most directly applicable in the short term - especially to someone from an OT background. With this in mind, I'll deal with them briefly in date order, from the oldest to the most recent.
OT Security standard IEC 62443
IEC 62443-2-1 (2010) is aimed at industrial cybersecurity, but is not specific to SIS or process applications.
IEC 62443-2-1* is one a series of 13 parts aimed at various different levels of detail for industrial cybersecurity. It is aimed at OT, but this specific part deals with "Policy, Procedure, Practice and Personnel"; dealing with how in general to establish an industrial automation and control system cyber-security management system (CSMS). The part actually referenced in IEC 61511 does not deal with the specifics of conducting a cyber-security risk assessment. In the 62443 series, the likely most relevant for risk assessment is still in draft form (as of January 2019).
*UPDATE Note: IEC 62443-3-2 [6] is now published, as of September 2020. The standard is aimed at security for industrial automation and control systems, and the scope is "security risk assessment for system design".
IT Security standard IEC 27001
The ISO/IEC 27001 (2013) standard is firmly rooted in the IT world. This does not make it irrelevant to people in OT disciplines, but it does mean that anyone with an automation, electrical, control or instrumentation bias would probably be better spending their time referring to other reference sources. This recommendation is simply because the relevant security aspects have already been picked out by others and re-presented in the OT context.
ISO/IEC 27001 (2013) is an IT standard.
SIS Security Technical Report by ISA
If, like me, you are already familiar with the functional safety life-cycle of IEC 61511, then you will probably be immediately more at ease with the content of the ISA TR84.00.09 (2017) Technical Report, published by ISA [5].
ISA TR84.00.09 (2017) is a document of around 115 pages, so not exactly light, but it is organised in a way that will be familiar to SIS practitioners; by adding cybersecurity activities to each stage of the functional safety life-cycle of an SIS.
ISA TR84.00.09 (2017) is aimed at Cybersecurity and the SIS Safety Life-cycle.
The document states that it incorporates requirements from IEC 61511 and several other related process safety documents, plus the IEC 62443 series of standards. As such, ISA TR84.00.09 (2017) would seem to be the most complete and up to date reference source for anyone looking to build in security measures in addition to an existing SIS safety life-cycle.
REFERENCES
[1] IEC 61511: Functional safety of safety instrumented systems for the process industry sector. This standard is now variously known as IEC 61511 edition 2:2016 or BS EN 61511:2017 in UK and ISA 61511 in the USA.
[2] If it isn't SECURE it isn't SAFE, John Cusimano & Paul Rostick, AIChE paper, April 2018.
[3] IEC 62443-2-1: Industrial communication networks - Network and system security - Part 2-1: Establishing an industrial automation and control system security program.
[4] ISO/IEC 27001 (2013): Information Security Management (ISMS).
[5] ISA TR84.00.09 (2017): Cybersecurity Related to the Functional Safety Lifecycle.
[6] IEC 62443-3-2 (2020): Security for industrial automation and control systems, Part 3-2: Security risk assessment for system design.