Safety instrumented systems and security standards
If you're responsible for a Safety Instrumented System (SIS) with Safety Integrity Level (SIL) rated functions, then you might be wondering where to start with cybersecurity standards for industrial automation and control systems (IACS). Read this blog to find out my personal take.
The recently updated process sector safety instrumented system (SIS) standard IEC 61511 edition 2 now requires that a "security risk assessment is carried out to identify security vulnerabilities of the SIS" . But how should cybersecurity for industrial automation and control systems (IACS) be approached?
Security standards for the OT - SIS world
Distinguished authors in the safety and security domain have written extensively about the convergence of the IT (Information Technology) and OT (Operations Technology) worlds. As a great reference which makes things really clear, read the 2018 paper by Cusimano and Rostick  referenced at the end of this blog for more detail and background.
Suffice it to say for this blog, the OT world is the one that I'm most familiar with, and the "IT" subject of cybersecurity for industrial automation and control systems (IACS) has only been coming up as a topic of discussion in SIS projects since edition 2 of IEC 61511 was published.
There are three (3) cross-referenced security-related documents in IEC 61511-1 edition 2 clause 8.2.4, covering the subject of security risk assessment. These are:
- IEC 62443-2-1 (2010) 
- ISO/IEC 27001 (2013) 
- ISA TR84.00.09 (2017) 
As the topic is an evolving specialist area for the OT world of SIS, the IEC 61511 standard itself does not give very detailed background on how to approach things; hence the cross-references to other documents.
In my personal quest to discover more before updating an online training course on SIS, I have to say that each of the cross-referenced documents have a different bias which is not fully apparent until one delves further.
The first thing to note is the publication date of each document. The most recent 2017 document is almost definitely the most directly applicable in the short term - especially to someone from an OT background. With this in mind, I'll deal with them briefly in date order, from the oldest to the most recent.
OT Security standard IEC 62443
IEC 62443-2-1 (2010) is aimed at industrial cybersecurity, but is not specific to SIS or process applications.
IEC 62443-2-1* is one a series of 13 parts aimed at various different levels of detail for industrial cybersecurity. It is aimed at OT, but this specific part deals with "Policy, Procedure, Practice and Personnel"; dealing with how in general to establish an industrial automation and control system cyber-security management system (CSMS). The part actually referenced in IEC 61511 does not deal with the specifics of conducting a cyber-security risk assessment. In the 62443 series, the likely most relevant for risk assessment is still in draft form (as of January 2019), but will eventually be published as IEC 62443-3-2 - Security risk assessment for system design.
*Note: According to the IEC website (January 2019), IEC 62443-2-1 is due for re-publishing in April 2020.
IT Security standard IEC 27001
ISO/IEC 27001 (2013) is an IT standard.
The ISO/IEC 27001 (2013) standard is firmly rooted in the IT world. This does not make it irrelevant to people in OT disciplines, but it does mean that anyone with an automation, electrical, control or instrumentation bias would probably be better spending their time referring to other reference sources. This recommendation is simply because the relevant security aspects have already been picked out by others and re-presented in the OT context.
SIS Security Technical Report by ISA
ISA TR84.00.09 (2017) is aimed at Cybersecurity and the SIS Safety Life-cycle.
If, like me, you are already familiar with the functional safety life-cycle of IEC 61511, then you will probably be immediately more at ease with the content of the ISA TR84.00.09 (2017) Technical Report, published by ISA .
ISA TR84.00.09 (2017) is a document of around 115 pages, so not exactly light, but it is organised in a way that will be familiar to SIS practitioners; by adding cybersecurity activities to each stage of the functional safety life-cycle of an SIS.
The document states that it incorporates requirements from IEC 61511 and several other related process safety documents, plus the IEC 62443 series of standards. As such, ISA TR84.00.09 (2017) would seem to be the most complete and up to date reference source for anyone looking to build in security measures in addition to an existing SIS safety life-cycle (advice most relevant at the time of this blog in January 2019).
In a short blog, it is not possible to elaborate on all the detail in ISA TR84.00.09 (2017), but a few aspects caught my eye which may help anyone looking for an initial overview:
- Following a very similar life-cycle approach to IEC 61511, the ISA TR84.00.09 document outlines cybersecurity requirements for management (including cybersecurity assessment and audit), risk assessment, requirements specification, design and implementation, engineering, FAT, installation, commissioning and validation, and finishes with operation and decommissioning.
- Conceptually, the document is also written to meet the US NIST (National Institute of Standards and Technology) Framework which outlines five cybersecurity steps labelled Identify, Protect, Detect, Respond and Recover.
- There are quite a number of new (at least to OT practitioners) security terms to get to grips with. These are not that tricky to follow given the clear descriptions in the definitions section. Standardised terms should help with making reports on cybersecurity much more uniform and simple to follow.
- One important term is Security Level (SL), defined on a scale of SL 0 (no specific requirements or security protection) to SL 4 (the highest level of requirement and security protection).
- Security Level (SL) is rather helpfully further categorized to make it clearer what is being talked about: SL-T (Security Level Target), SL-C (Capability) and SL-A (Achieved). In practice this will mean a cybersecurity risk assessment should be looking at defining SL-T, an SIS system vendor should hopefully be able to help with defining SL-C, and a cybersecurity vulnerability assessment should be able to estimate SL-A once countermeasures have been designed and adopted.
- There are various helpful "sub life-cycles" which indicate inputs, procedures and outputs at each major phase of activity; Assess, Design & Implement, Operate and Maintain. For an end user/operator of SIS not undergoing any SIS modification, the first and last of these sub life-cycles would be the most applicable to get to grips with.
- Annex A provides example network cybersecurity architectures and then compares these with typical architecture resilience to cyber attack. This annex could be helpful for comparison once a network architecture has been determined for an existing or new system.
- Annex B provides a proposed outline procedure for high level and detailed level cyber risk assessments which should be useful to end users with existing systems that need initial cyber risk assessment, or Cyber PHA as this document calls it.
- Annex C outlines cyber vulnerability assessment based upon IEC 62443-2-1 principles.
- Annex D provides an example cybersecurity level verification, including a sample risk matrix to use for cyber risk assessment.
- Annex E details some advisory cybersecurity metrics which should be relatively practical to implement for end users with existing systems. These cover measuring aspects such as user successful/rejected access attempts which could provide early warning of threats to an SIS.
- Annex F provides some expectations that manufacturers should provide as a cybersecurity manual for their system or product.
- Annex G has various tables listed outlining typical countermeasures.
 IEC 61511: Functional safety of safety instrumented systems for the process industry sector. This standard is now variously known as IEC 61511 edition 2:2016 or BS EN 61511:2017 in UK and ISA 61511 in the USA.
 If it isn't SECURE it isn't SAFE, John Cusimano & Paul Rostick, AIChE paper, April 2018. https://www.aesolns.com/news-resources/white-papers/cybersecurity-white-papers/
 IEC 62443-2-1: Industrial communication networks - Network and system security - Part 2-1: Establishing an industrial automation and control system security program.
 ISO/IEC 27001 (2013): Information Security Management (ISMS).
 ISA TR84.00.09 (2017): Cybersecurity Related to the Functional Safety Lifecycle.