Reader Comment 10-20-10 Safety as Security

Andrew Ginter, who writes the Control System Security Blog, posted an interesting comment on yesterday’s blog on how Stuxnet could be used against high-risk chemical facilities. The comment addresses a number of good detailed points, all worth reading, but one of the most interesting is summed up in one very important sentence:

“Safety systems need to start being evaluated from an adversary's perspective: is there a set of components, which if destroyed or caused to malfunction simultaneously, can cause a catastrophe?”

As facilities take detailed looks at their security plans and procedures it will quickly become apparent that many of the security actions that facilities take will be closely related to safety procedures that are already in place. The reason for this is fairly obvious, the release of hazardous materials into the environment is the ultimate goal of both programs. Safety programs are designed to prevent accidental releases and security programs are designed to prevent deliberate releases.

From a control system perspective, Andrew points out a very important point; “The worst consequence that a worm, or even an insider with access to the control system, should be able to produce is denial-of-service: triggering a safety shutdown.” But, this will only be true if it is not possible for the same cyber system attack to affect both the safety systems in place in the facility and the control systems.

Upper management needs to have this clearly explained to them. At one facility where I worked the computer safety systems and the standard control system were installed on the same computer, using the same control system software. Engineering had requested a separate control system for the safety systems, but corporate management deleted that system from the budget, noting that the current control system had more than enough capacity to handle both systems.

We designed in some manual safety protections into our processes, including manually locking out valves for chemicals that could present reactive hazards for the process. But it is hard to keep such operator-centric safety processes operational; it requires aggressive auditing. Unfortunately we could not come up with such manual processes to back-up all of the cyber safety controls.

As many writers have pointed out safety is an attitude as much as it is a program. The same is true for security. All of the safety programs or security programs mean little if there is not a facility wide attitude that these programs are important and should not be shortcut under any circumstances. When the twin attitudes of safety and security are present in a facility team, the interactions between these two programs will reinforce both.