Joe Weiss has an interesting blog post, Why SOCs are not comprehensive enough for ICS cyber security, over on ControlGlobal.com. At first glance, it is a re-working of a common complaint of Joe's, the inability to initially differentiate between control system errors and cyber-attacks, a very important problem in the process industries. But Joe also points out a very real need to coordinate safety, physical security and cybersecurity activities in the process environment. And that is worth serious discussion.
Joe and I have talked about this on more than a couple of
occasions. We both got into the cybersecurity world via the process side of
operations; Joe in nuclear power plant engineering and me as a manufacturing
process chemist. For both of us, process safety was an important consideration
in everything we did.
Safety Reviews
A key tool that we both have used (under a variety of names) is the process hazard analysis, or PHA. In the chemical industry, this is a structured review of the chemical manufacturing process that walks through it one manufacturing step at a time to identify all of the things that can go wrong.
While techniques vary, each step of the process is looked at in turn. A team of individuals (representing the various areas of expertise involved in a modern manufacturing environment) looks at each process variable (temperature, mixing, pressure, ingredient addition, etc.) to determine what would happen if the variable deviated from its intended value. If the consequence raises a safety issue, the potential causes of the deviation are identified and compensating controls are specified to prevent it. As the potential consequences get worse, the team is required to identify more mitigation measures.
One of the variables that is always included in these reviews is operator error. When there is an extensive process history available (these PHAs are periodically re-done, even if no changes are made to the process), then each of the operator errors that have occurred in the past is specifically included when the appropriate portion of the process is reviewed. Otherwise, the team (which always includes at least one operator and an operations supervisor) looks at what types of operator errors might be expected to be made.
The one operator error that is almost never included is a deliberate attempt by the operator to sabotage the process. This is because it is almost impossible to mitigate this type of 'operator error'. The only effective mitigation is the implementation of a two-man rule, where an operation can only be triggered by operating two physically separated controls nearly simultaneously. This is very expensive (both in engineering and manpower) and is used in only the most extreme situations.
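The timing logic behind such a two-man rule is simple but has two edge cases worth getting right: the same control actuated twice must not count as two people, and an actuation must not be reusable once it has released an operation. The following is an added example, not code from Joe's post or from any product; the station names and the five-second window are assumptions, and it says nothing about the physical wiring that makes the two inputs genuinely independent.

```python
"""Two-man rule with a simultaneity window (added example, not from the post).

A protected operation is released only when two distinct, physically separated
controls (station names below are assumptions) are actuated within `window_s`
seconds of each other. Each actuation is consumed once: after a release the
stored actuations are cleared, so a stale actuation cannot pair a second time.
"""
from typing import Dict, Iterable, Optional, Tuple


class TwoManRule:
    def __init__(self, stations: Iterable[str], window_s: float):
        if len(set(stations)) < 2:
            raise ValueError("need at least two distinct stations")
        self.stations = frozenset(stations)
        self.window_s = window_s
        self._last: Dict[str, float] = {}  # station -> time of its latest actuation

    def actuate(self, station: str, t: float) -> Optional[Tuple[str, str]]:
        """Record an actuation at time t (seconds).

        Returns the pair of stations that released the operation, or None if
        no release happened. A repeat from the same station only refreshes its
        own timestamp; it never pairs with itself.
        """
        if station not in self.stations:
            raise ValueError(f"unknown station {station!r}")
        self._last[station] = t
        for other, t_other in self._last.items():
            if other != station and 0 <= t - t_other <= self.window_s:
                self._last.clear()  # consume both actuations
                return tuple(sorted((station, other)))
        return None


if __name__ == "__main__":
    # Assumed stations: a control-room pushbutton and a field-mounted one.
    rule = TwoManRule(["CR-1", "FIELD-7"], window_s=5.0)
    for station, t in [("CR-1", 100.0), ("CR-1", 102.0), ("FIELD-7", 106.0), ("FIELD-7", 107.0)]:
        print(station, t, rule.actuate(station, t))
```

Note that the window is measured from the most recent actuation of the other station, so a second press of the same button extends the chance to pair but never satisfies the rule alone, and the stored actuations are dropped on release so the next operation needs two fresh actuations.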
An item that is always included in the list of things that can go wrong is the failure of a piece of process equipment. Pumps, valves, sensors and actuators can all fail, and Father Murphy is well known to all process professionals. Common mitigation measures include routine calibration, inspection and scheduled preventive maintenance of process equipment. In situations where equipment failure has the most extreme consequences, a common technique is to have parallel processing capability installed so that the failed piece of equipment can be bypassed automatically or by simple operator action. Where critical sensors are a concern, multiple and independent sensors are installed and allowable output variations are established.
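The "multiple and independent sensors with allowable output variations" arrangement is the one piece of PHA machinery that also produces evidence a security team can use, so it is worth seeing what the voting logic actually does and does not tell you. The following is an added example, not code from the post or from any control system vendor: the transmitter tags PT-101A/B/C, the 0.5 bar tolerance and the sample readings are all constructed for illustration. The voter flags which channel disagrees and whether a trustworthy value remains; on its own it cannot say whether the disagreeing channel failed or was tampered with, which is exactly the gap Joe's post is about.

```python
"""Redundant sensor voting with an allowable-variation band.

Added example, not code from the original post. Three independent
transmitters (tag names PT-101A/B/C and the tolerance are assumptions)
measure the same process variable. The middle value is used as the process
value; any channel outside the allowed variation from that middle value is
flagged. Two agreeing channels still give a usable value (alarm for
investigation); fewer than two leaves no trusted value (fail safe / trip).
"""
from dataclasses import dataclass
from statistics import median
from typing import Dict, List, Optional, Tuple


@dataclass
class VoteResult:
    process_value: Optional[float]  # value handed to the control loop, None if none is trusted
    suspect: List[str]              # channels outside the allowed band
    trusted_count: int
    action: str                     # "normal", "alarm" or "trip"


def vote(readings: Dict[str, float], tolerance: float) -> VoteResult:
    """Mid-value select over three or more channels, with deviation checking.

    tolerance is the allowed absolute deviation of a channel from the median.
    """
    if len(readings) < 3:
        raise ValueError("need at least three independent channels to vote")
    mid = median(readings.values())
    suspect = sorted(tag for tag, v in readings.items() if abs(v - mid) > tolerance)
    trusted = len(readings) - len(suspect)
    if trusted == len(readings):
        return VoteResult(mid, [], trusted, "normal")
    if trusted >= 2:
        # the agreeing channels still give a trustworthy value; flag the rest
        good = [v for tag, v in readings.items() if tag not in suspect]
        return VoteResult(median(good), suspect, trusted, "alarm")
    # fewer than two channels agree with each other: no value is trusted
    return VoteResult(None, suspect, trusted, "trip")


def scan(series: List[Dict[str, float]], tolerance: float) -> List[Tuple[int, str, List[str]]]:
    """Run the voter over a time series; report (tick, action, suspect) each time the action changes."""
    events: List[Tuple[int, str, List[str]]] = []
    last = None
    for t, readings in enumerate(series):
        r = vote(readings, tolerance)
        if r.action != last:
            events.append((t, r.action, r.suspect))
            last = r.action
    return events


# Constructed sample: pressure in bar from three transmitters on one vessel.
SAMPLE_SERIES = [
    {"PT-101A": 10.0, "PT-101B": 10.1, "PT-101C": 9.9},   # all agree
    {"PT-101A": 10.0, "PT-101B": 10.1, "PT-101C": 9.9},
    {"PT-101A": 10.0, "PT-101B": 10.1, "PT-101C": 12.5},  # C steps away: alarm, A/B still used
    {"PT-101A": 10.0, "PT-101B": 10.1, "PT-101C": 12.6},
    {"PT-101A": 10.0, "PT-101B": 14.0, "PT-101C": 12.6},  # two channels disagree: trip
]
TOLERANCE_BAR = 0.5

if __name__ == "__main__":
    for tick, action, suspect in scan(SAMPLE_SERIES, TOLERANCE_BAR):
        print(f"t={tick}: {action} suspect={suspect}")
```

The event list from `scan` is the hand-off point between the two disciplines: the alarm at the first disagreement is a maintenance work order from the safety side and, at the same time, the earliest indicator a security analyst has that one channel is reporting something the others do not.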
Security Reviews
Industry has been slower to conduct formal physical security reviews of their facilities. Until 9-11, most such reviews (nuclear power generation facilities excepted) were primarily directed at inventory shrink more than at preventing attacks on the facility. Since 9-11 that has changed, and more attention has been paid to preventing terrorist attacks and stopping active shooter situations.
Most physical security reviews (there has not been the level of standardization of security reviews that we have seen with safety reviews) focus on identifying critical portions of the facility, positing what standard attack scenarios are expected, and then putting controls in place to deter, delay and detect such events. As in safety reviews, a physical security review increases the mitigation measures employed as the potential consequences (or the probability) of attack increase.
Formal cybersecurity reviews for the process industries are
much less common and seem (from the limited data that I have seen) to focus on
vulnerability management (patching) and access controls. We are just starting
to see implementation of tools to actively monitor process controls to detect
intrusions.
Linking Safety and Security
Safety and security have very similar purposes in the
process industry, prevention of unintended consequences, particularly hurtful
consequences. In very many ways they are two sides of the same coin. Safety
protects against random system failures and security prevents system failures
caused by deliberate actions. Understanding the potential consequences of any
given system failure allows for prioritization of costs and efforts.
Security folks need to have representation on the PHA teams.
Not so much for their contributions to safety (though that is an obvious
benefit), but so that they can truly understand the critical portions of the
process environment. If they understand what the key safety components of the
control system are, they may be able to plan a more effective defense-in-depth
that provides additional security against intrusion (or more quickly identifies
intrusion) into those critical parts of the control system.
Likewise, safety people and process people need to be represented on the security reviews, both physical and cyber (if those are done separately). Their input will be necessary to understand how security measures will impact operations and safety. Planning for a police response to an active shooter incident at a facility handling flammable materials will require careful consideration of safety issues. Allowing for multiple (and contemporaneous) operator logons to control systems may be necessary. These are just two of the possible operations and safety considerations that need to be accounted for in a security review.
Protecting facilities from incidents that impact operations
or the local community is the goal of both safety and security managers. Close
cooperation between the two and with the operations team is something that has
to take place for all three teams to succeed in supporting a successful
business.