Emerson’s Sergio Diaz and Alexandre Peixoto presented Best Practices for a Cybersecure SIS at the 2019 Emerson Exchange conference. Sergio opened that the goal of this presentation is to provide practical information to maintain a more defendable security posture for safety instrumented systems (SISs).
As with control systems, defense in depth is an important concept for an SIS: it starts with plant-level security and work practices and extends down to system-level defenses.
Sergio used a two-out-of-three (2oo3) safety instrumented function (SIF) for a high-pressure shutdown as an example of how to provide layered defenses. One threat is a change to the offline configuration. Another is an online change that moves the pressure setpoint into a dangerous region. Another is an unauthorized download to change the logic or to change the three pressure sensor devices.
For the offline configuration change, the first step is to grant access privileges only to those qualified and trained to make changes. Use DeltaV keys to define the scope of each user and provide just enough privileges for users to perform the tasks they are authorized to perform. Physical presence is enforced by requiring a smart card and PIN to log into the system to make changes; this step prevents changes from being made remotely.
The next step is to prevent the offline configuration from being downloaded to the SIS logic solver. One security step is to add an approver who must be logged into the system to approve the download before it can occur. The next layer of protection is a software lock on the logic solver, which prevents downloads, decommissioning, debugging and HART write functions from interrupting operation. A layer on top of that is to require physical presence to turn a physical key before any changes can be made.
A key has its own challenges, since anyone physically present can turn it, or it can be accidentally left unlocked. Sergio described combining a physical lock with a software lock that relocks automatically to add levels of security that address these challenges.
Depth includes user privileges, two-factor authentication, additional approvals, locking the logic solver, and physical presence to make any changes.
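The download gate described above, modelled as an added Python example (not Emerson's or DeltaV's code): each defense layer is checked independently, and the software lock relocks automatically so that a physical key left turned does not keep the solver writable. The privilege names, the `RELOCK_SECONDS` window and the session fields are assumptions for the model.

```python
from dataclasses import dataclass
from typing import Optional

RELOCK_SECONDS = 600  # assumed automatic relock window; not a value from the talk

@dataclass
class Session:
    user: str
    privileges: frozenset             # scope assigned via DeltaV keys, e.g. {"sis_download"}
    smartcard_pin_ok: bool = False    # smart card + PIN at the console proves physical presence
    remote: bool = False              # a remote session never counts as physically present
    def present(self) -> bool:
        return self.smartcard_pin_ok and not self.remote

@dataclass
class LogicSolver:
    key_turned: bool = False                 # physical key position (True = unlocked)
    sw_unlocked_at: Optional[float] = None   # when the software lock was last released
    approved_by: Optional[str] = None        # approver who authorised the pending download
    def approve(self, approver: Session) -> bool:
        # The approver must be logged in, physically present and hold approval rights.
        if not approver.present() or "sis_approve" not in approver.privileges:
            return False
        self.approved_by = approver.user
        return True
    def software_unlock(self, session: Session, now: float) -> bool:
        # Releasing the software lock itself requires presence and the unlock privilege.
        if not session.present() or "sis_unlock" not in session.privileges:
            return False
        self.sw_unlocked_at = now
        return True
    def software_locked(self, now: float) -> bool:
        # Automatic relock: the unlock lapses after RELOCK_SECONDS even if the key is left turned.
        return self.sw_unlocked_at is None or now - self.sw_unlocked_at > RELOCK_SECONDS

def download_denials(session: Session, solver: LogicSolver, now: float) -> list:
    """Return the layers that block a download to the logic solver; empty means allowed."""
    failed = []
    if "sis_download" not in session.privileges:
        failed.append("privilege")
    if not session.present():
        failed.append("physical_presence")
    if solver.approved_by is None or solver.approved_by == session.user:
        failed.append("approval")  # a separate approver is required; no self-approval
    if not solver.key_turned:
        failed.append("physical_key")
    if solver.software_locked(now):
        failed.append("software_lock")
    return failed
```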
Alexandre then discussed safety system bypasses, which are part of the requirements when proof testing or performing maintenance. Each loop can have bypass options that can be permitted or denied. For example, multiple bypasses can be denied unless a bypass permit has been approved. Physical presence can be enforced for this approval. Another layer is to make sure the user performing the bypass has the required privileges, and to use two-factor authentication in addition to physical presence. Another layer is to raise a safety instrumented function alert when a bypass is made so that operators are aware of it. This alarm can be targeted to just the operations and maintenance staff who need to know that the bypass has been made.
As these layers are added, convenience is traded off for security. To sum up, the layers of protection around bypasses include physical presence, two-factor authentication, an additional approver, notifications and automatic bypass removal.
Alexandre also highlighted the layers of defense for the logic solver I/O, sensors and final control elements in the safety instrumented function. Physical security is very important. For HART 7 devices used in the SIF, a secondary master cannot make any changes—only the single primary master can, and the DeltaV system can be this primary master. Alerts can be generated for disparities, line faults, and detected configuration changes. Another layer is to lock the logic solver so that HART communications cannot be used to make changes to the devices.
All these layers of defense are in addition to network segmentation, whitelisting, anti-virus and other cybersecurity measures outlined for basic process control systems.