The Rocky Relationship between Safety and Security

 

An industry practice reflected in the international safety standards (e.g. IEC 61508) is the requirement for independence among the multiple protection layers on an industrial site: "…the EUC control system shall be independent from the E/E/PE safety-related systems and other risk reduction measures…". However, even the first generation of digital safety systems (Electronic/Programmable Electronic Systems) had communication ports supporting open protocols (e.g. Modbus RTU) in order to provide diagnostics and other information relevant to the operation of the process (the equipment under control, EUC).
 
Users have connected (interfaced) safety systems to the BPCS since the mid-1980s and have aimed for tighter connectivity at least since 1995. These efforts were based on proprietary protocols until the adoption of open network protocols and Windows on industrial control systems increased their connectivity to business systems and, at the same time (at least in theory), exposed them to the same issues (viruses, cyber attacks, etc.).
 
This paper discusses the methods used to ensure that the integration between the safety system and the BPCS does not compromise functional independence, and defines best practices for securing an industrial system, and in particular its safety systems, in this integrated environment.