Module 3: Implementation Guide

Safety System Integration


Cybersecurity must integrate with, not impede, safety functions in energy operations.

Safety vs. Security

Safety Systems

Purpose: Protect people, the environment and equipment from process hazards

Approach:

  • Fail-safe design
  • Redundancy and diversity
  • Physical separation from control systems
  • Automatic protective actions

Security Systems

Purpose: Protect systems and data from cyber threats

Approach:

  • Access controls and authentication
  • Network monitoring and detection
  • Defense-in-depth
  • Incident response

Potential Conflicts

Security must not compromise safety:

  • Authentication delays in emergencies
  • Security updates causing safety system unavailability
  • Network segmentation blocking critical safety communications
  • Monitoring tools interfering with real-time safety functions

Safety Instrumented Systems (SIS)

What are SIS?

Independent protection systems that:

  • Monitor process conditions continuously
  • Automatically take protective action when limits are exceeded
  • Bring process to safe state
  • Operate independently of control systems

Safety Integrity Levels (SIL)

SIS are rated by reliability:

  • SIL 4: Highest (10^-5 to 10^-4 probability of failure on demand)
  • SIL 3: High (10^-4 to 10^-3)
  • SIL 2: Medium (10^-3 to 10^-2)
  • SIL 1: Lower (10^-2 to 10^-1)

Higher SIL requires more rigorous cybersecurity.

ISO 27019 Safety System Requirements

Network Separation

SIS must be on a separate network:

  • Physically separated from control network
  • No direct connections to corporate IT
  • Unidirectional monitoring only (if any connection)
  • Dedicated engineering access (not shared with control systems)

Access Control

Keep the set of personnel with SIS access minimal:

  • Only certified safety engineers
  • Multi-person authorization for changes
  • Physical and logical access controls
  • Emergency access procedures documented

Change Management

Rigorous safety-appropriate processes:

  • Safety impact assessment for all changes
  • Testing appropriate to SIL level
  • Independent verification
  • Functional safety expert approval
  • Management of change (MOC) procedures

The TRITON/TRISIS Wake-Up Call

What Happened (2017)

First-ever malware targeting safety systems:

  • Attacked Schneider Electric Triconex SIS at Saudi petrochemical plant
  • Attempted to modify safety logic
  • Goal was to cause catastrophic physical damage
  • Attack detected and plant shut down safely

Lessons Learned

  • Safety systems ARE targets for sophisticated attackers
  • "Safety through obscurity" is not sufficient
  • Need defense-in-depth for SIS
  • Monitoring and detection essential
  • Incident response must include safety scenarios

Hardening Safety Systems

Physical Security

  • Separate control rooms or locked cabinets
  • Tamper detection on enclosures
  • Serial ports locked or disabled
  • USB ports disabled or monitored
  • No wireless connections

Network Security

  • Air gaps where possible
  • Industrial firewalls if networked
  • Unidirectional gateways for monitoring
  • No remote access to SIS
  • Separate from SCADA and control networks
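The separation rules above (no corporate connections, unidirectional monitoring only, dedicated engineering access) are only as good as the checks that confirm traffic actually follows them. The following script is an added example, not part of the module, that reviews firewall or flow log lines against such a policy and flags any flow into the SIS segment that does not come from the dedicated engineering workstation, and any flow out of it that does not go to the one-way monitoring historian. The addresses, the "key=value" log format and the sample flows are constructed assumptions for the example; a real deployment would take them from the site's own network design.

```python
import ipaddress

# Constructed network policy for this example (assumption, not from the module):
# one SIS subnet, one dedicated engineering workstation outside it, one historian
# that may only RECEIVE data from the SIS, and a corporate IT range.
SIS_NET = ipaddress.ip_network("10.30.0.0/24")
ENG_WS = ipaddress.ip_address("10.30.1.10")      # dedicated SIS engineering workstation (hypothetical)
HISTORIAN = ipaddress.ip_address("10.20.0.50")   # historian fed one-way from the SIS (hypothetical)
CORP_NET = ipaddress.ip_network("10.0.0.0/16")   # corporate IT range (hypothetical)

# Constructed firewall/flow log lines in a simple key=value form.
SAMPLE_FLOWS = [
    "ts=2024-05-01T08:00:01Z src=10.30.0.5 dst=10.20.0.50 proto=tcp dport=5000 action=allow",  # SIS -> historian
    "ts=2024-05-01T08:05:12Z src=10.30.1.10 dst=10.30.0.5 proto=tcp dport=5000 action=allow",  # eng WS -> SIS
    "ts=2024-05-01T09:12:44Z src=10.0.4.22 dst=10.30.0.5 proto=tcp dport=5000 action=allow",   # corporate -> SIS
    "ts=2024-05-01T09:13:01Z src=10.20.0.50 dst=10.30.0.5 proto=tcp dport=5000 action=allow",  # historian -> SIS
    "ts=2024-05-01T10:00:00Z src=10.30.0.5 dst=10.30.0.6 proto=tcp dport=5000 action=allow",   # inside SIS
    "ts=2024-05-01T10:20:00Z src=10.30.0.5 dst=10.0.4.22 proto=tcp dport=443 action=allow",    # SIS -> corporate
]

def parse_flow(line):
    """Turn 'k=v k=v ...' into a dict; tokens without '=' are ignored."""
    fields = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields

def classify(flow):
    """Apply the separation policy to one flow and return a verdict string."""
    src = ipaddress.ip_address(flow["src"])
    dst = ipaddress.ip_address(flow["dst"])
    src_sis, dst_sis = src in SIS_NET, dst in SIS_NET
    if not src_sis and not dst_sis:
        return "not_sis"                       # outside scope of this check
    if src_sis and dst_sis:
        return "intra_sis"                     # SIS-internal traffic is expected
    if dst_sis:                                # something is talking INTO the SIS
        return "engineering_access" if src == ENG_WS else "violation:inbound_to_sis"
    # SIS talking outward: only the one-way monitoring path is permitted
    return "monitoring_egress" if dst == HISTORIAN else "violation:unexpected_egress"

def review_flows(lines):
    """Classify every parseable line; malformed lines are skipped rather than guessed at."""
    findings = []
    for line in lines:
        flow = parse_flow(line)
        if "src" not in flow or "dst" not in flow:
            continue
        findings.append({
            "ts": flow.get("ts", "?"),
            "src": flow["src"],
            "dst": flow["dst"],
            "verdict": classify(flow),
            "from_corporate": ipaddress.ip_address(flow["src"]) in CORP_NET,
        })
    return findings

def violations(lines):
    """Only the findings that break the separation policy."""
    return [f for f in review_flows(lines) if f["verdict"].startswith("violation:")]

if __name__ == "__main__":
    for finding in violations(SAMPLE_FLOWS):
        print(finding)
```

Flows tagged "engineering_access" are permitted but should still be reconciled against management-of-change records: engineering traffic to the SIS outside an approved change window is the kind of event the monitoring in this module is meant to surface.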

Authentication and Access

  • Multi-factor authentication
  • Role-based access (safety engineers only)
  • Multi-person authorization for critical actions
  • Session logging and monitoring
  • No shared accounts

Configuration Management

  • Offline secure baseline storage
  • Configuration change review by safety personnel
  • Version control for safety logic
  • Cryptographic verification of configurations
  • Change history audit trail
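The change-management controls (safety impact assessment, independent verification, functional safety approval) and the configuration-management controls above (offline baseline, cryptographic verification, audit trail) meet in one routine check: does the logic running on the SIS still match the baseline the safety expert approved? The script below is an added example, not code from the module or from any SIS vendor, that signs an approved baseline manifest (version, approver, per-file SHA-256 digests) with a key held only on the offline baseline store, later verifies the live logic against it, and emits an audit record. The logic file contents, key and names are constructed assumptions. It uses an HMAC for brevity; a site that wants verification hosts to hold no secret would sign the manifest with an asymmetric key instead.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed stand-ins for exported safety logic files (assumption, not real SIS content).
BASELINE_LOGIC = {
    "sif_101_high_pressure_trip.lgc": b"IF PT-101 > 85.0 THEN TRIP XV-101\n",
    "sif_102_high_level_trip.lgc":    b"IF LT-102 > 92.0 THEN TRIP P-102\n",
}

# Key kept on the offline baseline store only, never on the SIS or its engineering
# workstation (assumption for the example; the value here is a placeholder).
BASELINE_KEY = b"example-offline-baseline-key-do-not-reuse"

def digests(files):
    """Per-file SHA-256 digests, in a stable order so manifests compare cleanly."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in sorted(files.items())}

def _manifest_bytes(manifest):
    # Canonical JSON so the HMAC covers the same bytes on signing and verification.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()

def sign_baseline(files, key, version, approved_by):
    """Produce the approved baseline: version, functional-safety approver, digests, HMAC tag."""
    manifest = {"version": version, "approved_by": approved_by, "digests": digests(files)}
    tag = hmac.new(key, _manifest_bytes(manifest), hashlib.sha256).hexdigest()
    return {"manifest": manifest, "hmac": tag}

def verify_against_baseline(files, signed, key):
    """Check the manifest's own integrity first, then compare live digests to the approved ones."""
    expected_tag = hmac.new(key, _manifest_bytes(signed["manifest"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, signed["hmac"]):
        return {"ok": False, "reason": "baseline manifest failed integrity check", "drift": []}
    expected, actual = signed["manifest"]["digests"], digests(files)
    drift = []
    for name in sorted(set(expected) | set(actual)):
        if name not in actual:
            drift.append((name, "missing"))       # approved logic no longer present
        elif name not in expected:
            drift.append((name, "unexpected"))    # logic that was never approved
        elif expected[name] != actual[name]:
            drift.append((name, "modified"))      # approved logic changed
    return {"ok": not drift, "reason": "" if not drift else "drift from approved baseline", "drift": drift}

def audit_record(result, signed, checked_by):
    """One audit-trail entry; in practice appended to a store SIS engineers cannot edit."""
    return {
        "time": datetime.now(timezone.utc).isoformat(),
        "baseline_version": signed["manifest"]["version"],
        "approved_by": signed["manifest"]["approved_by"],
        "checked_by": checked_by,
        "result": "PASS" if result["ok"] else "FAIL",
        "reason": result["reason"],
        "drift": [f"{name}:{why}" for name, why in result["drift"]],
    }

if __name__ == "__main__":
    signed = sign_baseline(BASELINE_LOGIC, BASELINE_KEY, "v3", "functional-safety-lead")
    # Constructed drift: a trip setpoint changed on the live system outside MOC.
    live = dict(BASELINE_LOGIC)
    live["sif_101_high_pressure_trip.lgc"] = b"IF PT-101 > 95.0 THEN TRIP XV-101\n"
    result = verify_against_baseline(live, signed, BASELINE_KEY)
    print(json.dumps(audit_record(result, signed, "cyber-oncall"), indent=2))
```

A FAIL with "modified" drift is a safety event before it is a security event: the response is to route it to the safety personnel named in the baseline and treat the SIS as suspect until they have verified the logic, which is exactly the "independent verification by safety personnel" step in the recovery priorities later in this module.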

Incident Response Priorities

When a cybersecurity incident affects or could affect safety:

1. Safety First

  • Ensure all safety systems remain functional
  • If in doubt, bring process to safe state
  • Don't disable safety systems during incident response
  • Coordinate with safety personnel

2. Assess Impact

  • Are safety systems affected?
  • Can they still perform protective functions?
  • Is process currently in safe state?
  • What is risk of continuing operations?

3. Containment

  • Isolate affected systems WITHOUT compromising safety
  • Maintain safety system operation during containment
  • Use manual operations if control systems unavailable
  • Keep safety systems as last line of defense

4. Recovery

  • Verify safety system integrity before resuming operations
  • Test all safety functions before restart
  • Independent verification by safety personnel
  • Document safety implications in incident report

Integration with Safety Programs

Coordinate with Safety Team

  • Regular meetings between cyber security and functional safety teams
  • Joint training on cyber-physical risks
  • Shared understanding of safety system architecture
  • Collaborative incident response procedures

Document Integration

  • How cybersecurity supports safety objectives
  • Cybersecurity requirements in safety documentation
  • Cyber scenarios in safety analysis
  • Recovery procedures maintaining safety

Metrics and Monitoring

  • Safety system availability (cyber and non-cyber causes)
  • Cybersecurity incidents affecting safety systems
  • Near-misses (attempted but unsuccessful impacts)
  • Trending and continuous improvement

Next Lesson: OT-specific incident response procedures.
