The main goal of this chapter – and this book – is not to provide an extensive education on the engineering specifics of SISs, as many resources and publications already exist on this subject and have been available for some time. We will instead focus on what you need to understand about SISs within the context of cybersecurity, in order to allow you to grasp the ideas presented in this book without getting too caught up in the details.

SISs are deemed as the most critical barrier of plant process safety and the last prevention layer against process hazards. Usually, when combined with other engineering and administrative controls, a SIS provides a comprehensive set of safeguards and a layered protection approach as part of a plant’s safety philosophy to control risk to As Low As Reasonably Practicable (ALARP) or As Low As Reasonably Achievable (ALARA), taking into account social and economic factors. However, these measures are separate from those of a Basic Process Control System (BPCS), which is used for process control. This is the key differentiator between an SIS and a BPCS.

According to the International Electrotechnical Commission (IEC) definition, SISs are built to achieve three key objectives:

• To safely and gracefully (or partially) shut down a process when something goes wrong (i.e., a deviation from the norm)
• To let a process run when safe conditions are met
• To respond in a timely manner to prevent Emergency Shutdown (ESD), mitigate Fire and Gas (F&G), or minimize the consequences of a hazard

The term SIS typically consists of multiple elements. It includes, but is not limited to, sensors or detectors to monitor process conditions, logic solvers or controllers to process input signals, and final elements (such as valves or actuators) to perform operations and communication networks that facilitate the exchange of information. These components work together to ensure that the process remains within safe operating limits and to initiate an appropriate response when a safety-critical situation arises.

SIS elements

As depicted in the following illustration, an SIS consists of three key elements:

Figure 1.1 – SIS elements

Let’s discuss them further:

• Sensor: The sensors (or transmitters) are used to measure the process variable conditions and detect any hazardous conditions in the process.

  Here are some common types of SIS sensors used in process industries:

  • Pressure transmitters: Utilized to measure the pressure of gases or liquids in pipes or vessels
  • Temperature transmitters: Employed to gauge the temperature of liquids or gases in vessels or pipes
  • Level transmitters: Used to measure the level of liquid in tanks or vessels
  • Flow transmitters: Widely deployed to measure the velocity of liquids or gases in pipes
  • Gas detectors: Employed to ascertain the presence of hazardous gases in the environment, such as carbon monoxide and hydrogen sulfide
  • Flame detectors: Used to detect the presence of flames, such as those caused by a fire
  • Smoke detectors: Utilized to detect the presence of smoke, which can indicate the presence of a fire
  • Motion sensors: Used to detect the movement of equipment or materials in a process, and can help to identify potential hazards or abnormal conditions
• Logic solver: The logic solver is essentially the CPU of the SIS that receives input signals, applies safety logic, and generates output signals to control devices such as valves and actuators. It processes data and makes decisions to ensure the safe operation of a process or industrial plant.
• Final element: The final element of an SIS is a physical device such as an on/off valve or actuator. It receives output signals from the logic solver and executes the necessary actions to maintain the safety of the plant.

A safety function is part of a system that can have several subsystems and elements:

Figure 1.2 – Example of a system and subsystems

Like any complex system, an SIS can experience failures. There are several types of failures that can occur in an SIS, including the following:

• Random hardware failures: These are spontaneous failures at random times, which result from one or more possible degradation mechanisms in the hardware – for example, the aging of electronic components, mechanical failure of relays or solenoids, and so on.
• Software failures: SISs typically rely on software to perform complex calculations, monitor process data, and control final elements. Software failures can occur due to programming errors, memory leaks, or other issues.
• Systematic failures: These are when a pre-existing fault occurs under particular conditions and can only be eliminated by removing that fault by modification of the design, process, procedures, documentation, or other relevant factors.

  Examples of systematic failures could be a hidden fault in the design or implementation of software as well as hardware, an error in the design specifications, user manuals, procedures or security operational procedures (SOPs), and so on. It can occur in any lifecycle phase activity.

• Configuration errors: SISs must be carefully configured to ensure that they perform their intended functions correctly. Configuration errors can occur due to human error, deviations or derogations, misinterpretation of specifications, or as a result of changes made to the system that are not properly tested.
• Environmental factors: SISs can be impacted by environmental factors such as temperature, humidity, and vibration. For example, extreme temperatures can cause electronic components to malfunction, and vibrations can cause wires or other connections to become loose.
• Cybersecurity threats: SISs are increasingly integrated with a BPCS, which increases their attack surface and makes them more susceptible to cyber risks. This can affect both process integrity and system availability.

An SIS can operate in four distinct states that are defined by the state I/O signals originating from the system, as presented in the following table:

Table 1.1 – Different SIS states

Important note – deviations and derogations

Deviations typically refer to a departure from the standard performance or prescribed procedures of a system. In functional safety, for instance, a deviation could denote a failure in a safety function or system, resulting in the system not performing as intended. Such deviations could be due to individual component failures, system errors, or security weaknesses. Addressing these deviations necessitates investigating the root cause and devising corrective measures to bring the system back to its standard operating condition. In terms of cybersecurity, deviations could represent any unexpected or irregular activities that could potentially signify a breach or vulnerability threat that requires immediate investigation and remediation.

Derogations, on the other hand, represent a formal exemption from a standard or regulation. In the arena of ICS cybersecurity, derogations are often granted when it is impractical to adhere strictly to the standard or when alternative measures provide an equal or higher level of security. Typically, such derogations must be securely controlled, justified properly, and approved by relevant authority figures, ensuring they don’t compromise the overall integrity of the system. It’s important to note that derogations are not shortcuts or loopholes but are considered flexibilities within the regulatory framework, provided they don’t compromise the objective of the standard.

Both deviations and derogations hold immense significance for an ICS’s functional safety and cybersecurity. While managing deviations involves identifying, analyzing, and remediating unexpected occurrences, handling derogations involves ensuring any exemptions from standards maintain the requisite level of safety and security.

BPCS versus SIS

SISs are primarily designed to track and sustain the safety of the process and are typically passive and dormant for long periods of time. SISs wait to respond to system demands only when necessary. They use Safety Instrumented Functions (SIFs) to execute specific safety-related tasks such as Emergency Shutdown (ESD) and Fire and Gas (F&G).

Maintenance and diagnostics are essential in SISs to confirm that the system is functioning properly and reduce the need for manual tests. All SIS modifications after installation require strict compliance with the Management of Change (MoC) processes, as even the slightest alteration can have a significant impact.

On the other hand, BPCSs are very dynamic in nature with numerous changes. A BPCS provides oversight over the process with a range of digital and analog inputs and outputs that respond to logic functions, making it easier to detect any malfunctions or failures. However, these systems require frequent changes to ensure accurate process control. BPCSs typically consist of hardware and software components, including sensors, controllers, Human-Machine Interfaces (HMIs), and communication networks. BPCSs often use open standard protocols, such as Modbus and OPC, to communicate with other devices in the plant.

The following figure illustrates the typical components of BCPS and SIS and how they interact from a process perspective:

Figure 1.3 – BPCS versus SIS

SIS and BPCS have many similarities, yet their differences lead to different design, maintenance, and integrity requirements.

The implementation of cybersecurity for these systems varies significantly, yet both are susceptible to various threats, including malware, hacking, zero-days, Man-in-the-Middle (MitM) attacks, and human errors. Nevertheless, the ramifications of a successful SIS breach can be more severe than in BPCSs, as SISs are responsible for protecting the plant and its personnel from hazardous events. A compromised SIS can lead to the failure of safety functions and potentially catastrophic consequences, such as fires, explosions, and toxic releases. We will explore this further in the next chapter.

SIS applications – where are they used?

SISs are of paramount importance when it comes to protecting process safety. Process plants are beneficial as they can transform raw materials and ingredients into tangible products and goods as part of a complex supply chain. Unfortunately, the techniques used to conduct this conversion can trigger dangerous conditions that, if not efficiently controlled and properly contained, might cause major incidents or top events. Hazardous conditions may be present when dealing with combustible materials such as solids, liquids, gases, vapors, and dust.

In addition, administrative controls and safeguards should be used to address the control of risk.

SISs are deployed for many purposes in petrochemical facilities and pipelines and for other industry-specific needs. Examples of these systems include the following:

• ESD: This is a specialized form of control system, created to provide an extra layer of safety for high-risk areas such as oil and gas, nuclear power, and other potentially hazardous environments. Primarily, these systems serve to protect both personnel and the environment if process parameters exceed acceptable levels. By minimizing the potential damage from emergency scenarios such as uncontrolled flooding, the escape of hydrocarbons, and fire outbreaks, ESD systems provide an invaluable service.

  The following screenshot presents an example of an ESD system and its components:

Figure 1.4 – ESD system

The main purpose of ESD can be summarized as follows:

• ESD systems detect unsafe conditions and initiate a shutdown of the process to prevent potentially hazardous situations.
• ESD systems are equipped with sensors that monitor process parameters such as pressure, temperature, level, and flow. If any of these parameters exceed a predetermined limit, the system will initiate a shutdown of the process.
• ESD systems can also be used to activate safety alarms or to stop certain components of the process. This ensures that safety is maintained and potential hazards are avoided.

• High-Integrity Protection Systems (HIPSs): HIPSs are deployed to prevent Process Shutdown (PSD) from being affected by any of the destructive factors of overpressure, elevated temperatures, and high-level events. The valves in the HIPS are closed decisively to make the production line secure, and one set of triggers records the observed processes, the logic solver (controller) processes the data, and a few end elements take the safeguarding action by cutting down or stopping the pumps with valves or actuated pumps and circuit breakers that perform the closing (shutdown) operation.

  The HIPS serves as the ultimate protection system for the process, and often eliminates the need for pressure release, thereby tending to the environment and mitigating the risks linked to manual handling errors. It also calibrates the overconfidence (high level of trust) that engineers might sometimes have in Distributed Control Systems (DCSs) and ESD systems.

  Some of the most popular deployments of HIPSs include, but are not restricted to, the following:

  • High-integrity pressure protection systems
  • High-integrity temperature protection systems
  • High-integrity level protection systems
  • HIPS interlock systems

  The following illustration depicts a typical HIPS deployment for a subsea field environment:

Figure 1.5 – HIPS

• Burner Management System (BMS): This is typically employed to ensure the safe ignition and operation as well as the shutdown of industrial burners when required. This system can be found in many process industries including oil and gas, power generation, manufacturing, and chemical industries, that rely on flame-operated equipment such as furnaces, boilers, and the like. The system is able to keep track of flames with flame detectors, as well as manage igniters, burners, and other actuators such as shut-off valves.

  The majority of BMSs are designed with the aim of providing protection against potentially hazardous operating conditions and the admission of fuel that is not suitable. A BMS gives the user important status information and support, while additionally, if there is a hazardous condition, it can initiate a safe operating condition or a shutdown interlock.

  According to the National Fire Protection Association (NFPA) 85 Boiler and Combustion Systems Hazards Code, a BMS is a control system that is devoted to boiler furnace safety and operator support. This system assures the safe and efficient working of the boiler, thereby contributing to the safety of the facility as a whole.

  The chance of fire and hazards will increase significantly without a BMS in place. Organizations nowadays implement BMS in SIS to increase safety and system availability, as well as to remain compliant with sector regulations and the latest industry best practices.

  Figure 1.6 illustrates an example of a BMS and its various elements:

Figure 1.6 – BMS

A list of BMS components, including their functions, can be found in the following table:

Table 1.2 – BMS components and functions

It is no surprise that SISs play an essential role within process industries in guaranteeing the safety and dependability of critical operations. A few examples of where an SIS is required to aid in the safeguarding of people, equipment, and the wider environment include the following:

• Process safety in the chemical industry: The use of SIS in the chemical industry can be focused on Health, Safety, and Environmental (HSE) considerations, and mitigating the consequences of a major accident. For example, an SIS can be used to automatically shut down a process if a critical parameter exceeds a predetermined limit, thereby preventing a catastrophic incident.
• Power generation: An SIS can be used in power generation plants to protect critical equipment and processes, such as turbines, boilers, and generators. For example, an SIS can be used to automatically shut down a turbine or generator in the event of an abnormal condition, such as low oil pressure or high temperature, to prevent damage to the equipment and ensure safe operation.
• Transportation safety: An SIS can be used in transportation systems, such as railways and pipelines, to detect and mitigate hazardous conditions. For example, an SIS can be used to automatically apply the brakes on a train if it exceeds a certain speed limit or if it encounters an obstacle on the track, thereby preventing a potential collision.
• Offshore oil and gas production: An SIS can be implemented in oil and gas environments – including oil fields and offshore platforms – to protect personnel as well as assets from the hazards of explosive gases, fire, and other risks associated with the production process. For example, an SIS can be used to automatically shut down production in the event of a leakage of gas or fire to prevent an explosion or other catastrophic event.

In the next section, we will examine ICS cybersecurity as a new discipline in detail. We will also explore how the IT and engineering communities perceive ICS cybersecurity in their respective fields.

The term ICS is used in a broad sense to refer to programmable-based devices that are used to control, monitor, supervise, automate, or interact with assets used in continuous, discrete, and hybrid processes in manufacturing, infrastructure, and other commercial and industrial sectors.

At its heart, ICS cybersecurity is about both protecting industrial assets and recovering from system upsets that occur from electronic communications between systems, or between systems and people.

An ICS includes various components, such as the following:

• Distributed Control Systems (DCS)
• SIS
• HMIs
• Historians
• Supervisory Control And Data Acquisition (SCADA)
• Programmable Logic Controllers (PLCs)
• Remote Terminal Units (RTUs)
• Intelligent Electronic Devices (IEDs)
• Power Monitoring Systems (PMSs)
• Protection relays
• F&G
• ESD
• PSD
• BMS
• Building Control Management Systems (BCMSs)
• Electrical Network Monitoring Control Systems (ENMCSs)
• Alarm management systems
• Intelligent Asset Management Systems (IAMSs)
• Sensors and transmitters
• Valves
• Drives, converters, and so on

Establishing a secure baseline for an ICS can be a complex and wide-reaching process as this can cover software, hardware, and communications interfaces. These hardening parameters need to be defined, at the very minimum level, by the following:

• OS security
• Endpoint security
• Embedded device security
• Application software security
• Network security
• Access control (physical and logical)
• Anti-malware
• Security monitoring

Despite certain common attributes, ICS differs from the traditional IT systems that are widely deployed in office and enterprise networks. Historically, ICS implementations were heavily reliant on physical security and lacked interconnection with IT networks and the internet. However, as the trend toward ICS intertwining with IT networks intensifies, this creates a greater need to secure these systems from remote, external threats as well as against adversary and non-adversary threats such as disgruntled employees, malicious intruders, and malicious or accidental actions taken by insiders.

In relation to the CIA’s information security model, availability and integrity are given precedence over confidentiality for ICS. The ICS security model is therefore often referred to as an AIC model. In the meantime, reliability and safety remain top priority!

The following figure compares the priorities of the ICS security model with the IT information security model:

Figure 1.7 – An ICS versus an IT model

Let’s have a closer look at the definition of each element of the (S)AIC triad:

• Safety: The assurance from unacceptable risk.
• Availability: The ability of a system or asset to be accessed and used by an authorized user when required.
• Integrity: The assurance that a system or asset is accurate and complete. It also refers to the assurance that the system or asset can only be modified by an authorized user.
• Confidentiality: The assurance that a system or asset is only accessible to an authorized user and is kept secure from unauthorized access. It also refers to the assurance that information within the system or asset is only accessible to an authorized user.

The increasing convergence of business and plant floor systems, emerging standards such as the International Society of Automation’s ISA/IEC-62443 and the National Institute of Standards and Technology’s NIST 800-82 series, and emerging regulatory requirements in a number of countries, all point toward a growing awareness of the susceptibility of the modern industrial process to cybersecurity threats.

Considering the potentially dangerous safety consequences that can occur as a result of these failures, today’s plants need to clearly understand the actual risks – and how best to mitigate these risks – in order to maintain safe and reliable operations.

The potential implications of ICS security breaches encompass a wide range of damaging consequences that might include, but are not limited to, asset, financial, environmental, and reputational damage:

• Compromise and unauthorized disclosure of confidential data to the public
• Tampering of system reliability or integrity of process data and production information
• Loss of View (LoV) and Loss of Control (LoC)
• Process abuse and corruption that could bring about degraded process efficiency, poor product quality, diminished manufacturing capability, impaired process safety, or environmental release
• Damage to assets
• Health implications including injuries and fatalities
• Demeaned and negative reputation and public trust
• Breach of contractual and regulatory obligations (such as clients, partners, and regulators)
• Impact on national security and critical infrastructures

The following consequences have already occurred within ICS installations including SIS:

• Manipulation of process data or setpoints
• Unauthorized changes to commands or alarm thresholds
• Erroneous information being passed on to operators (loss or manipulation of view)
• Software or settings being tampered with and interference with safety systems, all of which could have far-reaching and potentially fatal consequences

How do IT and engineering communities perceive ICS cybersecurity?

The IT and engineering communities are increasingly aware of the need for ICS cybersecurity. As ICS become ever more connected and automated, they also open themselves up to greater risk of cyberattacks. To address this, both communities are now developing a range of solutions and working closely to protect these systems from emerging threats.

While both communities view ICS cybersecurity from different angles and perspectives – due in large part to the historical gap that exists between IT and ICS as well as differing priorities – they have come to recognize the need to bridge the gap in order to tackle the increasing challenges facing industrial facilities. As a result, a new discipline has emerged that combines the best of both engineering and cybersecurity practices.

For example, engineers are typically more focused on the physical process of an ICS, such as the hardware and software, while IT professionals are more concerned with the network and data security aspects.

A more comprehensive approach to ICS cybersecurity can be achieved by combining both engineering and IT practices. This includes both the physical and the digital components of the system to ensure that the assets are secure from cyber threats.

The following sections will dive into the distinct aspects of international standards for cybersecurity and safety.

Industry associations and governments have established various cybersecurity and functional safety standards in recent years, providing mandatory guidance and regulations for compliance. Furthermore, these standards are regarded as industry best practices for ensuring the safety and reliability of numerous process industries.

These standards are issued by the IEC, thus many countries have superseded their own national requirements and implemented these standards instead. This has provided substantial operational leverage for businesses with operations in multiple countries, as the global standards allow for a single standard to be applied throughout the organization.

This section will provide an overview of SIS-applicable standards with a brief description of the relevant security controls. For other functional safety requirements not outlined here, we recommend that you review the applicable IEC standards.

The IEC provides two renowned, widely used functional safety standards – IEC 61508 and IEC 61511:

• IEC 61508 is a general safety document from the IEC that provides an overarching framework for achieving functional safety in safety-related systems for many industries and applications. IEC 61508 is used as a foundation for sector-specific functional safety standards including IEC 61511, IEC 61513, ISO 26262, and IEC 62304.
• IEC 61511 is a dedicated standard that is primarily focused on process industries and is based on IEC 61508.
• IEC 62304 covers software safety classification, while ISO 26262 is about road vehicles’ functional safety.

The following diagram depicts the most widely used industry functional safety standards:

Figure 1.8 – Scope of IEC 61508 and IEC 61511

The scope of IEC 61508 and IEC 61511 can be described as follows:

• IEC 61511 – Functional safety – Safety Instrumented Systems for the Process Industry Sector

  IEC 61511 is a global norm prescribing requirements and guidance for the formation, execution, and operation of SIS for the process industries with a spotlight on the end users. The standard encompasses the overall safety lifecycle of an SIS, including cybersecurity requirements as a part of functional safety and risk management as stipulated by IEC 61508.

  In terms of safety and cybersecurity intersection, the IEC 61511 standard (edition 2) was amended in 2016, with clause 8.2.4 outlining the need for conducting a cybersecurity risk assessment to determine the presence of any potential security weaknesses or vulnerabilities on the SIS. To this end, users of the IEC 61511 standard are directed to seek guidance related to SIS security from the IEC 62443 standards and ISA TR84.00.09.

  IEC61511-1: 2016 edition 2 https://webstore.iec.ch/publication/24241 clause 8.2.4 mandates a thorough examination of security risks to pinpoint any vulnerabilities within the SIS. This assessment should encompass the following:

  • Defining the devices under scrutiny (including the SIS, BPCS, or any connected devices)
  • Identifying potential threats capable of exploiting vulnerabilities, leading to security breaches (ranging from deliberate attacks on hardware and software to inadvertent errors)
  • Assessing the potential repercussions of security breaches and estimating their likelihood
  • Addressing various project phases, including design, implementation, commissioning, operation, and maintenance
  • Determining any additional measures required to mitigate risks
  • Outlining the steps taken to mitigate or eliminate identified threats, or providing references to relevant information
• IEC 61508 – Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems

  IEC 61508 is a standard series of functional safety, which applies throughout the lifespan of Electrical, Electronic, and Programmable Electronic (E/E/PE) systems and products. This set of regulations encompasses parts of devices and equipment that perform automated safety characteristics; these components may include sensors, control logic, actuators, and microprocessors.

  The uniform technical approach mandated by IEC 61508 can be applied to all safety systems within the electronics and related software industries, regardless of sector. Not only does this horizontal standard target suppliers of safety systems but it can also be used to some extent by those that provide equipment for these safety systems. Furthermore, IEC 61508 sets out four different Safety Integrity Levels (SILs) to determine the success of a system in meeting its specified safety objectives. These SILs are dependent on the robust analysis of the potential risks and hazards of a device, as well as on the consequent likelihood and severity of any such hazard.

  Clause 7 of the standard, specifically titled Realization of the Safety Function, includes criteria for implementing safety functions in an SIS, as well as requirements and guidance for addressing cybersecurity risks. Therefore, although the IEC 61508 standard does not concentrate exclusively on cybersecurity, it does provide recommendations for mitigating cybersecurity risks in an SIS.

As for ICS cybersecurity, common ICS security-related standards include the following:

• ISA/IEC 62443 – Security of Industrial Automation and Control Systems

  The IEC 62443 series provides a structural foundation that encompasses the safety of Industrial Automation and Control Systems (IACSs) including SIS. This set of standards currently consists of 13 documents that address topics such as developing a proper IACS security program and system design requirements for securely integrating control systems. Additionally, ISA TR84.00.09 builds on the work of ISA99 for IEC 62443 and examines defensive measures to reduce the chance of a breach that may compromise the SIS’s performance. This technical report also furnishes criteria for warding off external and internal security threats and outlines ways to meet the requirements of IEC 61511.

  The following diagram provides an overview of the IEC 62443 standards series and key areas of focus:

Figure 1.9 – Structure of the IEC 62443 series

• NIST 800-82 – Guide to Industrial Control Systems (ICSs) Security

  SP 800-82 from the National Institute of Standards and Technology affords insight into enhancing the security of ICSs. This includes SCADA, DCS, and PLCs, while also handling their varied specifications as well as safety prerequisites. It offers an excursus on ICSs and their general system layouts, pinpoints potential threats, and prescribes countermeasures to cut down the related risks, including SIS. NIST 800-82 emphasizes the importance of risk management in ICS security by providing guidance on conducting risk assessments, identifying threats and vulnerabilities, and developing risk mitigation strategies.

• NRC regulation 5.71 – Cyber Security Programs for Nuclear Power Reactors

  The US Nuclear Regulatory Commission’s 10 CFR 5.71 regulation stresses the significance of cyber defense in the architecture and running of systems that are safety-critical. It requires licensees to build and execute digital safety-related systems with the highest levels of assurance, making sure that they are resilient to cyber intrusions that could jeopardize their safety functions. This regulation also mandates licensees to put cybersecurity programs into place that incorporate certain measures to both manage cyber threats and maintain system dependability and consistency in the long run.

  Revision 1 of NRC regulation 5.71 provides required guidance on Defense-in-Depth (DiD) practices based on international standards such as the NIST 800 series and International Atomic Energy Agency (IAEA) cybersecurity guidance. This version provides insight into concerns raised from cybersecurity reviews, trends in the industry, emerging legislations, and disruptive technologies as well as outreach programs including lessons learned from cybersecurity incidents.

• NEI 08-09 – Cyber Security Plan for Nuclear Power Reactors

  NEI 08-09 is a high-level security plan (or strategy) with a layered architecture and a variety of security controls based on the NIST SP 800-82 and NIST SP 800-53 standards. This strategy ensures that systems and networks linked with safety-related operations are protected against cyberattacks that could potentially harm their mission critical functions.

• NERC CIP

  The North American Electric Reliability Council Critical Infrastructure Protection (NERC CIP) is a regulation to monitor, enforce, and manage the cybersecurity of the Bulk Electric System (BES) in North America. This set of standards is intended to identify and protect vulnerable assets that can influence the reliable supply of electricity throughout the continent’s BES. The CIP framework is designed to ensure the security of the CI.

  Requirements CIP-002-5.1a and CIP-005-6 under NERC CIP focus on the identification and protection of cybersecurity management for safety systems. These standards mandate that responsible organizations must recognize and record details of safety systems. These are described as systems and equipment that are essential for detecting, preventing, or mitigating scenarios that might cause significant disruptions or hinder the safe shutdown of the bulk electric system.

  Here is a high-level overview of these standards:

  • CIP-002-5.1a BES Cyber System Categorization: This categorizes BES cyber systems and their associated assets to tailor cybersecurity measures appropriately, based on the potential impact that damage, unauthorized access, or misuse could have on the BES’s reliability.
  • CIP-005-6 Electronic Security Perimeter: This defines a controlled boundary around networks where critical cyber assets are connected, controlling access to these networks. The goal is to regulate electronic access to BES cyber systems and establish a secure perimeter to prevent actions that could disrupt or destabilize the BES.

In the next section, we will discuss the various stages of the functional safety lifecycle as well as the high-level cybersecurity phases that are crucial to safety critical systems. We will also explore the common processes and methods that are used in each phase as well as their importance in ensuring safe operations.

This section will cover the safety and cybersecurity lifecycle, exploring different functional safety phases as well as common practices to reduce risk.

Safety lifecycle

Recent safety standards pertaining to SIS have a core concept of the Safety Lifecycle (SLC). This engineering process is built to ensure a comprehensive level of safety from analysis to implementation, covering the operational and maintenance phases of the system. By adhering to the SLC’s rules and regulations, industrial automation systems are ensured to be able to efficiently reduce the industrial process risk.

In addition, the SLC offers the following baselines:

• A routine, steady architecture for the definition, planning, establishment, and upkeep of an SIS
• A solid foundation for Risk Assessment Methodology (RAM) techniques
• An SIS management system, and the Key Performance Indicators (KPIs) expected of each safety instrumented function

The following diagram illustrates the required steps and phases that can be found as part of the SIS SLC:

Figure 1.10 – ISA-84.00.01-2004 SIS SLC

The preceding diagram provides a high-level overview of the SLC’s main phases that we will cover briefly here:

• Analysis phase

  This phase systematically identifies hazards, assesses risks, and defines the safety requirements of the system in order to design and implement effective security instruments (SIFs) that can minimize the risks associated with the system.

  Furthermore, this phase also involves developing a safety concept and safety functions to determine the necessary safety integrity measures and reduce the risk of hazards to an acceptable level. In certain cases, hazards will be found to be within an acceptable range, and as such, no further mitigation is required.

  Therefore, no SIF is warranted. However, in other instances, a risk mitigation measure is needed, and its effectiveness is determined by its Safety Integrity Level (SIL).

• Implementation phase

  Once the SIFs have been identified and documented, work can commence on the design. This includes the selection of suitable vendors for the sensor, logic solver, and final element, as well as the determination of whether to include redundancy for high safety integrity, to minimize false trips, or both. Subsequently, after the selection of products and their associated components, the design should review the safety philosophy and any known constraints as identified and provided in the Safety Requirements Specification (SRS). As the SIS is designed to not be activated, it is essential that it be inspected and evaluated thoroughly at predetermined intervals.

• Operation phase

  The operation phase is the final phase of the SIS functional SLC. During this phase, the SIS is fully operational and is used for its intended purpose. This phase includes activities such as the ongoing monitoring, maintenance, and verification of system effectiveness. The goals of this phase are to ensure that the SIS continues to perform its intended function and to identify and address any potential issues that could negatively impact safety. This phase is critical for maintaining the safety of the system and ensuring its continued reliability.

  If there are any modifications to be carried out, these must strictly follow the MoC protocol of the organization and a Stage 5 Functional Safety Assessment (FSA5) should be conducted. Regular audits must also be part of this essential lifecycle phase.

  As part of this phase, questions related to design and maintenance, the management of change processes, and so on must be addressed within the Pre-Startup Safety Review (PSSR). Examples of these questions include but are not limited to the following:

  • Does the system comply with all the specifications outlined in the SRS?
  • Have the SIL targets and Mean Time to Failure (MTTF) targets been achieved for all SIFs?
  • Are all the requirements of the SIS SLC being effectively completed?
  • Is all equipment configured in accordance with the manufacturer’s safety manual?
  • Has a Hazard and Risk Analysis (H&RA) been carried out and have any recommendations been implemented?
  • Have the recommendations from any Functional Safety Assessment (FSA) been resolved?
  • Has a cybersecurity evaluation been conducted?
  • Is there an established schedule for periodic inspections and tests for each SIF?
  • Have the maintenance procedures been established and validated?
  • Is there an established procedure for managing changes?
  • Is there a security patch management strategy enforced?
  • Are the operation and maintenance teams trained, certified, and qualified for the work?

  Only once the aforementioned questions have been addressed adequately can we move on to the startup and operation can continue.

As depicted in Figure 1.9, the FSAs, as part of the management of functional safety and functional safety assessment and auditing, are conducted throughout the lifecycle phases:

• FSA1: The aim of performing a Functional Safety Assessment (FSA1), once the analysis step has been concluded and the SRS has been created, is to detect any possible safety risks.
• FSA2: Once the SIS’s detailed design and engineering have been finished, it is necessary to carry out a Functional Safety Assessment (FSA2).
• FSA3: Prior to SIS startup and after installation, commissioning, and Site Acceptance Test (SAT), a systematic – and mandatory – SIL validation shall be conducted to fulfill functional safety standard requirements.
• FSA4: System operation and maintenance must be conducted by personnel who are qualified and have demonstrable experience from past projects.

  This is an essential requirement. Regular Stage 4 Functional Safety Assessments (FSA4s) must be performed to verify the following:

  • The alignment of ongoing activities with the initial design assumptions
  • Full compliance with the safety management and verification requirements stipulated in IEC 61511
• FSA5: FSA5 shall be carried out before the modifications. Once the modification activity is complete, another FSA5 shall be required to assess and confirm that the necessary modification is meeting the safety integrity requirements.

Cybersecurity lifecycle

The cybersecurity lifecycle shares strong similarities with the SLC in terms of risk reduction, yet they differ from one another due to their separate design by different communities, each with its own terminologies, contexts, and ways of working.

IT security professionals prioritize dealing with immediate threats, whereas process safety engineers are chiefly concerned with much longer lifespans of up to 10 years. Historically, the role of IT within industrial networks has been focused primarily on data (historian replication in IT) access, support for communication interfaces, or access to tools.

Many forward-focused organizations are now attempting to change the culture and bring these two communities closer together through the formation of new operating models, with the aim of enhancing collaboration and jointly confronting the increasing cyber risk that threatens organizations globally.

With the industry approaching the cybersecurity lifecycle in so many different ways, we will focus solely on industrial standards such as IEC 62443 and NIST, as these include ICS practical guidance. We will explore these further in later sections of this book.

Important note

It is important to emphasize that compliance and security are not the same. The proposed standards provide guidance and advice regarding certain security controls that have been adopted for general use in ICS environments. Nevertheless, no standard is capable of accounting for all the specifications of your company’s business processes. Therefore, it is essential to be cautious when implementing these standards for ICS security projects and to remember that adhering to standards does not guarantee your security.

In this chapter, we have discussed the fundamental concepts that shape functional safety and ICS cybersecurity with a great emphasis on risk mitigation. We have covered the components, standards, terms, and practices that are currently used in multiple industries. Furthermore, we have examined the functional safety and cybersecurity life cycles, including their similarities and discrepancies.

We now have a strong foundation to dive more deeply into practical SIS cybersecurity. The next chapter will explore the need to protect safety processes against emerging cyber threats and will provide examples of recent security incidents that have primarily targeted SIS.

• NIST SP 800-82 Rev 2, Guide to Industrial Control Systems (ICS) Security:

  https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf

• U.S. Nuclear Regulatory Commission, Regulatory Guide:

  https://www.nrc.gov/docs/ML0903/ML090340159.pdf

• Cyber Security Programs for Nuclear Power Reactors:

  https://www.federalregister.gov/documents/2023/02/13/2023-02941/cyber-security-programs-for-nuclear-power-reactors#:~:text=RG%205.71%2C%20Revision%201%20is,computer%20and%20communication%20systems%20and

• North American Electric Reliability Corporation, Cyber Security Standards CIP-002-1 through CIP 009-1:

  https://www.nerc.com/pa/Stand/Pages/Cyber-Security-Permanent.aspx

• ANSI/ISA-61511-1-2018, Functional Safety – Safety Instrumented Systems for the Process Industry Sector – Part 1: Framework, definitions, system, hardware and application programming requirements:

  https://www.isa.org/products/ansi-isa-61511-1-2018-iec-61511-1-2016-amd1-2017-c

• ISA-TR84.00.09-2017, Cybersecurity Related to the Functional Safety Lifecycle:

  https://www.isa.org/products/isa-tr84-00-09-2017-cybersecurity-related-to-the-f

• ISA-62443-2-1-2009, Security for Industrial Automation and Control Systems Part 2-1: Establishing an Industrial Automation and Control Systems Security Program:

  https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat

• Final Elements in Safety Instrumented Systems, IEC 61511 Compliant Systems and IEC 61508 Compliant Products: https://www.exida.com/Books/final-elements-in-safety-instrumented-systems
• ISA - Safety Instrumented System Design: Techniques and Design Verification: https://www.isa.org/products/safety-instrumented-system-design-techniques-a-1
• ANSI/ISA-84.00.01-2004 Part 1 (IEC 61511-1 Mod) - Functional Safety: Safety Instrumented Systems for the Process Industry Sector - Part 1: Framework, Definitions, System, Hardware and Software Requirements:

  https://webstore.ansi.org/preview-pages/ISA/preview_ANSI+ISA+84.00.01-2004+Part+1.pdf

• ISA-62443-1-1-2007 Security for Industrial Automation and Control Systems Part 1-1:Terminology, Concepts, and Models:

  https://www.isa.org/products/isa-62443-1-1-2007-security-for-industrial-automat

• IEC 61508; Functional safety of electrical/electronic/programmable electronic safety-related systems, IEC, 1998, 2000:

  https://webstore.iec.ch/publication/5515

• IEC 61511-1:2016 Functional safety - Safety instrumented systems for the process industry sector - Part 1: Framework, definitions, system, hardware and application programming requirements: https://webstore.iec.ch/publication/24241
• ISO 26262-1:2018, Road vehicles – Functional safety – Part 1 Vocabulary:

  https://www.iso.org/obp/ui/en/#iso:std:iso:26262:-1:ed-2:v1:en

• IEC 62304 (IEC 62304:2006), Medical device software — Software lifecycle processes:

  https://www.iso.org/obp/ui/en/#iso:std:iec:62304:ed-1:v1:en