Examining the safety and cybersecurity lifecycle
This section will cover the safety and cybersecurity lifecycle, exploring different functional safety phases as well as common practices to reduce risk.
Safety lifecycle
Recent safety standards pertaining to Safety Instrumented Systems (SIS) are built around the core concept of the Safety Lifecycle (SLC). This engineering process is designed to ensure a comprehensive level of safety from analysis through implementation, and on into the operation and maintenance phases of the system. By following the SLC's requirements, industrial automation systems can reduce the industrial process risk effectively and demonstrably.
In addition, the SLC offers the following baselines:
- A consistent, structured framework for the definition, planning, implementation, and upkeep of an SIS
- A solid foundation for Risk Assessment Methodology (RAM) techniques
- An SIS management system, and the Key Performance Indicators (KPIs) expected of each Safety Instrumented Function (SIF)
The following diagram illustrates the required steps and phases that can be found as part of the SIS SLC:
Figure 1.10 – ISA-84.00.01-2004 SIS SLC
The preceding diagram provides a high-level overview of the SLC’s main phases that we will cover briefly here:
- Analysis phase
This phase systematically identifies hazards, assesses risks, and defines the safety requirements of the system so that effective Safety Instrumented Functions (SIFs) can be designed and implemented to reduce the risks associated with the process.
Furthermore, this phase also involves developing a safety concept and safety functions to determine the necessary safety integrity measures and reduce the risk of each hazard to an acceptable level. In some cases, a hazard will be found to be within the acceptable range already, so no further mitigation is required and no SIF is warranted. In other cases, a risk reduction measure is needed, and the amount of risk reduction it must provide is expressed as the target Safety Integrity Level (SIL) of the SIF.
- Implementation phase
Once the SIFs have been identified and documented, work can commence on the design. This includes selecting suitable vendors for the sensor, logic solver, and final element, and deciding whether to include redundancy for higher safety integrity, to minimize spurious (false) trips, or both. After the products and their associated components have been selected, the design should be reviewed against the safety philosophy and any known constraints identified in the Safety Requirements Specification (SRS). Because an SIS is dormant in normal operation and acts only on demand, dangerous failures can remain hidden until a demand occurs; it is therefore essential that the SIS be proof-tested and evaluated thoroughly at the predetermined intervals assumed in its SIL calculations.
- Operation phase
The operation phase is the final phase of the SIS functional SLC. During this phase, the SIS is fully operational and is used for its intended purpose. This phase includes activities such as the ongoing monitoring, maintenance, and verification of system effectiveness. The goals of this phase are to ensure that the SIS continues to perform its intended function and to identify and address any potential issues that could negatively impact safety. This phase is critical for maintaining the safety of the system and ensuring its continued reliability.
If any modifications are to be carried out, they must strictly follow the organization's Management of Change (MoC) procedure, and a Stage 5 Functional Safety Assessment (FSA5) should be conducted. Regular audits must also form part of this essential lifecycle phase.
Before the SIS enters this phase, questions related to design and maintenance, the management of change process, and so on must be addressed within the Pre-Startup Safety Review (PSSR). Examples of these questions include, but are not limited to, the following:
- Does the system comply with all the specifications outlined in the SRS?
- Have the SIL targets and Mean Time to Failure (MTTF) targets been achieved for all SIFs?
- Are all the requirements of the SIS SLC being effectively completed?
- Is all equipment configured in accordance with the manufacturer’s safety manual?
- Has a Hazard and Risk Analysis (H&RA) been carried out and have any recommendations been implemented?
- Have the recommendations from any Functional Safety Assessment (FSA) been resolved?
- Has a cybersecurity evaluation been conducted?
- Is there an established schedule for periodic inspections and tests for each SIF?
- Have the maintenance procedures been established and validated?
- Is there an established procedure for managing changes?
- Is there a security patch management strategy enforced?
- Are the operation and maintenance teams trained, certified, and qualified for the work?
Only once these questions have been answered satisfactorily can startup proceed and operation begin.
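The implementation-phase choices above (redundancy for the sensor or final element, and the proof-test interval) and the PSSR question "Have the SIL targets been achieved for all SIFs?" come together in the PFDavg calculation for each SIF. The following is an added worked example, not code from the book or from any standard: it uses the simplified IEC 61508-6 low-demand equations for 1oo1 and 1oo2 architectures (no diagnostic coverage, repair time, or proof-test coverage factors), and the failure rates, beta factor, and the PT/logic solver/XV loop are constructed illustration values rather than vendor data.

```python
"""Estimating whether a SIF meets its target SIL (low-demand mode).

Added worked example, not from the book. Uses the simplified IEC 61508-6
equations for PFDavg and ignores diagnostic coverage, repair time and
proof-test coverage; the failure rates and beta factor below are
constructed illustration values, not vendor data.
"""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760


@dataclass(frozen=True)
class Subsystem:
    """One leg of a SIF: sensor, logic solver or final element."""
    name: str
    lambda_du: float       # dangerous undetected failure rate, per hour
    voting: str = "1oo1"   # "1oo1" (single) or "1oo2" (redundant, either can trip)
    beta: float = 0.0      # common-cause fraction for 1oo2 (assumed value, see lead-in)

    def pfd_avg(self, ti_hours: float) -> float:
        """Average probability of failure on demand for proof-test interval ti_hours."""
        x = self.lambda_du * ti_hours
        if self.voting == "1oo1":
            return x / 2
        if self.voting == "1oo2":
            # independent double failure plus the common-cause term, which
            # usually dominates once redundancy has been added
            return x ** 2 / 3 + self.beta * x / 2
        raise ValueError(f"unsupported voting architecture: {self.voting}")


def sif_pfd_avg(subsystems, ti_hours):
    """The SIF fails if any leg fails, so the legs' PFDs add (series approximation)."""
    return sum(s.pfd_avg(ti_hours) for s in subsystems)


def sil_from_pfd(pfd):
    """IEC 61508/61511 low-demand SIL bands; 0 means no SIL can be claimed."""
    if pfd >= 1e-1:
        return 0
    if pfd >= 1e-2:
        return 1
    if pfd >= 1e-3:
        return 2
    if pfd >= 1e-4:
        return 3
    return 4


def evaluate(subsystems, ti_hours, target_sil):
    """Return PFDavg, risk reduction factor, achieved SIL and whether the target is met."""
    pfd = sif_pfd_avg(subsystems, ti_hours)
    sil = sil_from_pfd(pfd)
    return {"pfd_avg": pfd, "rrf": 1 / pfd, "sil": sil, "meets_target": sil >= target_sil}


# Constructed SIF: pressure transmitter (PT) -> logic solver -> shutdown valve (XV)
BASELINE = [
    Subsystem("PT", 2e-6),
    Subsystem("Logic solver", 1e-7),
    Subsystem("XV", 5e-6),
]
REDUNDANT_VALVE = [BASELINE[0], BASELINE[1], Subsystem("XV 1oo2", 5e-6, "1oo2", 0.05)]
REDUNDANT_BOTH = [
    Subsystem("PT 1oo2", 2e-6, "1oo2", 0.05),
    BASELINE[1],
    Subsystem("XV 1oo2", 5e-6, "1oo2", 0.05),
]

if __name__ == "__main__":
    scenarios = [
        ("baseline, 12-month proof test", BASELINE, HOURS_PER_YEAR),
        ("baseline, 6-month proof test", BASELINE, HOURS_PER_YEAR / 2),
        ("1oo2 valves, 12-month proof test", REDUNDANT_VALVE, HOURS_PER_YEAR),
        ("1oo2 PT and valves, 12-month proof test", REDUNDANT_BOTH, HOURS_PER_YEAR),
    ]
    for label, legs, ti in scenarios:
        r = evaluate(legs, ti, target_sil=2)
        print(f"{label}: PFDavg={r['pfd_avg']:.2e} RRF={r['rrf']:.0f} "
              f"SIL {r['sil']} meets SIL 2: {r['meets_target']}")
```

Running the scenarios shows why the PSSR question matters: the single-channel loop lands in SIL 1, halving the proof-test interval alone still leaves it in SIL 1, and making only the valves redundant leaves the loop just above the SIL 2 boundary because the common-cause term now dominates the valve leg; only redundant transmitters plus redundant valves reach SIL 2 with a 12-month proof test. A real assessment would add the factors this simplified model leaves out and use the certified failure data for the actual devices.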
As depicted in Figure 1.9, the FSAs, which form part of the management of functional safety and the functional safety assessment and auditing activities, are conducted throughout the lifecycle phases:
- FSA1: A Stage 1 Functional Safety Assessment (FSA1) is performed once the analysis phase has been concluded and the SRS has been created, to confirm that the hazards and risks have been identified and that the resulting SRS is adequate before design begins.
- FSA2: Once the SIS's detailed design and engineering have been completed, a Stage 2 Functional Safety Assessment (FSA2) must be carried out before installation.
- FSA3: Prior to SIS startup, and after installation, commissioning, and the Site Acceptance Test (SAT), a systematic and mandatory SIL validation shall be conducted to confirm that the installed SIS meets the SRS, as required by the functional safety standards.
- FSA4: System operation and maintenance must be conducted by personnel who are qualified and have demonstrable experience from past projects; this is an essential requirement. Once operating and maintenance experience has been gained, regular Stage 4 Functional Safety Assessments (FSA4s) must be performed to verify the following:
- The alignment of ongoing activities with the initial design assumptions
- Full compliance with the safety management and verification requirements stipulated in IEC 61511
- FSA5: An FSA5 shall be carried out before a modification is made. Once the modification activity is complete, another FSA5 shall be required to assess and confirm that the modified SIS still meets its safety integrity requirements.
Cybersecurity lifecycle
The cybersecurity lifecycle shares strong similarities with the SLC in its approach to risk reduction, yet the two differ because they were designed by different communities, each with its own terminology, context, and ways of working.
IT security professionals prioritize dealing with immediate threats on short patch and upgrade cycles, whereas process safety engineers are chiefly concerned with asset lifespans of up to 10 years. Historically, the role of IT within industrial networks has been focused primarily on data access (for example, replicating the process historian into the IT network), support for communication interfaces, or access to tools.
Many forward-looking organizations are now attempting to change this culture and bring the two communities closer together through new operating models, with the aim of enhancing collaboration and jointly confronting the increasing cyber risk that threatens organizations globally.
Because the industry approaches the cybersecurity lifecycle in so many different ways, we will focus solely on industrial standards such as IEC 62443 and the NIST guidance for ICS (for example, NIST SP 800-82), as these include practical guidance for ICS environments. We will explore these further in later sections of this book.
Important note
It is important to emphasize that compliance and security are not the same thing. The standards discussed here provide guidance on security controls that have been adopted for general use in ICS environments. Nevertheless, no standard can account for every specific of your company's business processes. Therefore, be cautious when applying these standards to ICS security projects, and remember that adherence to a standard does not guarantee your security.