2010 Safety and Security Symposium

Wednesday, 28 April 2010 through Thursday, 29 April 2010

Astor Crowne Plaza New Orleans
739 Canal Street
New Orleans, LA 70130, United States

The last day to pre-register online was April 26, 2010.

Welcome to the 2010 Industrial Automation Safety and Security Symposium!

Sponsored by the ISA Safety Division, the 2010 Industrial Automation Safety and Security Symposium will provide an in-depth look at today's safety technologies and procedures associated with identifying and mitigating safety hazards in industrial environments. This symposium will not only focus on Safety Instrumented Systems (SIS) topics, but also include material on cyber security and the associated challenges in designing and implementing SIS and process automation solutions. We are excited to deliver technical demonstrations and presentations that will challenge attendees and presenters alike, providing practical and useful guidance for designing industrial processes, selecting SIS, and protecting these systems against cyber threats and dangerous failures alike.

Our exciting one-day program on 29 April will cover topics in these three main categories:

  • Alarm Management
  • Safety Instrumented Systems
  • Cyber Security

View our schedule-at-a-glance by clicking on the Schedule tab above.

This event is intended to create a forum where paper presentations and panel discussions transfer information from leaders and experts on safety and control to industry professionals. The full program will include expert-led sessions, social functions, and more at the Astor Crowne Plaza in the French Quarter. Add value to your conference experience with ISA Training on 28 April.

Registration Information

Symposium Registration Rates:

  • Symposium only, 29 April: $199 ISA Member/$299 non-member
  • Training only, 28 April: $445 ISA Member/$545 non-member
  • Save money and register for both! Combo: $599 ISA Member/$699 non-member
  • Author registration fee: $75

Training Courses Information:

Register online or download the registration form.


Schedule-at-a-Glance

Tentative Conference Schedule

8:00 - 9:30: Alarm Management

Integrated Functional Safety and Alarm Management
Bridget Fitzpatrick, Mustang Automation and Control, user TBD

Get a life(cycle)! Connecting Alarm Management and Safety Instrumented Systems
Donald Dunn, ARAMCO; Nicholas Sands, DuPont; Todd Stauffer, exida

How the ISA18.8 Life Cycle Model Addresses the Operating Problems Typical of Poor Alarm Management
Doug Metzger, retired

9:30 – 9:45: Break, Exhibits, and Networking

9:45 – 11:15: Safety Instrumented Systems (SIS)

IEC/ISA 61511 Compliance through Certified or Proven In Use Equipment
Iwan van Beurden and William Goble, exida, user TBD

Non-SIS IPL Testing Frequency
Marszal, Matthew Kuhn, and Robert N. Garand, Kenexis; Yasser Ali Khalil, Zadco

Challenges of Layers of Protection Analysis (LOPA)
Glenn Raney, Invensys and Dale Figgins, BP

11:15 – 12:30: Lunch, Exhibits, and Networking

12:30 – 2:00: Cyber Security

Quantitative Security Measures for Cyber & Safety Security Assurance
Dennis K. Holstein, Sr., OPUS Consulting Group

The Lemnos Project - Interoperable Security for Control Systems in the Energy Sector
Dave Teumim, CISSP, Teumim Technical, LLC, et al

CYA for the CIA (Confidentiality, Integrity, and Availability) in Manufacturing
Ron Ogle, Thompson Inc.

2:15 - 3:45: Cyber Security

Directed Hazards Analysis and Mitigation
Bryan L. Singer, Kenexis Security; Graham Speake, BP

Beyond Defense-in-Depth: Industrial Infrastructure Design for Safety and Security
Bradford H. Hegrat, CISSP, Rockwell Automation, user co-author TBD

Safety versus Security: What’s one without the other?
Rick Kaun, Matrikon, user co-author TBD

3:45 – 4:00: Break, Exhibits, and Networking

4:00 – 5:00: Safety and Security Panel

The day’s authors and presenters will serve on a panel and answer questions from the audience.


Conference Abstracts

Integrated Functional Safety and Alarm Management
As industrial best practices and standards have evolved, we have become better at managing safety. ISA84 and the related standards for process safety require documentation of the safety basis for the process and provide for the active day-to-day management of process safety. This type of effort generates additional requirements around operator alarms and response to alarms. ISA18.2 is a new standard for 2009 that spells out requirements for alarm management systems. Part of the standard recognizes that all alarms, both from the DCS and the SIS, must be presented to the operator in a consistent manner. Implementing ISA84 and ISA18.2 together provides a unique opportunity to leverage effort and ensure consistency. Alternatively, understanding the nature of ISA84 documentation, and how to mine it for the information needed to support an integrated approach, can reduce the effort required. This paper will discuss a successful approach to managing an overall safety program from functional safety studies through alarm rationalization.
Bridget Fitzpatrick, Mustang Automation and Control, user TBD

Get a life(cycle)! Connecting Alarm Management and Safety Instrumented Systems
Alarms and operator response are one of the first layers of defense in preventing a plant upset from escalating into an abnormal situation. The new ISA 18.2 standard on alarm management recommends following a lifecycle approach similar to the existing ISA84/IEC 61511 standard on functional safety. This presentation will highlight where these lifecycles interact and overlap, as well as how to address them holistically. Specific examples within ISA 18 will illustrate where the output of one lifecycle is used as input to the other, such as when the results of a process hazards analysis (PHA) are used as an input to alarm rationalization. The presentation will also provide recommendations on how to integrate the safety and alarm management lifecycles.
Authors: Donald Dunn, ARAMCO; Nicholas Sands, DuPont; Todd Stauffer, exida

How ISA 18.8 Life Cycle Model Addresses the Operating Problems Typical of Poor Alarm Management
It is now widely understood that poor alarm management in industrial processes can lead to operator overload, loss of critical process awareness, and ultimately to production losses, equipment failures, personal injury, and worse; and sometimes, at best, to excessive activations of the safety system. Classical problems leading to overload are redundant alarms, repeating alarms, alarms not applicable to the current plant state, and alarm floods due to major process events. ISA18 outlines the work processes necessary to identify, design, implement, and maintain alarm systems that tackle problems such as these. Ways to solve these problems are becoming known in the industry. But incomplete application of the techniques, and incomplete application of the ISA Life Cycle stages, can lead to incomplete solutions, missed alarms due to overly aggressive application, operator confusion, and alarm system degradation, resulting in the ultimate loss of the engineering and operating team's investment in the alarm management system. This paper takes a problem-oriented view. It begins with a discussion of specific operating problems caused by poor alarm systems, which can lead to operator overload, production and equipment loss, etc. It cross-references these operating problems to the metrics and methods that expose them, and tracks the operating problems to their most frequent causes within the alarm system. Finally, it illustrates how the ISA18 Life Cycle stages provide the framework for effective solutions. The paper points out several cases of design tradeoffs in which overly aggressive use of a given solution to one operating problem can exacerbate other operating problems. In a simple case, for example, an overly aggressive deadband setting used to reduce the chattering of particular alarms can result in stale alarms, and can sometimes result in alarms not triggering when they are needed.
Alarm philosophy, careful design, implementation, and maintenance are the hallmarks of the ISA18 standard. Admittedly, this is a thumbnail sketch of the problems and solutions involved in alarm management. But it serves to illustrate that by following the ISA Life Cycle stages, effective alarm systems can be built from scratch or created out of poor ones, as well as be managed and maintained effectively throughout the life of the process.
Doug Metzger
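Worked example, added by the editor and not part of the paper above: the deadband trade-off in the last paragraph, run as code. A high alarm with hysteresis is driven over a constructed one-sample-per-second process-value trace, and ISA-18.2-style counts show how a zero deadband chatters, a moderate deadband behaves, and an overly large deadband leaves the alarm stale so that a later genuine excursion never re-announces. The trace, the 100.0 alarm limit, the 1 s sample period and the chattering threshold used here (three activations within one minute) are all assumptions.

```python
"""High-alarm state machine with deadband, plus the counts that expose chattering and stale
alarms. Added example; the trace and thresholds are constructed, not taken from the paper."""


def alarm_events(pv_samples, limit, deadband):
    """Transitions of a high alarm: ACT when pv rises above `limit`, RTN (return to normal)
    only when pv drops below `limit - deadband`. Returns [(sample_index, "ACT"|"RTN"), ...]."""
    active = False
    events = []
    for i, pv in enumerate(pv_samples):
        if not active and pv > limit:
            active = True
            events.append((i, "ACT"))
        elif active and pv < limit - deadband:
            active = False
            events.append((i, "RTN"))
    return events


def active_intervals(events, n_samples):
    """[(start, end)] sample ranges during which the alarm was active; end is exclusive.
    An alarm still active at the end of the trace gets end == n_samples."""
    intervals, start = [], None
    for i, kind in events:
        if kind == "ACT":
            start = i
        else:
            intervals.append((start, i))
            start = None
    if start is not None:
        intervals.append((start, n_samples))
    return intervals


def is_chattering(events, window_samples=60, activations=3):
    """Chattering threshold used here (assumption): `activations` or more ACT events
    inside any window of `window_samples` samples."""
    acts = [i for i, kind in events if kind == "ACT"]
    return any(
        acts[k + activations - 1] - acts[k] < window_samples
        for k in range(len(acts) - activations + 1)
    )


def summarize(pv_samples, limit, deadband, sample_period_s=1):
    """Per-alarm metrics of the kind an ISA-18.2 performance report would carry."""
    events = alarm_events(pv_samples, limit, deadband)
    intervals = active_intervals(events, len(pv_samples))
    samples_in_alarm = sum(end - start for start, end in intervals)
    return {
        "activations": sum(1 for _, kind in events if kind == "ACT"),
        "chattering": is_chattering(events, window_samples=60 // sample_period_s),
        "active_at_end": bool(intervals) and intervals[-1][1] == len(pv_samples),
        "pct_time_in_alarm": 100.0 * samples_in_alarm / len(pv_samples),
    }


# Constructed trace, one sample per second: the PV hovers around the 100.0 limit for a
# minute (noise on a tight limit), settles at 97.0 for a minute, then has a genuine
# 10 s excursion to 103.0 that the operator should be told about.
PV = [100.3, 99.8] * 30 + [97.0] * 60 + [103.0] * 10

if __name__ == "__main__":
    for deadband in (0.0, 1.0, 5.0):
        print(deadband, summarize(PV, limit=100.0, deadband=deadband))
```

With deadband 0 the alarm activates 31 times and is flagged as chattering; with deadband 1.0 it activates twice, once for the noisy period and once for the real excursion; with deadband 5.0 the alarm never returns to normal (it would need the PV to fall below 95.0), so it sits stale at 100 % time-in-alarm and the excursion at 103.0 produces no new activation at all.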

IEC/ISA 61511 Compliance through Certified or Proven In Use Equipment
This paper will evaluate the differences between selecting certified equipment and selecting proven-in-use equipment, and review the requirements that should be considered with either method. The paper will show that certification alone is not sufficient, since the manufacturer is not the one operating the equipment in the field. It will also highlight how claiming proven in use requires an adequate data recording system and may not be so straightforward.
Authors: Iwan van Beurden and William Goble, exida, user TBD

Non-SIS IPL Testing Frequency
The widespread adoption of the IEC/ISA 61511 standard for safety instrumented systems, along with the use of Layer of Protection Analysis (LOPA), has focused a lot of attention on assuring the mechanical integrity of instrumented safeguards in the process industries. Regulations in most industrialized countries now require mechanical integrity programs that include identification of safety-critical instrumentation and regular testing. While the approach for safety instrumented functions, per IEC/ISA 61511, is well established, similar testing requirements for non-SIS independent protection layers such as safety-critical alarms and manual protective functions are not as well defined. This paper reviews the design guidelines for non-SIS IPLs and proposes an extension of those standards using IEC/ISA 61511-style analysis to determine the most appropriate testing intervals for those functions. In addition, the paper presents a table of "typical" test intervals for common instruments that will allow the discussed performance targets to be achieved.
Authors: Marszal, Matthew Kuhn, and Robert N. Garand, Kenexis; Yasser Ali Khalil, Zadco

Challenges of Layers of Protection Analysis (LOPA)
This paper will discuss the challenges of Layers of Protection Analysis (LOPA) encountered during its use by a major petroleum company. LOPA is a Process Hazard Analysis (PHA) tool that determines the risk associated with various hazardous events from the severity of the event and the likelihood of the event being initiated. The paper discusses techniques for facilitating the LOPA process so as to maintain a high level of consistency and team synergy.
Author: Glenn Raney, Invensys, user TBD
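Worked example, added here and not taken from either of the two papers above: a LOPA gap calculation for one scenario, followed by a simplified IEC 61511-style proof-test interval for the non-SIS alarm layer credited in that LOPA. The initiating-event frequency, IPL credits, tolerable frequency, failure rate, and the split of the alarm credit between hardware and operator are all constructed values; the 1oo1 PFDavg formula is the textbook approximation lambda_DU * TI / 2, not the Kenexis paper's analysis.

```python
"""LOPA gap -> required SIF PFD/SIL, then a proof-test interval for a credited non-SIS IPL.
Added example with constructed numbers; not the methods of the papers on this page."""
from dataclasses import dataclass


@dataclass(frozen=True)
class IPL:
    name: str
    pfd: float  # probability of failure on demand credited to this layer in the LOPA


def mitigated_frequency(initiating_freq, ipls):
    """Consequence frequency (per year) after every independent protection layer is applied."""
    freq = initiating_freq
    for ipl in ipls:
        freq *= ipl.pfd
    return freq


def required_sif_pfd(initiating_freq, ipls, tolerable_freq):
    """PFD a new safety instrumented function must deliver to reach the tolerable frequency.
    Returns 1.0 when the existing layers already close the gap (no SIF needed)."""
    gap = tolerable_freq / mitigated_frequency(initiating_freq, ipls)
    return min(1.0, gap)


def sil_for_pfd(pfd):
    """IEC 61511 low-demand SIL band for a target PFDavg (0 = no SIL requirement)."""
    if pfd >= 0.1:
        return 0
    if pfd >= 0.01:
        return 1
    if pfd >= 0.001:
        return 2
    if pfd >= 0.0001:
        return 3
    return 4


def pfd_avg_1oo1(lambda_du_per_h, test_interval_h):
    """Simplified single-channel PFDavg = lambda_DU * TI / 2. Valid only when lambda_DU * TI << 1;
    ignores repair time, proof-test coverage and common cause."""
    return lambda_du_per_h * test_interval_h / 2


def max_test_interval_h(lambda_du_per_h, target_pfd):
    """Longest proof-test interval that still meets target_pfd under the same approximation."""
    return 2 * target_pfd / lambda_du_per_h


def tank_overfill_example():
    """Constructed scenario: storage tank overfill initiated by a BPCS level-loop failure."""
    initiating = 0.1  # per year (assumption)
    ipls = [
        IPL("high-level alarm + operator response", 0.1),
        IPL("relief to flare", 0.01),
    ]
    tolerable = 2e-6  # per year for this consequence severity (assumption)
    sif_pfd = required_sif_pfd(initiating, ipls, tolerable)

    # The alarm IPL only earns its 0.1 credit if the alarm instrument is proof-tested often
    # enough. Assumption: half of the credit budget (PFD 0.05) goes to the level switch, the
    # rest is left for operator error.
    hardware_target = 0.05
    lambda_du = 5e-6  # dangerous undetected failures per hour for the level switch (assumption)
    return {
        "mitigated_freq_per_yr": mitigated_frequency(initiating, ipls),
        "sif_pfd_required": sif_pfd,
        "sif_sil": sil_for_pfd(sif_pfd),
        "alarm_max_test_interval_yr": max_test_interval_h(lambda_du, hardware_target) / 8760,
        "alarm_pfd_if_tested_yearly": pfd_avg_1oo1(lambda_du, 8760),
    }


if __name__ == "__main__":
    for key, value in tank_overfill_example().items():
        print(f"{key}: {value:.4g}")
```

For the constructed numbers the two existing layers bring the scenario to 1e-4 per year, a new SIF must deliver PFD 0.02 (SIL 1), and the level switch behind the alarm credit must be proof-tested at least every 2.3 years; an annual test gives it PFD 0.022, comfortably inside the 0.05 budget. Swapping in a switch whose dangerous undetected failure rate is not known from field data is exactly the "proven in use" record-keeping problem raised in the paper before this one.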

Quantitative Security Measures for Cyber & Safety Security Assurance
ISA (International Society of Automation) and others are struggling mightily to develop quantitative cyber & safety security assurance metrics. All metrics proposed to date are at best qualitative and highly subjective. They are certainly without mathematical rigor; and clearly, they do not conform to the guidelines recommended by Andrew Jaquith in his book "Security Metrics - Replacing Fear, Uncertainty and Doubt." Papers by Kube, Langer and Singer presented at the 2008 S4 Conference address the difficulty in developing quantitative metrics. This paper follows the Jaquith model, which requires that good metrics be capable of being consistently measured (without subjective criteria), that their measurement be collectable by automated systems, that they be expressed as a cardinal number or percentage using at least one unit of measure, and that they be meaningful to the asset owner. The approach begins by defining four levels of security assurance: Level 4 is assigned if failure of the security protection mechanism results in loss of life or the total failure of the IACS operating capability; Level 3 is assigned if failure of the security protection mechanism results in total failure of the IACS operating capability; and Level 2 and Level 1 are reserved for all other situations. This paper will focus attention on Level 4 security assurance because it stresses the coupling between cyber security and safety. ISA99's approach, described in this paper, offers the mathematical formulas for quantifying security assurance for the system and for the components of the system under consideration (SuC). These formulas do not rely on minimizing the risk-based formula R = (1-Pe)*C*Po. Rather, a consequence-based analysis is used to establish weighting coefficients for contributing security mechanisms, and these coefficients are used in the proposed formulas.
Thus, we can build a “score card” to collect measurements of the security metrics which can then be used to assess the implemented security assurance of the system under consideration.
Author: Dennis K. Holstein, Sr., OPUS Consulting Group

The Lemnos Project – Interoperable Security for Control Systems in the Energy Sector
Lemnos is a US DOE National SCADA Test Bed project, begun in 2007, to develop and test a framework for interoperable security among IP-based security devices and appliances. It is well suited to securing the transmission and distribution sections of the Smart Grid, and useful for the oil and gas sector as well. Project partners include Sandia National Labs, Schweitzer Engineering Laboratories, TVA, and Enernex. Following up on the Lemnos interoperability demo at the ISA 2009 Expo, this presentation will focus on the project's goals for 2010, such as standardizing the use of the Internet protocols Syslog and LDAP for interoperability.
Authors: Dave Teumim, CISSP, Teumim Technical, LLC, et al

CYA for the CIA (Confidentiality, Integrity, and Availability) in Manufacturing
The news continues to scare you with all of the evil hacker stories, and the IT people continue to load anti-virus updates and operating system patches that slow your production equipment down and require a reboot. What are you supposed to do, because you need to make your widgets? Understand that the attackers and threats are real, and not all of them are outside on the Internet. It is still true that most of your problems originate from the inside. Know that your IT team is most likely comprised of people who only know Windows and how to plug-n-play. Follow the principles of KISS, dual control, and security in depth. Call in the experts to help out, because your IT shop most likely doesn't have the knowledge and expertise. In the physical world, you segregate your production lines away from unauthorized personnel. Provide the same protection in the cyber world. Only allow through those you need, and limit what they can access. Manufacturing stations are probably PCs running Microsoft Windows with an application and connected to a LAN. Remember that these PCs are time bombs just waiting to go off. They need to be locked down so that they can only do their intended function. Lastly, data is integral to the proper functioning and testing of the widget and the production line. Protect it. This presentation will show you how to do this so you can cover your tush.
Author: Ron Ogle, Thompson Inc.

Directed Hazards Analysis and Mitigation
A primary driver behind the convergence of the safety and security disciplines is the recognition that cyber security faults and failures can result in dangerous failures and hazards on the shop floor. The challenge, however, is identifying and quantifying these threats. Current disciplines for PHA and HAZOPS are effective and efficient at identifying potential hazards, but if the probability of hardware or other non-deterministic failures causing these events is insufficient to meet SIL requirements, then many threats are left on the table today. Cyber security failures include both deterministic and non-deterministic threats; in other words, it is possible for general system failures, or for intentional attackers, to create specific hazardous scenarios. This paper addresses how to model directed threats through multiple assessment and risk analysis exercises, such as threat tree modeling, combinatorial sequence attack modeling, and analysis of existing PHA and other documents, in order to expose shop floor cyber security threats and adequately address them. The paper will include a brief walkthrough demonstration against a sample chemical process to compare and contrast safety and security risk and mitigation approaches.
Authors: Bryan L. Singer, Kenexis Security; Graham Speake, BP
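Worked example, added here rather than taken from the Singer and Speake paper: a small threat tree for one PHA hazard, evaluated to list the minimal attack paths that realise it, rank them by attacker effort, and see which paths a given countermeasure actually removes. The hazard, the leaf events and the effort scores are constructed for illustration; the evaluation is the generic AND/OR minimal-path algorithm, so the same code runs on any tree of this shape.

```python
"""Threat-tree evaluation for a directed hazard. Added example with a constructed tree;
not the paper's model or its sample chemical process."""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Leaf:
    """An attacker action. `effort` is a constructed ordinal score (higher = harder)."""
    name: str
    effort: int


@dataclass(frozen=True)
class Gate:
    """AND: every child is needed; OR: any one child suffices."""
    kind: str
    children: tuple


def attack_paths(node):
    """Minimal sets of leaf actions that satisfy the tree (the security analogue of the
    minimal cut sets a fault tree would give a safety engineer)."""
    if isinstance(node, Leaf):
        return [frozenset([node.name])]
    sub = [attack_paths(child) for child in node.children]
    if node.kind == "OR":
        paths = [p for group in sub for p in group]
    elif node.kind == "AND":
        paths = [frozenset().union(*combo) for combo in product(*sub)]
    else:
        raise ValueError("unknown gate kind: %r" % node.kind)
    unique = set(paths)
    minimal = [p for p in unique if not any(q < p for q in unique)]  # drop supersets
    return sorted(minimal, key=lambda p: sorted(p))


def leaf_efforts(node, acc=None):
    """Map leaf name -> effort over the tree; a leaf reused in two branches counts once."""
    acc = {} if acc is None else acc
    if isinstance(node, Leaf):
        acc[node.name] = node.effort
    else:
        for child in node.children:
            leaf_efforts(child, acc)
    return acc


def path_effort(node, path):
    efforts = leaf_efforts(node)
    return sum(efforts[name] for name in path)


def cheapest_path(node):
    """Lowest-effort minimal path; ties broken by name so the answer is deterministic."""
    return min(attack_paths(node), key=lambda p: (path_effort(node, p), sorted(p)))


def remaining_paths(node, blocked):
    """Paths that survive once countermeasures make every leaf in `blocked` infeasible."""
    blocked = set(blocked)
    return [p for p in attack_paths(node) if not (p & blocked)]


# Constructed hazard lifted from a PHA worksheet: reactor overpressure. A directed attacker
# has to cause the upset AND blind the operator AND keep the SIS from tripping.
EWS = Leaf("compromise_engineering_workstation", 5)
SPOOF_PT = Leaf("spoof_pressure_transmitter_signal", 7)  # also blinds the alarm
REACTOR_OVERPRESSURE = Gate("AND", (
    Gate("OR", (Gate("AND", (EWS, Leaf("raise_bpcs_feed_setpoint", 1))), SPOOF_PT)),
    Gate("OR", (Leaf("suppress_high_pressure_alarm_in_hmi", 2), SPOOF_PT)),
    Gate("OR", (Gate("AND", (EWS, Leaf("download_altered_sis_logic", 4))),
                Leaf("sis_left_in_bypass", 3))),
))

if __name__ == "__main__":
    for path in attack_paths(REACTOR_OVERPRESSURE):
        print(path_effort(REACTOR_OVERPRESSURE, path), sorted(path))
    print("cheapest:", sorted(cheapest_path(REACTOR_OVERPRESSURE)))
    print("after hardening the EWS:",
          remaining_paths(REACTOR_OVERPRESSURE, ["compromise_engineering_workstation"]))
```

The tree has four minimal paths, and the cheapest one (effort 10) never touches the engineering workstation at all: it spoofs the transmitter signal and relies on the SIS having been left in bypass. Hardening the workstation removes three of the four paths but leaves that one untouched, while fixing bypass management removes two; only doing both empties the list. That is the kind of result a PHA that assumes the SIS is always armed cannot produce, which is the paper's point about reading existing hazard documents through a security lens.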

Beyond Defense-in-Depth: Industrial Infrastructure Design for Safety and Security
Historically, many asset owners have found it hard to judge whether their infrastructure is properly engineered and deployed. Design elements to consider include capacity, performance, availability, and security. Industrial infrastructures are often perceived as a simple means to an end, but no single element in any process can cause more headaches, downtime, and lost revenue than under-engineered or poorly implemented infrastructure. Denial of service, network failure, improper physical media, insufficient capacity, and poor security design all manifest as application failures, process stoppages, and loss of efficiency. When safety systems are added that are increasingly integrated into industrial networks, or connected to controllers that are, the consequences can be not only process inefficiencies but loss of safety as well. Current safety disciplines often do not account for such scenarios. This presentation will focus on the importance of proper design of industrial networks and selection of network topologies, and on how to extend the view of possible shop floor and safety failures to account for unexpected network faults, performance and bandwidth limitations, and even intentional, directed cyber security threats. Case studies will be presented that exemplify the proper use of secure and stable infrastructure design methodology for the increasingly connected shop floor, covering frequent network faults and failures and their potential impact on controllers or SIS.
Authors: Bradford H. Hegrat, CISSP, Rockwell Automation, user co-author TBD

Safety versus Security: What’s one without the other?
Safety systems in industrial facilities have evolved over the years to become increasingly complex and essential; they are relied upon to protect employees, production, and the environment. They are coming to be seen as more than just a way to automatically react to a crisis and more as a proactive and predictive way of avoiding disastrous situations. As their importance increases, safety systems are governed by more, and more stringent, regulations and standards. This paper discusses lessons learned from working with a number of clients in both regulated and non-regulated industries as they worked towards more secure and reliable process control networks.
Authors: Rick Kaun, Matrikon, user co-author TBD


Location and Accommodations

The 2010 Safety & Security Symposium will be held in New Orleans, Louisiana, USA, 28-29 April 2010.

Astor Crowne Plaza
739 Canal Street
New Orleans, LA 70130
(888) 444-0401
www.crowneplaza.com


Rooms at the Astor Crowne Plaza have sold out, but don't worry: several other nearby hotels have plenty of space. Here is a list of some of the hotels within walking distance of our host hotel:

Please note that ISA has no negotiated rates available for any of the above-mentioned hotels. Several other hotels are available in the area.


Exhibit and Sponsorship Opportunities

Interested in exhibiting? Contact Carol Schafer at 919-990-9206 or cschafer@isa.org.

Ready to exhibit or sponsor? Follow these easy steps:

1. Download the Prospectus here and determine your participation level

2. Download and fill out the Contract Form

3. Submit your contract form via fax: 919-549-8288 or via email: info@isa.org

Sponsorships are limited and available on a first-come first-served basis. Reserve your spot today!

Current Exhibitors

AE Solutions
ENGlobal
Exida
GE Intelligent Platforms
GROQUIP
Invensys
ICS Triplex
Siemens
Smith Flow Control USA
Wind River
