
Rechnernetze und Verteilte Systeme

Cybersecurity, IEC 61508 and IEC 61511 (IACS)

Peter Bernard Ladkin

University of Bielefeld & Causalis

11 May 2017

Peter Bernard Ladkin (RVS/Causalis) Cybersecurity, IEC 61508 and IEC 61511 (IACS) 11 May 2017 1 / 19


IEC 61508 and IEC 61511

IEC 61508:2010 is a general standard for functional safety of systems with E/E/PE components.

7 parts, of which the first three (general, HW & systems, SW) are normative.

IEC 61511:2016 is a functional safety standard for process plants, “derived” from IEC 61508.

IEC 61508 does not cover commercial aviation, medical systems, or (de facto) rail, or ......


IEC 61508 and IEC 61511

A risk analysis is to be performed on the system(s).

Where the risk associated with a hazard is not “acceptable”, a safety function, intended to avoid the hazard or mitigate its severity, is to be introduced to bring the risk to an “acceptable” level.

Malicious intrusion, either human or malware, can induce hazards, and/or inhibit the proper operation of safety functions.

Thus cybersecurity is an important component of functional safety.


IEC 61508-1 Section 1 Scope

Clause 1.2 In particular, this standard ... m) does not specify the requirements for the development, implementation, maintenance and/or operation of security policies or security services needed to meet a security policy that may be required by the E/E/PE safety-related system;


IEC 61508-1 Section 7.4 Hazard and Risk Analysis

Clause 7.4.2.3 The hazards, hazardous events and hazardous situations of the EUC and the EUC control system shall be determined under all reasonably foreseeable circumstances (including fault conditions, reasonably foreseeable misuse and malevolent or unauthorised action). This shall include all relevant human factor issues, and shall give particular attention to abnormal or infrequent modes of operation of the EUC. If the hazard analysis identifies that malevolent or unauthorised action, constituting a security threat, as being reasonably foreseeable, then a security threats analysis should be carried out.


IEC 61508-1 Clause 7.4.2.3 Notes

NOTE 1 For reasonably foreseeable misuse see 3.1.14 of IEC 61508-4.

NOTE 2 ........

NOTE 3 For guidance on security risks analysis, see IEC 62443 series.

NOTE 4 Malevolent or unauthorised action covers security threats.

NOTE 5 .........


IEC 61508-1 Section 7.5 Overall Safety Requirements

Clause 7.5.2.2 If security threats have been identified, then a vulnerability analysis should be undertaken in order to specify security requirements.

NOTE Guidance is given in IEC 62443 series.


In IEC 61508-2:2010

None.


In IEC 61508-3:2010

In Annex D: Safety manual for compliant items, additional requirements for software elements

D.2.4 The following shall be included in the safety manual: ... m) Details of any security measures that may have been implemented against listed threats and vulnerabilities. ...


IEC 61511-1:2016 Clause 8.2.4

A security risk assessment shall be carried out to identify the security vulnerabilities of the SIS. It shall result in:

a description of the devices covered by this risk assessment (e.g., SIS, BPCS or any other device connected to the SIS);

a description of identified threats that could exploit vulnerabilities and result in security events (including intentional attacks on the hardware, application programs and related software, as well as unintended events resulting from human error);

a description of the potential consequences resulting from the security events and the likelihood of these events occurring;

consideration of various phases such as design, implementation, commissioning, operation, and maintenance;

the determination of requirements for additional risk reduction;

a description of, or references to information on, the measures taken to reduce or remove the threats.


IEC 61511-1 Notes to Clause 8.2.4

NOTE 1 Guidance related to SIS security is provided in ISA TR84.00.09, ISO/IEC 27001:2013, and IEC 62443-2-1:2010.

NOTE 2 The information and control of boundary conditions needed for the security risk assessment are typically with the owner/operating company of a facility, not with the supplier. Where this is the case, the obligation to comply with 8.2.4 can be with the owner/operating company of the facility.

NOTE 3 The SIS security risk assessment can be included in an overall process automation security risk assessment.

NOTE 4 The SIS security risk assessment can range in focus from an individual SIF to all SISs within a company.


IEC 61511-1 Clause 11.2.12

The design of the SIS shall be such that it provides the necessary resilience against the identified security risks (see 8.2.4).

NOTE Guidance related to SIS security is provided in ISA TR84.00.09 and IEC 62443-2-1:2010.


IEC 61511-1 Clause 11.7.3.2

The maintenance/engineering interface shall provide the following functions with access security protection to each:

SIS mode of operation, program, data, means of disabling alarm communication, test, bypass, maintenance;

SIS diagnostic, voting and fault handling services;

add, delete, or modify application program;

data necessary to troubleshoot the SIS;

where bypasses are required they should be installed such that alarms and manual shutdown facilities are not disabled.


IEC 61511-1 Clause 11.7.3.4

Enabling and disabling the read-write access shall be carried out only by a configuration management process using the maintenance/engineering interface with appropriate documentation and security measures such as authentication and user secure channels.


IEC 61511-1 Clause 11.8.6

Forcing of inputs and outputs in PE SIS shall not be used as a part of application program(s), operating procedure(s) and maintenance (except as noted below).

Forcing of inputs and outputs without taking the SIS out of service shall not be allowed unless supplemented by procedures and access security. Any such forcing shall be announced or set off an alarm, as appropriate.
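Clauses 11.7.3.4 and 11.8.6 state requirements that an owner/operator can actually monitor: a read-write enable on the engineering interface should be traceable to an authenticated user, a configuration-management change record and a secure channel, and a force of an I/O point should be alarmed and, if the SIS is still in service, covered by a procedure. The script below is an added example, not part of these slides or of the IEC text, showing how such an audit check over engineering-interface log records might look. The log line format, the event names (WRITE_ENABLE, FORCE_IO), the field names (user, auth, change, channel, tag, sis_state, procedure, alarm) and the sample records are all constructed assumptions for the example; a real SIS vendor's audit trail will differ.

```python
"""Audit constructed engineering-interface log records against the intent of
IEC 61511-1 clauses 11.7.3.4 (read-write enable) and 11.8.6 (I/O forcing).
Added example; log format and field names are assumptions, not a real product's."""
import re
from dataclasses import dataclass

# Assumed record layout: "<ISO timestamp> <EVENT> key=value key=value ..."
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<event>[A-Z_]+)\s*(?P<kv>.*)$")

# Constructed sample records (tags, users and change ids are invented).
SAMPLE_LOG = """\
2017-05-11T08:00:01 WRITE_ENABLE user=eng01 auth=mfa change=CR-0042 channel=tls
2017-05-11T08:05:10 FORCE_IO tag=PT-101 user=eng01 sis_state=out_of_service procedure=MP-17 alarm=yes
2017-05-11T09:12:00 WRITE_ENABLE user=eng02 auth=none change= channel=plain
2017-05-11T09:13:30 FORCE_IO tag=XV-220 user=eng02 sis_state=in_service procedure= alarm=no
2017-05-11T10:00:00 FORCE_IO tag=LT-305 user=eng01 sis_state=in_service procedure=MP-18 alarm=yes
"""


@dataclass
class Finding:
    ts: str
    event: str
    reason: str


def parse_line(line):
    """Return (timestamp, event, fields) or None for a line in another format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = {}
    for token in m["kv"].split():
        key, _, value = token.partition("=")  # "change=" yields an empty value
        fields[key] = value
    return m["ts"], m["event"], fields


def check_write_enable(ts, f):
    """11.7.3.4: enable only via a documented, authenticated, secure-channel change."""
    findings = []
    if f.get("auth") in (None, "", "none"):
        findings.append(Finding(ts, "WRITE_ENABLE", "read-write enabled without authentication (11.7.3.4)"))
    if not f.get("change"):
        findings.append(Finding(ts, "WRITE_ENABLE", "no configuration-management change reference (11.7.3.4)"))
    if f.get("channel") != "tls":
        findings.append(Finding(ts, "WRITE_ENABLE", "enable not carried over a secure channel (11.7.3.4)"))
    return findings


def check_force(ts, f):
    """11.8.6: forcing must be announced/alarmed; in-service forcing needs a procedure."""
    findings = []
    if f.get("alarm") != "yes":
        findings.append(Finding(ts, "FORCE_IO", "force not announced or alarmed (11.8.6)"))
    if f.get("sis_state") == "in_service" and not f.get("procedure"):
        findings.append(Finding(ts, "FORCE_IO", "force with SIS in service and no supporting procedure (11.8.6)"))
    return findings


def audit(log_text):
    """Run both checks over every parseable record and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, event, fields = parsed
        if event == "WRITE_ENABLE":
            findings.extend(check_write_enable(ts, fields))
        elif event == "FORCE_IO":
            findings.extend(check_force(ts, fields))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding.ts, finding.event, finding.reason)
```

On the constructed sample the first two records pass, the unauthenticated plain-channel enable without a change reference produces three findings, and the unalarmed in-service force without a procedure produces two. The point of the check is not the specific field names but that each of the clause's conditions is something the audit trail must carry so that it can be verified after the fact.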


Some Observed Security Violations at NPPs (Chatham House report)

NPP operators plugging iPhones and tablets into USB ports to recharge

Remote maintenance activity loading malware through a VPN

Insiders introducing malware (deliberately or inadvertently)

Connectivity between business systems and control systems affecting control

SCADA (non-universal use of “data diodes”)

E/E/PE COTS replacing older mechanical/electrical systems

“air gaps” aren’t (e.g., Stuxnet)

undocumented Internet connections

compromised SW updates

default passwords left in place on COTS


The big questions

Given the list above of security issues, are the clauses in IEC 61508 and IEC 61511 adequately prophylactic?

Are they going to stop people putting USB sticks into ports? Plugging their mobile phones in to charge them?

Do we go after such detail, in the knowledge that attacks are constantly evolving?

Or are there general principles that will “cover” the detail if applied rigorously?

Or both?


A bigger question?

Describe and document?

Take countermeasures?

What does description/documentation do to inhibit an attack?


Others

ISA Guidance first 2013 (referenced in IEC 61511). New edition ?2017?

UK HSE: very detailed operational guidance concerning kit, March 2017

German DKE: Guidance VDE-AR-E 2802-10-1. More abstract. No details. Separate considerations into security-for-safety and security-for-function; treat interactions and interference appropriately.

Industrial Internet Consortium. ??
