Safety and security for wireless control systems means managing risks to tolerable levels and using similar four-level SIL/SL-rating methods to categorize the level of risk reduction required. In addition, both have similar objectives—protect people, property and the environment.
They also follow similar methodologies—using risk analysis to justify time, effort and investment. However, one key difference is safety risk analysis is based on severity and likelihood, while security assumes it’s simply a matter of when. In other words, security assumes the probability/likelihood of an incident is one.
There’s another similarity between safety and security. Just as IEC 61511 and associated technical reports from ISA-84 define how to implement IEC 61508, “Functional safety of electrical/electronic/programmable electronic safety-related systems,” for process industries, similar documents are being prepared for cybersecurity. Both IEC 61508 and IEC 62443 are “horizontal” standards, meaning they apply across industries. IEC 61508 is used for safety standards in process, rail, automotive, etc.
Similar work is starting for cybersecurity. IEC TC65 WG10 and ISA-99 take a slightly different approach in applying cybersecurity by industry than the process safety industry. The 2023 IEC TS 62443-1-5, “Scheme for IEC 62443 security profiles” document, describes application specific requirements for IEC 62443 used by interested parties (organizations or groups/sectors) to contextually map a defined set of requirements specified in the IEC 62443 series as the basis for obtaining compliance certificates.
Though it may not follow the same one-to-five recommendations as IEC 62443, ISA-99 formed working group 14, “Security profiles for electric energy OT control systems,” in October 2022 for transmission and distribution applications, with the initial priority on the control center and substations, which are where all the intelligent electronic devices or relays are located. These devices are most susceptible to attack, resulting in an impact on the electric distribution critical infrastructure.
One challenge to dealing with safety and security is each field tends to be highly specialized. Safety experts understand the process being protected and their associated controls, while security experts better understand networks and system communications. These different areas of expertise—and how they manage to reconcile conflicts—are more concerning as new cybersecurity regulations are developed.
The most basic requirement is to combine their knowledge early in the design process—at the first principle/foundational risk assessment stage. By working together, each group gains a better understanding of how their decisions impact the work of the others. However, despite best efforts, there will be conflicts.
What do we do when they clash? There are standards in development by ISA-84 and IEC TC65 WG20, though they take different approaches to the problem. Both groups use first principles at the design and risk-assessment stages. Unfortunately, information available during the analysis won’t foresee every scenario where safety and security clash. For this reason, every organization must have a default “in case of unforeseen conflict or incident” clause.
This is especially true for the unforeseen, “middle of the night” scenario. In this situation, urgency means operators can’t call and pass the buck, so they must rely on procedure. The available options are:
- Safety first: rely on zones and procedures to protect balance of system, including isolating devices from the rest of the system to keep the problem from spreading.
- Security first: rely on the safety system to provide required protection, likely resulting in an unscheduled outage/reduction or loss in operational capacity.
- Operator expertise: notify the operator, and revert to procedures and manual operation, assuming the operator can interact with the system and is able to continue to run the facility. If the system is properly designed, the operator should have been notified already and performed this step.
If it comes down to something going bump in the night, I’d pick safety over security and rely on my properly designed zone and conduit/defense, in-depth security system to contain the incident. What is your default call?
