Functional Safety: IEC 61508 & IEC 62443
Page 1
PROFIsafe meets New York
PROFIsafe Senior Safety Expert, Siemens AG, DF FA AS E&C-PRM3
bernard.mysliwiec@siemens.com
Roosevelt Island (picture courtesy of Pomagalski)
What about Functional Safety and IT Security?
Both can be designated by the same term: Sicherheit in German, Sécurité in French.
Both can have significant impacts on:
- productivity
- availability of the plant or machine
- costs
- people
Main differences
Safety protects people against the machine or plant:
- Malfunction of machine or plant -> safe reaction through limit monitoring
- Mostly dedicated to internal malfunction of systems -> high self-diagnostic coverage
- Possible misuse of systems, if reasonably possible -> avoid dangerous situations during operation
Security protects the machine or plant against people:
- Intentional misuse of the system or of application means -> stop the CPU, incorrect behaviour of functions
- Mostly dedicated to external malfunction of systems -> diagnostic coverage generally not implemented
- Focussed on misuse of systems -> creates a dangerous or unspecified situation
Functional Safety
Target of Functional Safety
Automation and functional safety to protect people, plants and the Earth.
Typical application areas
Process (people, plants, Earth):
- batches
- low demand, reaction time 0.1...1 s
- burners
- IEC 61511, VDI 2180, NE 97
- TÜV
Factory (people and machinery):
- production lines
- high demand, reaction time 5...150 ms
- mobility
- IEC 62061 / ISO 13849, NFPA 79
- IFA
Example of a dangerous machine (picture)
Risk reduction according to IEC 61508
Residual risk <- acceptable risk <- Equipment Under Control (EUC) risk (increasing risk ->)
Required risk reduction / effective risk reduction, covered with:
- E/E/PE systems
- other technologies (non-electrical: mechanical, hydraulic)
- external means and measures
3-step method according to EN ISO 12100
START
1. Safe mechanical design. Has the risk been adequately reduced? YES -> END; NO -> step 2
2. Technical measures. Has the risk been adequately reduced? YES -> END; NO -> step 3
3. User information about residual risks. Has the risk been adequately reduced? YES -> END; NO -> renewed risk assessment (back to START)
Determination of required PL according to ISO 13849
Risk graph for determining the required PL (PLr) for the safety function(s); the starting point is the risk reduction estimation.
1. S, severity of injury: S1 slight (normally reversible injury); S2 serious (normally irreversible injury or death)
2. F, frequency and/or exposure to hazard: F1 seldom-to-less-often and/or exposure time is short; F2 frequent-to-continuous and/or exposure time is long
3. P, possibility of avoiding the hazard or limiting harm: P1 possible under specific conditions; P2 scarcely possible
Risk graph: S1/S2 -> F1/F2 -> P1/P2 -> PLr a, b, c, d or e
Determination of required SIL according to IEC 62061
Example: pinching one's finger; safety function: door monitoring, switch OFF the XY axis
- Extent of damage: permanent, loss of fingers: Se 3
- Frequency and duration: >1 hour up to 1 day, occurrence probability high: Fr 5 and Pr 4
- Avoidance possible, rarely: Av 3
Class Cl = Fr + Pr + Av = 5 + 4 + 3 = 12 -> with Se 3: SIL2
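The two slides above walk one case each through the ISO 13849-1 risk graph and the IEC 62061 severity/class matrix. The following added example (not from the presentation) encodes both tables as published in those standards and reproduces the slide's finger-pinching case (Se 3, Fr 5, Pr 4, Av 3 -> Cl 12 -> SIL2) as well as any other parameter combination:

```python
"""Required PL (ISO 13849-1 risk graph) and required SIL (IEC 62061
severity/class matrix).  Added worked example; the table contents follow
the published standards, the worked values are the ones on the slides."""

# ISO 13849-1 risk graph: (S, F, P) -> required performance level PLr
PLR_GRAPH = {
    (1, 1, 1): "a", (1, 1, 2): "b", (1, 2, 1): "b", (1, 2, 2): "c",
    (2, 1, 1): "c", (2, 1, 2): "d", (2, 2, 1): "d", (2, 2, 2): "e",
}


def required_pl(severity: int, frequency: int, possibility: int) -> str:
    """Walk the risk graph: S (1 slight / 2 serious), F (1 seldom / 2 frequent),
    P (1 avoidance possible / 2 scarcely possible)."""
    try:
        return PLR_GRAPH[(severity, frequency, possibility)]
    except KeyError:
        raise ValueError("S, F and P must each be 1 or 2") from None


# IEC 62061: severity Se (1..4) against class Cl = Fr + Pr + Av.
# Class bands: 3-4, 5-7, 8-10, 11-13, 14-15.  "OM" = other measures recommended,
# None = no SIL requirement derived for that cell.
CLASS_BANDS = [(3, 4), (5, 7), (8, 10), (11, 13), (14, 15)]
SIL_MATRIX = {
    4: ["SIL2", "SIL2", "SIL2", "SIL3", "SIL3"],
    3: [None,   "OM",   "SIL1", "SIL2", "SIL3"],
    2: [None,   None,   "OM",   "SIL1", "SIL2"],
    1: [None,   None,   None,   "OM",   "SIL1"],
}


def required_sil(se: int, fr: int, pr: int, av: int):
    """Return (class Cl, SIL string or None) for the IEC 62061 parameters
    Se severity, Fr frequency/duration, Pr occurrence probability, Av avoidance."""
    if se not in SIL_MATRIX:
        raise ValueError("Se must be 1..4")
    cl = fr + pr + av
    band = next((i for i, (lo, hi) in enumerate(CLASS_BANDS) if lo <= cl <= hi), None)
    if band is None:
        raise ValueError(f"class {cl} outside 3..15; check Fr, Pr and Av")
    return cl, SIL_MATRIX[se][band]


if __name__ == "__main__":
    print("door monitoring example:", required_sil(3, 5, 4, 3))  # (12, 'SIL2')
    print("S2 F2 P2 ->", required_pl(2, 2, 2))                    # e
```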
Structure of systems and safety evaluation
Sub-system integrity (remark: values only as example):
- Sensor: SIL claim limit 2 / PL d, PFH_D1 = 2*10^-7 /h
- Safety PLC: SIL claim limit 3 / PL e, PFH_D2 = 1*10^-8 /h
- Actuator: SIL claim limit 3 / PL e, PFH_D3 = 3*10^-8 /h
SIL / PL adequation:
- SIL CL_SYS <= lowest SIL CL of the sub-systems -> SIL claim limit 2
- PL_SYS <= lowest PL of the sub-systems -> PL d
Probability of failure:
- PFH_D = PFH_D1 + ... + PFH_Dn + P_TE, where P_TE = probability of transmission error
- PFH_D = (20 + 1 + 3)*10^-8 /h < 10^-6 /h
System reaches: SIL 2 / PL d
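The slide combines three sub-systems by taking the lowest claim limit and summing the PFH_D values. The following added example (not from the presentation) does that combination and also checks the summed PFH_D against the IEC 61508 high-demand SIL bands and the ISO 13849-1 PL bands, so a chain whose PFH_D is too high is downgraded even when every claim limit would allow more; the P_TE contribution is a parameter, since the slide gives no number for it:

```python
"""System SIL / PL from sub-system claim limits and PFH_D values.
Added worked example using the slide's sub-system figures (example values only)."""
from dataclasses import dataclass

# (level, lower bound, upper bound) of PFH_D per hour; a value belongs to the band lo <= PFH_D < hi.
SIL_BANDS = [(4, 1e-9, 1e-8), (3, 1e-8, 1e-7), (2, 1e-7, 1e-6), (1, 1e-6, 1e-5)]
PL_BANDS = [("e", 1e-8, 1e-7), ("d", 1e-7, 1e-6), ("c", 1e-6, 3e-6),
            ("b", 3e-6, 1e-5), ("a", 1e-5, 1e-4)]


@dataclass
class SubSystem:
    name: str
    sil_cl: int     # SIL claim limit of the sub-system
    pl: str         # performance level a..e
    pfh_d: float    # dangerous failures per hour


def pfh_level(pfh_d, bands):
    """Level whose band contains pfh_d, or None when no claim is possible."""
    for level, lo, hi in bands:
        if lo <= pfh_d < hi:
            return level
    return None


def system_rating(subsystems, p_te=0.0):
    """Claim limit = lowest sub-system claim; PFH_D = sum of sub-systems + P_TE.
    The achieved level is the weaker of the claim limit and the PFH_D band.
    p_te is an assumption of this example (the slide leaves it out numerically)."""
    pfh_total = sum(s.pfh_d for s in subsystems) + p_te
    sil_cl = min(s.sil_cl for s in subsystems)
    pl_cl = min(s.pl for s in subsystems)  # 'a' < 'e' alphabetically, so min is the weakest PL
    sil_pfh = pfh_level(pfh_total, SIL_BANDS)
    pl_pfh = pfh_level(pfh_total, PL_BANDS)
    return {
        "pfh_d": pfh_total,
        "sil": min(sil_cl, sil_pfh) if sil_pfh is not None else None,
        "pl": min(pl_cl, pl_pfh) if pl_pfh is not None else None,
    }


# Sub-system chain from the slide: sensor, safety PLC, actuator
CHAIN = [SubSystem("sensor", 2, "d", 2e-7),
         SubSystem("safety PLC", 3, "e", 1e-8),
         SubSystem("actuator", 3, "e", 3e-8)]

if __name__ == "__main__":
    print(system_rating(CHAIN))  # PFH_D 2.4e-7 /h -> SIL 2 / PL d
```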
The way to a safe machine
Steps, each with the machine documentation it produces:
- Safety plan -> safety plan, verification plan
- Risk analysis -> risk analysis
- Specification -> specification, manuals
- Realisation (select devices, mounting, program, wiring) -> data sheets, wiring diagrams, software documentation
- Test -> test reports
- Verification -> verification reports
- Validation -> CE: documentation conforming to the Machinery Directive (MD)
The vision
- Safety controller (F-Host) and standard controller on the same fieldbus (DP/PA)
- Task 1: integration of safety communication
- Task 2: integration into the standard controller
- Safety inputs/outputs: conventional, e.g. E-Stop, limit switch, laser scanner, light curtains, robots, drives
- Standard inputs/outputs
- Same features as with standard devices, e.g. device/module replacement at runtime
PROFIsafe objectives
- Safety-related communication to protect people
- A safety function is performed through a control system using specific safety-related devices
- PROFIBUS, PROFINET, IO-Link: black channel principle
- Correct transmission of safety-related information: door position, E-Stop, limited speed
- Detection of alteration of telegrams, to avoid malfunction of the machine
- Systematic and random failures approach
PROFIsafe in real life
- Linked machines / linked plants, production lines
- Wireless communication: controller <-> controller; controller <-> device (mobile panel)
- Remote and/or maintenance station: monitoring and engineering functions
PROFIsafe Islands
Example ropeways: station <-> cabin.
(Network diagram: production PC and service PC with security client software; Internet; firewalls; local and remote VPN; Industrial Ethernet backbone; security gates and security zones; PROFINET IO and PROFIBUS DP segments, local and remote; commissioning; customer services; local and remote PROFIsafe islands.)
Safety & Security
IEC 61508 Part 1, 7.4.2.3
The hazards, hazardous events and hazardous situations of the EUC and the EUC control system shall be determined under all reasonably foreseeable circumstances (including fault conditions, reasonably foreseeable misuse and malevolent or unauthorised action). This shall include all relevant human factor issues, and shall give particular attention to abnormal or infrequent modes of operation of the EUC. If the hazard analysis identifies that malevolent or unauthorised action, constituting a security threat, as being reasonably foreseeable, then a security threats analysis should be carried out.
NOTE 1 For reasonably foreseeable misuse see 3.1.14 of IEC 61508-4.
NOTE 2 For guidance on hazard identification including guidance on representation and analysis of human factor issues, see reference [11] in the bibliography.
NOTE 3 For guidance on security risks analysis, see IEC 62443 series.
NOTE 4 Malevolent or unauthorised action covers security threats.
NOTE 5 The hazard and risk analysis should also consider whether the activation of a safety function due to a demand or spurious action will give rise to a new hazard. In such a situation it may be necessary to develop a new safety function in order to deal with this hazard.
New considerations
Security, with principles similar to IEC 61508 (ISA and IEC standard in work: IEC 62443):
- Functional Security Management
- SL (Security Level)
- No security function but SL vectors; one value in the vector corresponds to one attack
- Plant-specific evaluation
Safety (IEC 61508):
- Functional Safety Management
- SIL (Safety Integrity Level)
- One safety function for one risk (harm); one SIL for one safety function
- Machine-specific evaluation
Risk reduction according to IEC 61508 (same diagram as before: residual risk, acceptable risk, EUC risk; required and effective risk reduction covered with E/E/PE systems, other non-electrical technologies, and external means and measures)
Security measures not excluded!
IEC TC44 decision (modified)
Machine safety (Safety: OEM, machine builder; legal requirement: Machinery Directive; PL/SIL; * basic security for new systems; risk analysis only during the design phase; ends with CE mark or FAT):
- Risk analysis including security threats
- Security threats relevant for safety considerations
- Safety required
- F-measures including security measures and requirements to the environment
Transition
Security (Security: system integrator, final user; free application of ISA 99 / IEC 62443; SL; risk analysis to be done periodically or as required):
- Security risk analysis
- Security required
- Security measures and, if necessary, consequences for the safety risk analysis
IEC TC44 Plenary, London, September 2012, confirmed Clearwater 2014
Decision: TC 44 considers that security threats identified by the machine manufacturer related to accessible interfaces of electrical devices should be recorded in the documentation accompanying the machine. A risk analysis of the security threats to the machine should be taken by the user who can then take measures to avoid them at the system level. This information should be taken into consideration by TC 44 convenors and will be conveyed to TC 65.
Practical consequences: safety-related communication to protect people
- The machine manufacturer identifies accessible interfaces of electrical devices like USB, LAN, WLAN or other interfaces.
- The machine manufacturer identifies the possible types of access (data display, modification/alteration, insertion) regarding the type of data (user software, recipes, ...).
- The machine manufacturer describes the results in the information for use of the machine.
- The device manufacturer describes the security level of these interfaces (SL vector) and the internal or external measures to improve the SL (technical data, security handbook, ...).
- The final user decides which external measures are required for his own plant.
Security: principles similar to IEC 61508
ISA and IEC standard in work: IEC 62443
- Functional Security Management
- SL (Security Level)
- No security function but SL vectors; one value in the vector corresponds to one attack
- Plant-specific evaluation
Practical workflow
- The final user defines the target SL vector from a plant-specific risk analysis.
- The resulting measures are implemented by the final user or through a designated OEM.
- Examples of possible measures:
  - inherently secure (no sensitive interfaces, or no access to them)
  - only allowed people can access sensitive interfaces (organisational measures, e.g. security guards)
  - activation of complementary security measures in the devices
  - use of external protection measures
- Evaluation of the achieved SL vector
- The final user has to perform this workflow cyclically.
Security Management
Security management process:
1. Risk analysis
2. Policies, organizational measures
3. Technical measures
4. Validation & improvement
Industrial IT Security Services: risk analysis with definition of mitigation measures; setting up of policies and coordination of organizational measures.
Security Management Products & Systems: coordination of technical measures; regular / event-based repetition of the risk analysis.
Security Management is essential for a well thought-out security concept.
Security Levels
Security levels provide a qualitative approach to addressing security for a zone.
- SL 1: protection against casual or coincidental violation
- SL 2: protection against intentional violation using simple means with low resources, generic skills and low motivation
- SL 3: protection against intentional violation using sophisticated means with moderate resources, IACS-specific skills and moderate motivation
- SL 4: protection against intentional violation using sophisticated means with extended resources, IACS-specific skills and high motivation
Seven dimensions of the SL vector
SLs are based on the seven foundational requirements (FRs) for security:
- IAC: identification and authentication control
- UC: use control
- SI: system integrity
- DC: data confidentiality
- RDF: restricted data flow
- TRE: timely response to events
- RA: resource availability
Security level vectors: types
- SL-C (capability): a particular component or system is capable of being configured by an asset owner or system integrator to protect against a given type of threat.
- SL-T (target): the asset owner or system integrator has determined through a risk assessment that they need to protect this particular zone, system or component against this level of threat.
- SL-A (achieved): the asset owner, system integrator, product supplier and/or any combination of these has configured the zone, system or component to meet the particular security requirements defined for that SL.
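The three slides above (security levels, the seven FRs, and the SL-C / SL-T / SL-A vector types) describe the workflow of comparing a target vector from the plant risk analysis with what a device can do and what was actually achieved. The following added example (not from the presentation; all vector values are constructed) implements that per-FR comparison and reports the FRs where external measures are still needed:

```python
"""IEC 62443 security level vectors over the seven foundational requirements.
Added example: build SL vectors, find per-FR gaps between target (SL-T),
capability (SL-C) and achieved (SL-A).  All vector values are constructed."""

FOUNDATIONAL_REQUIREMENTS = ("IAC", "UC", "SI", "DC", "RDF", "TRE", "RA")

# Threat the level protects against, as on the "Security Levels" slide
SL_MEANING = {
    0: "no specific requirement",
    1: "casual or coincidental violation",
    2: "intentional violation, simple means, low resources",
    3: "intentional violation, sophisticated means, moderate resources",
    4: "intentional violation, sophisticated means, extended resources",
}


def sl_vector(**levels):
    """SL vector in FR order (IAC, UC, SI, DC, RDF, TRE, RA); unnamed FRs are 0."""
    unknown = set(levels) - set(FOUNDATIONAL_REQUIREMENTS)
    if unknown:
        raise ValueError(f"unknown FR(s): {sorted(unknown)}")
    vec = tuple(levels.get(fr, 0) for fr in FOUNDATIONAL_REQUIREMENTS)
    if any(v not in SL_MEANING for v in vec):
        raise ValueError("SL values must be 0..4")
    return vec


def gaps(have, target):
    """FRs where the vector 'have' falls short of 'target', with the shortfall.
    An empty result means every FR meets the target."""
    return {fr: t - h for fr, h, t in zip(FOUNDATIONAL_REQUIREMENTS, have, target) if h < t}


def format_vector(vec):
    """Notation used in IEC 62443-3-3, e.g. {2 2 1 1 2 1 1}."""
    return "{" + " ".join(str(v) for v in vec) + "}"


# Constructed case: the plant risk analysis asks for SL-T = {2 2 1 1 2 1 1} on a cell zone.
SL_T = sl_vector(IAC=2, UC=2, SI=1, DC=1, RDF=2, TRE=1, RA=1)
# The PLC's data sheet (SL-C) reaches only RDF 1: restricted data flow needs an external measure.
SL_C_PLC = sl_vector(IAC=2, UC=2, SI=2, DC=1, RDF=1, TRE=1, RA=1)
# After zoning with a firewall and configuring the PLC, the achieved vector is re-evaluated.
SL_A = sl_vector(IAC=2, UC=2, SI=2, DC=1, RDF=2, TRE=1, RA=1)

if __name__ == "__main__":
    print("SL-C gaps vs SL-T:", gaps(SL_C_PLC, SL_T))   # {'RDF': 1}
    print("SL-A meets SL-T:", not gaps(SL_A, SL_T))     # True
```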
IEC TC44 decision (modified), with SL vectors
Machine manufacturer (related to effects, e.g. death; delivery to the final user with CE mark or FAT):
- Risk analysis including security threats relevant for safety considerations -> SILr / PLr
- Safety required
- F-measures including security measures and requirements to the environment -> SIL/PL
- Security threats -> SL-C
Device manufacturer: SL-C vector for devices (PLCs, DCs, PDS/SR)
Final user (related to causes):
- Security risk analysis -> SL-T
- Security required
- Security measures and, if necessary, consequences for the safety risk analysis -> SL-A (implemented by the final user or the OEM)
A solution is a deployed control system that fulfils the protection requirements of a plant
- Plant environment: the asset owner specifies the required protection level of the plant (IEC 62443 / ISA-99).
- Solution: the system integrator deploys the control system into the plant (part 3-2: zones and conduits).
- Control system: a combination of PLCs, HMIs, PC devices, network devices and software (part 3-3: system requirements; series 4: components).
- Product supplier: develops the components independently of the plant environment.
IEC 62443 / ISA-99 document structure and the parts relevant to each role
General (definitions, metrics):
- 1-1 Terminology, concepts and models
- 1-2 Master glossary of terms and abbreviations
- 1-3 System security compliance metrics
Policies and procedures (requirements placed on the security organization and processes of the plant owner and suppliers):
- 2-1 Requirements for an IACS security management system (profile of ISO 27001 / 27002)
- 2-3 Patch management in the IACS environment
- 2-4 Requirements for IACS solution suppliers
System (requirements to achieve a secure system):
- 3-1 Security technologies for IACS
- 3-2 Security levels for zones and conduits
- 3-3 System security requirements and security levels
Component (requirements to secure system components):
- 4-1 Product development requirements
- 4-2 Technical security requirements for IACS products
Each part covers either functional requirements or processes / procedures.
Asset owner: security management process of the asset owner (2-1); patch management process of the asset owner (2-3); functional requirements for the output of the asset owner's risk assessment.
System integrator: security documentation, policies and procedures of the system integrator (2-4); patch management process of the system integrator (2-3); functional requirements for the output of the system integrator's risk assessment.
Product supplier: security documentation, policies and procedures of the system and component supplier (2-4); patch management process of the system and component supplier (2-3); development process of the component supplier (4-1); functional requirements placed on the system supplier (3-3); functional requirements placed on the component supplier (4-2).
Thank You!