Agenda
Introduction
Importance of Safety & Cyber Security
Importance of Safety & Alarm Management
Conclusion
Introduction
Modern SIS & BPCS utilize more intelligent and connected devices:
+ Open architectures provide vulnerabilities to cyber attacks
+ Recent incidents have highlighted this problem
Operators can be overwhelmed during process upsets and/or emergency situations:
+ Accidents have been attributed to alarm floods confusing operators
+ Diagnostics often provide a large amount of information that ends up being treated as “alarms” when it should be alerts/advisories
SIS, BPCS and Operator Response to Alarm are Layers of Protection
What is IACS Security?
Prevention of intentional or unintentional interference with the proper operation of industrial automation and control systems via the use of:
+ computers, networks, operating systems, applications
+ other programmable configurable components of the system
Goes by many names:
+ SCADA Security
+ PCN Security
+ Industrial Automation and Control System Security
+ Control System Cyber Security
+ Industrial Network Security
+ Electronic Security for Industrial Automation and Control Systems
Functional Safety & Cyber
The final task in the assessment or FEED phase is to document the system-level cyber security requirements:
+ Scope and purpose of the system
+ Physical and environmental security requirements
+ General cyber security requirements
+ Zone and Conduit specific requirements
Groupings of Requirements
Access Control requirements
+ Identification and authentication of users
+ User roles and privileges
+ User administration
Confidentiality, Integrity and Availability requirements
Monitoring and reporting requirements
ISA 62443-3-3 “System security requirements and security levels” is the standard that provides the overall system-level cyber security requirements for IACS (Industrial Automation and Control Systems). Additional guidance is provided by ISA-TR84.00.09 “Cybersecurity Related to the Functional Safety Lifecycle”.
Changes in IEC 61511-1 (2016)
IEC 61511-1 (2016) now requires end users to ensure that adequate steps have been taken to protect the SIS from cyber attacks:
+ Perform a risk assessment
+ Document potential threats that could exploit vulnerabilities
+ Understand the risks posed by these threats (i.e. consequence & likelihood)
+ Consider all lifecycle phases and requirements for additional risk reduction
What Are IACS Vulnerabilities?
Commercial Off-the-Shelf Technology (COTS) and protocols
+ Integration of technology such as MS Windows, SQL, and TCP/IP means that process control systems are now vulnerable to the same viruses, worms and trojans that affect IT systems
Enterprise Integration
+ Enterprise integration (using plant, corporate and even public networks) means that (legacy) process control systems are now being subjected to stresses they were not designed for
Remote Access
+ 24/7 access for engineering, operations or technical support means more insecure or rogue connections to the control system
Public Information
+ Manuals on how to use the control system (and passwords) are publicly available
Pathways into the Control Network
[Diagram: network layers Internet, Office LAN, Plant Network and Control LAN, with the pathways in: Infected Laptops, Mis-Configured Firewalls, Unauthorized Connections, External PLC Networks, Infected Remote Support, RS-232 Links, Modems]
Why is IACS Security Important for SIS?
SIS/Control/SCADA systems control “real-world” devices and processes
Failure or unpredictable operation of a SIS/Control/SCADA system can lead to serious consequences:
+ Production loss / service interruption
+ Off-spec / dangerous product
+ Environmental releases
+ Sickness / injury / death
IACS equipment has been shown to be more sensitive to excessive network traffic
Why Is This Important?
Modern SIS systems and BPCS communicate via a Process Control Network
Use of Ethernet and open standard protocols provides vulnerabilities
Compromising an SIS via a cyber incursion could have drastic effects due to loss of safety functions
Management Agenda
Don’t be nostalgic – Understand the history
Understand the economic drivers of:
+ Commercial Off-The-Shelf Technology
+ Remote Access
+ Network Systems
Prevent the SIS from being compromised to avoid potential disastrous outcomes
Functional Safety & Alarm Management
How Your SIS Can be Affected!
[Diagram: risk scale from Zero to High across the layers of protection Process, Alarm, BPCS, Mechanical and SIS; annotated SIL 1 (RRF = 15), (RRF = 10), SIL 2 (RRF = 667)]
Safety & Alarm Management
What is the main purpose of having an effective alarm management system?
a) Ensure safe operations
b) Prevent unplanned shutdowns, damage to equipment, and process safety incidents
c) As a tool to help the operator perform their role
d) To ensure compliance with standards (ISA-18.2) and regulations (OSHA PSM)
Can prevent safety incidents and help the operator keep the process within normal operating limits (optimized production)
What is the purpose of an Alarm?
To make operators aware of abnormal situations
To help operators diagnose the source of an upset
To guide them to an appropriate response in order to prevent an impending (likely) consequence
Each alarm is important. If there is no response, or the response is ineffective, then something bad (the consequence) will occur
[Diagram: process state Normal → Abnormal → Alarm; an Effective Response returns the process to Normal, an Ineffective Response leads to Shutdown]
Common Alarm Management Issues
Alarm Overload (too many alarms for the operator, which compromises the BPCS/Alarm protection layer, increasing demands on the SIS, leading to increased risk)
Alarm Floods
Nuisance Alarms
+ Chattering Alarms
+ Standing / Stale Alarms
+ Bad Actors / Frequently Occurring
+ Redundant Alarms
+ Alarms which have no response
Alarms with the Wrong Priority
The presence of these issues diminishes the usefulness of the alarm system
ISA-18.2 Standard
Recognized as “Good Engineering Practice” by insurance companies and regulatory agencies (OSHA)
Alarm Management Lifecycle
[Diagram, ISA-18.2 lifecycle stages: Philosophy, Identification, Rationalization, Detailed Design, Implementation, Operation, Maintenance, Monitoring & Assessment, Management of Change, Audit]
What is an Alarm? (ISA-18.2)
An audible and/or visual means of indicating to the operator an equipment malfunction, process deviation or other abnormal condition requiring a (timely) response. (ISA-18.2/ IEC 62682)
Notifications
Alarm Rationalization helps to ensure alarms meet these criteria.

Type of Event    Operator Action Required    No Operator Action Required (Informational)
Abnormal         Alarm                       Alert
Expected         Prompt                      Message

[Diagram: notifications grouped as Events, Prompts, Alarms and Alerts]
Key Design Principles
Every alarm MUST have a defined response
Adequate time MUST be allowed for the operator to implement a defined response
Every alarm that is presented to the operator MUST be useful, relevant and unique
Operators MUST not get more alarms than they can reasonably respond to
Alarms MUST be prioritized and understandable
If Operator Response (Action) Can Not Be Defined → Not an alarm*
*Ref EEMUA 191 (2013)
Safety Alarms
Safety Alarm (Safety Related Alarm): an alarm that is classified as critical to process safety or to the protection of human life or the environment. (ISA-18.2-2016)
Specification: define what is considered a Safety Alarm for your site
+ Prevention vs. Mitigation
+ Loss of Key Utility (power, air…)
+ SIS Diagnostic Fault
+ SIS Trip Failure
+ Defined as an IPL
+ Loss of Containment
+ Toxic Gas Detection
[Diagram: nested sets SAFEGUARDS ⊃ IPLs ⊃ SAFETY ALARMS]
Key Requirements for Safety Alarms
Alarm Rationalization (including classification)
Measure Alarm System Performance & Address Issues
Operator Training / Alarm Response Procedures
New standard: ISA-84.91.03 “Functional Safety: Safety Controls, Alarms, and Interlocks for the Process Sector” will define requirements
Alarm Rationalization
+ Determine whether the alarm is justified & necessary (based on criteria in the alarm philosophy document)
+ Document alarm purpose / objective (cause, consequence, corrective action, response time)
+ Document design (limit, priority, classification…)
+ Record results in a Master Alarm Database (MADB)
Goal is to create the minimum set of alarms needed to keep the plant safe and within normal operating limits.
Alarm Rationalization
+ Reduces alarm load on the operator
+ Maintains the demand rate defined for the SIS
+ Reduces the chance of missing critical alarms
+ Removes nuisance alarms (chattering, fleeting or stale alarms)
+ Eliminates redundant alarms (avoids the risk of confusion)
+ Operator response is quicker, more consistent, and more effective
+ Increases system integrity (improves operator trust in the alarm system)
+ Alarms are prioritized for correct action
+ Optimizes the risk reduction of alarms used as a safety layer of protection
Alarm Response Procedures / Operator Training
To respond effectively, the operator needs to understand the alarm’s basis:
+ What happened? (Likely cause(s) for the alarm)
+ What will happen if I don’t respond? (Consequences of Inaction)
+ What should I do? (Operator Action)
+ How can I verify it's not a false alarm? (Confirmation)
+ How much time do I have to respond?
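The key design principles, the Safety Alarm specification, the rationalization steps and the five questions above map naturally onto a master alarm database record. The script below is an added example (not from the slides or any vendor tool) that rationalizes a few constructed PHA candidates into a MADB: a candidate with no defined operator action is not an alarm, duplicates are rejected, priority comes from an assumed severity x time-to-respond matrix (a placeholder for the site's own philosophy), and classification uses the Safety Alarm triggers listed earlier.

```python
# Assumed site priority matrix (consequence severity x time available to respond). The slides only say
# alarms must be prioritized; the matrix itself belongs in the site's alarm philosophy and is a placeholder.
PRIORITY = {"major": ("High", "High", "Medium"), "moderate": ("High", "Medium", "Low"), "minor": ("Medium", "Low", "Low")}
# Safety Alarm triggers listed on the slides; a site's own philosophy defines the full set.
SAFETY_CATEGORIES = {"SIS diagnostic fault", "SIS trip failure", "IPL", "loss of containment",
                     "toxic gas detection", "loss of key utility"}

def time_band(minutes):
    """Assumed response-time bands: 0 = under 3 min, 1 = under 10 min, 2 = 10 min or more."""
    return 0 if minutes < 3 else 1 if minutes < 10 else 2

def rationalize(candidate):
    """Apply the key design principles to one candidate; returns a MADB entry, or None if it is not an alarm."""
    if not candidate.get("action"):          # no defined operator response: an alert/notification, not an alarm
        return None
    entry = {k: candidate.get(k) for k in ("tag", "condition", "limit", "cause", "consequence", "action", "confirmation")}
    minutes = candidate.get("time_to_respond_min", 0)
    entry["findings"] = ["missing " + k for k in ("cause", "consequence", "confirmation") if not entry[k]]
    if minutes <= 0:
        entry["findings"].append("no time for the operator to respond")
    entry["priority"] = PRIORITY[candidate["severity"]][time_band(minutes)]
    entry["classification"] = "Safety Alarm" if candidate.get("category") in SAFETY_CATEGORIES else "Standard"
    return entry

def build_madb(candidates):
    """Rationalize all candidates into a MADB keyed by (tag, condition); returns (madb, rejected)."""
    madb, rejected = {}, []
    for c in candidates:
        key = (c["tag"], c["condition"])
        entry = rationalize(c)
        if entry is None:
            rejected.append((key, "no defined response: reclassify as alert/notification"))
        elif key in madb:
            rejected.append((key, "redundant alarm: already in MADB"))
        else:
            madb[key] = entry
    return madb, rejected

# Constructed candidates (not from the slides), as they might come out of a PHA review.
CANDIDATES = [
    {"tag": "PT-205", "condition": "HH", "limit": 12.0, "severity": "major", "time_to_respond_min": 2,
     "cause": "blocked outlet", "consequence": "vessel overpressure, SIS demand", "action": "open bypass, reduce feed",
     "confirmation": "PT-206 also rising", "category": "IPL"},
    {"tag": "PT-205", "condition": "HH", "limit": 12.0, "severity": "major", "time_to_respond_min": 2,
     "cause": "blocked outlet", "consequence": "vessel overpressure", "action": "reduce feed"},      # duplicate
    {"tag": "XV-310", "condition": "FAULT", "severity": "moderate", "time_to_respond_min": 30,
     "category": "SIS diagnostic fault", "cause": "solenoid coil failure", "consequence": "valve may not close on demand",
     "action": "raise work order, monitor", "confirmation": "partial stroke test"},
    {"tag": "FT-330", "condition": "LO", "severity": "minor", "time_to_respond_min": 15, "cause": "pump trip"},  # no action
]
```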
Monitoring & Assessment of Alarm System Performance
Must evaluate alarm performance and proactively address issues (overload, nuisance alarms)
Each activation of Safety Alarms must be reviewed / investigated
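Measuring alarm system performance means computing the issues named under Common Alarm Management Issues (floods, chattering, bad actors, standing alarms) from the alarm journal. The script below is an added example (not from the slides) run over a constructed journal; the thresholds are the common ISA-18.2 / EEMUA 191 rules of thumb (more than 10 alarms in 10 minutes is a flood, 3 activations in a minute is chattering, active for more than 24 h is stale) and the tag names are invented.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed alarm journal (not from the slides): (timestamp, tag, "ALM" = activation / "RTN" = return to normal)
JOURNAL = (
    # LT-101.HI chatters: three activations inside one minute
    [("2024-01-01 08:00:%02d" % s, "LT-101.HI", ev)
     for s, ev in ((0, "ALM"), (20, "RTN"), (35, "ALM"), (50, "RTN"), (58, "ALM"))]
    + [("2024-01-01 08:01:10", "LT-101.HI", "RTN"),
       ("2024-01-01 08:02:00", "PT-205.HH", "ALM")]          # PT-205.HH never returns to normal
    # twelve different flow alarms in six minutes during an upset: an alarm flood
    + [("2024-01-01 09:%02d:%02d" % divmod(30 * n, 60), "FT-3%02d.LO" % n, "ALM") for n in range(12)]
    + [("2024-01-01 09:10:00", "FT-3%02d.LO" % n, "RTN") for n in range(12)]
    + [("2024-01-02 09:00:00", "TT-410.HI", "ALM"), ("2024-01-02 09:05:00", "TT-410.HI", "RTN")]
)

def activations(journal):
    """(time, tag) for every alarm activation in the journal."""
    return [(datetime.fromisoformat(t), tag) for t, tag, ev in journal if ev == "ALM"]

def peak_10min(journal, window=timedelta(minutes=10)):
    """Worst 10-minute window as (start, count); ISA-18.2 treats more than 10 alarms in 10 minutes as a flood."""
    times = [t for t, _ in activations(journal)]
    count, start = max((sum(1 for u in times[i:] if u - t < window), t) for i, t in enumerate(times))
    return start, count

def chattering_tags(journal, window=timedelta(seconds=60), repeats=3):
    """Tags that activate `repeats` or more times within `window` (EEMUA 191 guidance for chattering alarms)."""
    per_tag = defaultdict(list)
    for t, tag in activations(journal):
        per_tag[tag].append(t)
    return sorted(tag for tag, ts in per_tag.items()
                  if any(ts[i + repeats - 1] - ts[i] < window for i in range(len(ts) - repeats + 1)))

def bad_actors(journal, top=3):
    """Most frequently occurring tags as (tag, activations, percent of all activations)."""
    counts = Counter(tag for _, tag in activations(journal))
    total = sum(counts.values())
    return [(tag, n, round(100 * n / total, 1)) for tag, n in counts.most_common(top)]

def stale_alarms(journal, max_age=timedelta(hours=24)):
    """Tags still active at the end of the journal for longer than `max_age` (standing / stale alarms)."""
    active, end = {}, max(datetime.fromisoformat(t) for t, _, _ in journal)
    for t, tag, ev in journal:
        if ev == "ALM":
            active.setdefault(tag, datetime.fromisoformat(t))   # keep the first activation time
        else:
            active.pop(tag, None)
    return sorted(tag for tag, since in active.items() if end - since > max_age)

if __name__ == "__main__":
    print(peak_10min(JOURNAL), chattering_tags(JOURNAL), bad_actors(JOURNAL), stale_alarms(JOURNAL))
```

Each activation of a tag classified as a Safety Alarm should additionally be pulled out of the same journal for the review the slide requires.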
Conclusion
Including Cyber Security and Alarm Rationalization when considering SIS applications will enhance performance and improve safety
Performing a cyber risk assessment when performing PHAs will save time and money later on, when assessment and implementation would become more costly
Identifying alarms during PHAs, as potential protection layers, will ensure prioritization and enable a master alarm database to be created early on
SIS designers will have to consider these requirements for implementation