Cybersecurity for
Safety Systems
As project team leaders begin to design and implement a safety instrumented system (SIS)
and a basic process control system (BPCS), they must assess their goals. Decision makers
must choose how the two systems will form an architecture that securely delivers the
capabilities required for engineering, safety, and operations.
Cybersecurity relies, in part, on multiple layers of protection surrounding each and both systems. In the following architecture diagrams, layers of protection are represented as colored circles around the systems. Layers of protection can include tactics such as user-account management, a comprehensive approach to prevent inadvertent malware infections, and embedded lock functionality in logic solvers.

Choosing an SIS and BPCS architecture

Selection of the safety instrumented system (SIS) and basic process control system (BPCS) architecture sets the stage for a safe and secure automation process and environment and impacts the lifecycle of the system. Industry-accepted cybersecurity standards suggest that the systems must be logically independent no matter the degree to which they are physically linked.

International Society of Automation (ISA) guidelines require that safety-critical assets be logically or physically zoned away from non-safety-critical assets. In addition, the guidelines from the User Association of Automation Technology in Process Industries (NAMUR) define three zones that must be logically separated.

Separate (or air-gapped) BPCS architecture

As the name indicates, a separate (or air-gapped) architecture means the SIS is not connected to the BPCS — at any level. No automated method exists to move data between the systems. Completely separate architectures are declining in use

[Diagram: separate (air-gapped) architecture. Labels on the page: IT infrastructure, historian, peripherals, engineering station, AMS, SIS HMI, extended SIS, sensors, logic solver including I/O, final elements; an air gap separates the BPCS side from the SIS side.]

Interfaced SIS architecture

[Diagram: interfaced SIS architecture. Labels on the page: IT infrastructure, peripherals, extended SIS.]
emerson.com/deltavcybersecurity
Evaluating architectures

Each architecture can be hardened and, to some degree, can fit the unique organizational requirements based on cybersecurity policies, risk assessments, and knowledgeable personnel. Because no facility has unlimited resources, teams need to choose an architecture keeping in mind how much work will be required in building and maintaining it. The following three elements factor into the short- and long-term cybersecurity strategy for SIS.

System entry points

Entry points to the core SIS vary according to the architecture.

Separate (air-gapped): SIS configuration and maintenance is achieved through a dedicated engineering station kept offline or disconnected from external networks. Access to this station needs to be limited to SIS engineers only — to prevent malware infections, remote access, misuse by trusted insiders, or access via USB ports.

Interfaced: Although it is generally assumed that only one SIS entry point is present via the BPCS connection, several entry points could exist to the core SIS. These entry points — such as workstations on the safety network as well as interfaces to a historian or an asset management system — must be defended with custom cybersecurity countermeasures.

Integrated: Potentially the strongest of the three architectures, the integrated approach has only a single point of entry to the safety-critical components of the SIS. The core SIS is isolated even from the extended SIS to reduce the attack surface. The single point of entry for the core SIS is protected via a unified defense-in-depth approach while maintaining functional segmentation to operate independently.

Layers of defense

Layers of defense around each system contain protection mechanisms to diminish cyber-threats such as unauthorized access. To varying degrees, the layers for each architecture assist or detract from the daily task of process control.

Separate (air-gapped): The SIS and BPCS each require their own layers of defense that need design and maintenance. The team must discern how to communicate between them without sacrificing security. Security might be compromised by using removable media or a temporary connection to a compromised laptop that eventually would be connected to the safety network.

Interfaced: Implementing separate layers for each system increases the complexity of design, maintenance, and engineered pathways between the systems, which are often based on unsecured protocols such as Modbus TCP. Any changes made to the systems or to the outer protective layers could impact the connectivity between the BPCS and SIS.

Integrated: The integrated system can share a set of defense-in-depth layers for many common defense systems — antivirus, whitelisting, firewalls, and more — to simplify management for the asset owner. In addition, the SIS uses its own defense measures that provide extra protection to safety-critical components.

Lifecycle maintenance

The more tasks needed to maintain a defendable system, the more personnel time and expertise will be required. The goal is to have the strongest defendable architecture maintained by the most efficient methods.

Separate (air-gapped): Maintaining cybersecurity and keeping two systems current requires system administrators to design and maintain two solutions, one per system. Maintenance of safety sensors and final elements must be scheduled periodically and performed manually, as smart devices are prevented from self-diagnosing and communicating issues to maintenance personnel. The manual nature of the tasks is the major flaw of this architecture option.

Interfaced: Although communication occurs across connected paths, maintenance teams must deal with engineered connections that might be impacted by changes to the cybersecurity architecture. Updating virus definitions must be completed on multiple systems, might involve different vendors, and runs the risk of conflicting with existing connectivity. Duplication of efforts to maintain the independence between the SIS and BPCS can result in multiple vendor systems, increased downtime, and more potential for errors.

Integrated: Maintenance is simpler because the SIS is wrapped in layers of defense that also defend the BPCS. For example, although the SIS has some additional built-in protections specifically for the SIS, anti-malware solutions are provided for the ICSS as one system – which simplifies updates. Integrated diagnostics also provide lifecycle maintenance simplicity because SIS-related alerts from smart devices can be sent easily via the BPCS to maintenance personnel to signal potential sensor or final element issues.
Engineering savings

The integrated SIS approach helps an organization reduce engineering costs by eliminating tasks, reducing overlap in responsibilities, avoiding rework, and preparing the organization for digital transformation and a mobile workforce. Savings arise from reductions in or even elimination of engineering activities such as data mapping. In fact, no data mapping is required in the integrated approach. Engineers do not need to track the relationship between SIS data and BPCS data, thus reducing costly data-entry errors during start-up and streamlining maintenance later.

No handshaking logic is required either. To monitor the health of the communication link in interfaced systems, it is common to implement watchdog applications, which are not needed in an integrated approach due to the coordinated diagnostics.

Efficient project engineering is further enhanced through a common engineering environment where the integrated SIS and BPCS generally employ the same engineering workstations and tools with the same look-and-feel. The common environment available in an integrated SIS architecture means that engineers working on the systems will have a similar experience and will require less training time. Project engineers also save time by working in the SIS and BPCS common environment as they, for example, assign unique user privileges for the BPCS and SIS.

Installation, testing, and commissioning in the integrated environment

After some of the initial engineering is complete, additional time is saved in installation. The integrated architecture employed by the DeltaV solution means that system cabinets and field enclosures for the DCS and SIS are similar, which facilitates faster design and installation. An integrated approach might require fewer components; for example, there is no need for HART multiplexers for routing HART information from field devices — components which not only increase hardware cost and complexity, but also create additional connection points that will require oversight.

As the project moves to factory acceptance testing (FAT), tasks are simplified due to the inherent communications between the systems — the configuration on either side can be updated easily as testing proceeds.
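The watchdog applications that Engineering savings describes for interfaced systems are link-health monitors: one side increments a heartbeat counter every scan, the other side polls it and declares the link dead when the value stops changing. The following model is an added example written for this page; it is not DeltaV code and assumes a hypothetical 16-bit heartbeat register and a constructed sample of polled values. It shows what the interfaced architecture has to engineer and maintain, and what coordinated diagnostics in an integrated system make unnecessary.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class LinkWatchdog:
    """Tracks a heartbeat counter that the peer system increments once per scan
    and publishes over the interface link. The link counts as healthy only while
    the counter keeps changing within timeout_s: a frozen value means the peer
    application or the path has stalled, even if the transport still answers polls."""
    timeout_s: float
    counter_bits: int = 16                    # width of the peer's heartbeat register (assumed)
    last_counter: Optional[int] = None
    last_change_at: Optional[float] = None
    healthy: bool = False
    events: List[str] = field(default_factory=list)

    def observe(self, counter: int, now: float) -> bool:
        """Feed one polled heartbeat value; returns the link health afterwards."""
        modulus = 1 << self.counter_bits
        if self.last_counter is None:
            # First sample: remember it, but stay unhealthy until the counter moves.
            self.last_counter, self.last_change_at = counter, now
            return self.healthy
        if counter != self.last_counter:
            expected = (self.last_counter + 1) % modulus   # wrap-around is normal
            if counter != expected:
                self.events.append(
                    f"t={now:g} sequence jump {self.last_counter}->{counter} "
                    "(peer restart or lost polls)")
            self.last_counter, self.last_change_at = counter, now
            if not self.healthy:
                self.healthy = True
                self.events.append(f"t={now:g} link healthy")
        elif self.healthy and now - self.last_change_at > self.timeout_s:
            self.healthy = False
            self.events.append(
                f"t={now:g} link stale: no heartbeat change for "
                f"{now - self.last_change_at:g}s")
        return self.healthy


def run_trace(trace: List[Tuple[float, int]], timeout_s: float = 2.5):
    """Replay (time, counter) samples; returns the health after each sample and the watchdog."""
    wd = LinkWatchdog(timeout_s=timeout_s)
    return [wd.observe(counter, t) for t, counter in trace], wd


# Constructed sample: the peer freezes at 3 for three polls, then recovers.
SAMPLE_TRACE = [(0, 1), (1, 2), (2, 3), (3, 3), (4, 3), (5, 3), (6, 4)]

if __name__ == "__main__":
    health, wd = run_trace(SAMPLE_TRACE)
    print(health)
    for line in wd.events:
        print(line)
```

Timeouts must be longer than the peer's scan period plus the poll interval, or the monitor will flap on ordinary jitter; the wrap-around handling matters because a narrow register rolls over often and a naive "counter increased" check would misreport every rollover as a failure.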
Simpler and safer operations

Procedures and culture play key roles in maintaining safe operations. When operations can be more simply accomplished, safety is strengthened. The integrated approach promotes streamlined operations and maintenance, creating a strong and secure environment. In the long term, the integrated control and safety system (ICSS) approach provides benefits beyond time and cost savings by increasing operational efficiencies across the facility.

Reduced training curve

Ideally, facilities have separate resources to work on the BPCS and SIS. But the reality is that some organizations have the same instrument technicians maintain both SIS and DCS field devices. In some industries or facilities, operators interact with both systems too – monitoring both the process and safety systems in a central control room. Often, the system administrators (persons maintaining backups, user accounts, patch management, etc.) are the same for both DCS and SIS regardless of whether DCS and SIS are integrated, interfaced, or isolated from each other.

A single operator can monitor consolidated alarms and events to facilitate coordination during an abnormal situation. For example, in certain processes (e.g., boilers), the process control and the safety application (Burner Management System) are interrelated. Combining both in the same console facilitates daily operation and response to an abnormal situation.

Integration can increase operational awareness and decision support for an operator. For example, to increase awareness a gas detector can be made visible to all operators rather than just the safety personnel. To ensure safety, configuration can allow all operators to view the SIS data, but only the personnel with the appropriate privileges can interact with the SIS via secure mechanisms.

Streamlined process changes and cybersecurity updates

While project teams recognize the importance of a properly functioning SIS, they sometimes incorrectly assume that once the SIS is initially configured and installed, it will function for the lifecycle of the equipment with no need to change or adjust. But things change – even the SIS. Over the lifetime of the plant, the SIS might change with process improvements or site expansions. The ICSS also needs software version updates. On a properly designed ICSS, the BPCS and SIS can be upgraded independently to accommodate schedules. In addition, the SIS needs to be periodically proof tested – an integrated architecture facilitates the proof-testing process through efficient data access to SIS records.

Built-in security around bypasses

Bypasses on a safety system are necessary for maintenance purposes. While the process and paperwork for bypass approval is typically done outside the SIS, the SIS must properly manage them.

The DeltaV SIS can handle bypass permits, preventing multiple bypasses on the same safety function and automatically removing bypasses if necessary. With an integrated safety system such as the DeltaV system, bypass notifications are easily accessible on the ICSS workstations and do not require modifying the BPCS interface. Multiple users can be notified in the event of a bypass being set and even receive a notification on a mobile device.
Cybersecurity threats are more prevalent than ever. An air gap between the SIS and BPCS is not sufficient protection. Comprehensive cybersecurity features make the DeltaV™ SIS a defendable safety system deployed in either an interfaced or integrated architecture.

Stronger Together
Emerson

North America, Latin America: +1 800 833 8314 or +1 512 832 3774
Asia Pacific: +65 6777 8211
Europe, Middle East: +41 41 768 6111
www.emerson.com/deltavcybersecurity

©2020, Emerson. All rights reserved. The Emerson logo is a trademark and service mark of Emerson Electric Co. The DeltaV logo is a mark of one of the Emerson family of companies. All other marks are the property of their respective owners. The contents of this publication are presented for informational purposes only, and while diligent efforts were made to ensure their accuracy, they are not to be construed as warranties or guarantees, express or implied, regarding the products or services described herein or their use or applicability. All sales are governed by our terms and conditions, which are available on request. We reserve the right to modify or improve the designs or specifications of our products at any time without notice.