
Building Defendable Cybersecurity for Safety Systems

As project team leaders begin to design and implement a safety instrumented system (SIS)
and a basic process control system (BPCS), they must assess their goals. Decision makers
must choose how the two systems will form an architecture that securely delivers the
capabilities required for engineering, safety, and operations.

Choosing an SIS and BPCS architecture

Selection of the safety instrumented system (SIS) and basic process control system (BPCS) architecture sets the stage for a safe and secure automation process and environment and impacts the lifecycle of the system. Industry-accepted cybersecurity standards suggest that the systems must be logically independent no matter the degree to which they are physically linked. International Society of Automation (ISA) guidelines require that safety-critical assets be logically or physically zoned away from non-safety-critical assets. In addition, the guidelines from the User Association of Automation Technology in Process Industries (NAMUR) define three zones that must be logically separated.

[Figure caption: NAMUR defines three zones that must be logically separated.]

Asset owners can choose the form of separation between the systems that meets their specific cybersecurity requirements to form a defendable safety system architecture. Because these decisions affect the project engineering and facility lifecycle, teams should begin selecting the architecture at the start of the project design phase and include their choice in the bid specification.

Although SIS/BPCS architecture selection impacts the cybersecurity posture of the system as well as the effort required to maintain it, the most important protections against cyber-threats are the inherent cybersecurity features of the SIS itself and the practices surrounding system operations.

Architecture options

Three SIS/BPCS architectures provide different degrees of connection between systems and related security options:
• Separate (or air-gapped)
• Interfaced
• Integrated (or integrated but separate)

“While all three integration approaches have their merits, the integrated-but-separate approach will ultimately become the architecture of choice for many end users, since it offers the most potential to minimize common cybersecurity threats between the systems.”
Source: ARC 2016 report for Process Safety Systems Global Market Research Study

Cybersecurity relies, in part, on multiple layers of protection surrounding each and both systems. In the following architecture diagrams, layers of protection are represented as colored circles around the systems. Layers of protection can include tactics such as user-account management, a comprehensive approach to prevent inadvertent malware infections, and embedded lock functionality in logic solvers.

Separate (or air-gapped) BPCS architecture

[Figure: separate architecture diagram. Labels: PERIPHERALS, IT INFRASTRUCTURE, HISTORIAN, ENGINEERING STATION, AMS, SIS HMI, AIR GAP, EXTENDED SIS, CORE SIS (LOGIC SOLVER INCLUDING I/O, SENSORS, FINAL ELEMENTS).]

As the name indicates, a separate (or air-gapped) architecture means the SIS is not connected to the BPCS — at any level. No automated method exists to move data between the systems. Completely separate architectures are declining in use because they lack the efficient and secure data exchange required for proper plant operation.

Interfaced SIS architecture

[Figure: interfaced architecture diagram with core SIS entry points numbered 1 to 5. Labels: PERIPHERALS, IT INFRASTRUCTURE, HISTORIAN, BPCS, ENGINEERING STATION, AMS, SIS HMI, EXTENDED SIS, CORE SIS (LOGIC SOLVER INCLUDING I/O, SENSORS, FINAL ELEMENTS).]

The interfaced architecture, most often chosen when an SIS is added to a legacy BPCS, shares data between the SIS and the BPCS via physical/network connections using standard industrial protocols such as Modbus TCP. While there is greater separation between the BPCS and the extended SIS, this architecture typically requires more entry points to the core SIS than the integrated architecture, as indicated by the numbers in the illustration.

Integrated SIS architecture

[Figure: integrated architecture diagram. Labels: PERIPHERALS, IT INFRASTRUCTURE, HISTORIAN, AMS, ENGINEERING STATION, BPCS, SIS HMI, BPCS GATEWAY, EXTENDED SIS, CORE SIS (LOGIC SOLVER INCLUDING I/O, SENSORS, FINAL ELEMENTS).]

The integrated architecture isolates the SIS and can provide a single entry point between the BPCS and core SIS, rather than the multiple points of the interfaced architecture. The extended SIS (with non-safety-critical components) is closer to the BPCS, but the core SIS is separated from the BPCS more than in typical interfaced architectures. The systems — sometimes referred to jointly as an Integrated Control and Safety System (ICSS) — share protection layers and rely on out-of-the-box connection points.

emerson.com/deltavcybersecurity
Evaluating architectures

Each architecture can be hardened and, to some degree, can fit the unique organizational requirements based on cybersecurity policies, risk assessments, and knowledgeable personnel. Because no facility has unlimited resources, teams need to choose an architecture keeping in mind how much work will be required in building and maintaining it. The following three elements factor into the short- and long-term cybersecurity strategy for SIS.

[Figure: BPCS/SIS diagrams for the three architectures compared below: SEPARATE, INTERFACED, INTEGRATED.]

System entry points
Entry points to the core SIS vary according to the architecture.

Separate: SIS configuration and maintenance is achieved through a dedicated engineering station kept offline or disconnected from external networks. Access to this station needs to be limited to SIS engineers only — to prevent malware infections, remote access, misuse by trusted insiders, or access via USB ports.

Interfaced: Although it is generally assumed that only one SIS entry point is present via the BPCS connection, several entry points could exist to the core SIS. These entry points — such as workstations on the safety network as well as interfaces to a historian or an asset management system — must be defended with custom cybersecurity countermeasures.

Integrated: Potentially the strongest of the three architectures, the integrated approach has only a single point of entry to the safety-critical components of the SIS. The core SIS is isolated even from the extended SIS to reduce the attack surface. The single point of entry for the core SIS is protected via a unified defense-in-depth approach while maintaining functional segmentation to operate independently.

Layers of defense
Layers of defense around each system contain protection mechanisms to diminish cyber-threats that could lead to compromises such as unauthorized access. To varying degrees, the layers for each architecture assist or detract from the daily task of process control.

Separate: The SIS and BPCS each require their own layers of defense that need design and maintenance. The team must discern how to communicate between them without sacrificing security. Security might be compromised by using removable media or a temporary connection to a compromised laptop that eventually would be connected to the safety network.

Interfaced: Implementing separate layers for each system increases the complexity of design, maintenance, and engineered pathways between the systems, which are often based on unsecured protocols such as Modbus TCP. Any changes made to the systems or to the outer protective layers could impact the connectivity between the BPCS and SIS.

Integrated: The integrated system can share a set of defense-in-depth layers for many common defense systems: antivirus, whitelisting, firewalls, and more — to simplify management for the asset owner. In addition, the SIS uses its own defense measures that provide extra protection to safety-critical components.

Lifecycle maintenance
The more tasks needed to maintain a defendable system, the more personnel time and expertise will be required. The goal is to have the strongest defendable architecture maintained by the most efficient methods.

Separate: Maintaining cybersecurity and keeping two systems current requires system administrators to design and maintain two solutions, one per system. Maintenance of safety sensors and final elements must be scheduled periodically and performed manually, as smart devices are prevented from self-diagnosing and communicating issues to maintenance personnel. The manual nature of the tasks is the major flaw of this architecture option.

Interfaced: Although communication occurs across connected paths, maintenance teams must deal with engineered connections that might be impacted by changes to the cybersecurity architecture. Updating virus definitions must be completed on multiple systems, might involve different vendors, and runs the risk of conflicting with existing connectivity. Duplication of efforts to maintain the independence between the SIS and BPCS can result in multiple vendor systems, increased downtime, and more potential for errors.

Integrated: Maintenance is simpler because the SIS is wrapped in engineered layers of defense that also defend the BPCS. For example, although the SIS has some additional built-in protections specifically for the SIS, anti-malware solutions are provided for the ICSS as one system, which simplifies updates. Integrated diagnostics also provide lifecycle maintenance simplicity because SIS-related alerts from smart devices can be sent easily via the BPCS to maintenance personnel to signal potential sensor or final element issues.
Engineering savings

The integrated SIS approach helps an organization reduce engineering costs by eliminating tasks, reducing overlap in responsibilities, avoiding rework, and preparing the organization for digital transformation and a mobile workforce. Savings arise from reductions in or even elimination of engineering activities such as data mapping. In fact, no data mapping is required in the integrated approach. Engineers do not need to track the relationship between SIS data and BPCS data, thus reducing costly data-entry errors during start-up and streamlining maintenance later. No handshaking logic is required either. To monitor the health of the communication link in interfaced systems, it is common to implement watchdog applications, which are not needed in an integrated approach due to the coordinated diagnostics.

Efficient project engineering is further enhanced through a common engineering environment where the integrated SIS and BPCS generally employ the same engineering workstations and tools with the same look-and-feel. The common environment available in integrated SIS architecture means that engineers working on the systems will have a similar experience and will require less training time. Project engineers also save time by working in the SIS and BPCS common environment as they, for example, assign unique user privileges for the BPCS and SIS.

Installation, testing, and commissioning in the integrated environment

After some of the initial engineering is complete, additional time is saved in installation. The integrated architecture employed by the DeltaV solution means that system cabinets and field enclosures for the DCS and SIS are similar, which facilitates faster design and installation. An integrated approach might require fewer components; for example, there is no need for HART multiplexers for routing HART information from field devices — which not only increases hardware cost and complexity, but also creates additional connection points that will require oversight.

As the project moves to factory acceptance testing (FAT), tasks are simplified due to the inherent communications between the systems — the configuration on any side can be updated easily as testing proceeds.
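The watchdog applications mentioned under Engineering savings for monitoring an interfaced link, as an added illustrative example that is not DeltaV or Emerson code: a heartbeat counter check that flags a frozen or implausibly jumping counter so the receiving side can treat the link as faulted. The register width, poll interval and timeout are assumptions.

```python
# Heartbeat watchdog for an engineered (interfaced) SIS/BPCS link.
# Illustrative example, not DeltaV or Emerson code. One side increments a
# counter in a holding register every poll cycle; the other side checks that
# the counter keeps advancing. A counter that stops moving, or that jumps
# implausibly, marks the link as faulted. Poll timing and timeout are assumed.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

COUNTER_MODULUS = 0x10000  # a 16-bit holding register wraps 65535 -> 0


@dataclass
class LinkWatchdog:
    timeout_s: float                 # longest tolerated time without an advance
    max_step: int = 8                # largest plausible jump between two polls
    last_counter: Optional[int] = None
    last_change_t: float = 0.0
    faulted: bool = False
    events: List[str] = field(default_factory=list)

    def observe(self, counter: int, now: float) -> bool:
        """Feed one polled counter value; return True while the link is healthy."""
        if self.last_counter is None:            # first sample only seeds state
            self.last_counter, self.last_change_t = counter, now
            return True
        delta = (counter - self.last_counter) % COUNTER_MODULUS
        if delta == 0:
            # No advance: stuck peer, frozen link, or a replayed frame.
            if now - self.last_change_t > self.timeout_s:
                self._fault(now, "heartbeat timeout")
            return not self.faulted
        self.last_counter, self.last_change_t = counter, now
        if delta > self.max_step:
            # Backwards or oversized jump: peer restart, reordering or bad data.
            self._fault(now, f"counter jumped by {delta}")
            return False
        if self.faulted:                         # a sane increment clears it
            self.faulted = False
            self.events.append(f"{now:.1f}s: link restored")
        return True

    def _fault(self, now: float, reason: str) -> None:
        if not self.faulted:
            self.faulted = True
            self.events.append(f"{now:.1f}s: link FAULT ({reason})")


# Constructed poll log: (seconds, counter value read from the peer register).
SAMPLES: List[Tuple[float, int]] = [
    (0, 10), (1, 11), (2, 12),              # healthy, advancing each second
    (3, 12), (4, 12), (5, 12), (6, 12),     # peer frozen: timeout trips at 6 s
    (7, 13),                                # advances again: link restored
    (8, 0), (9, 1),                         # counter reset, then sane increment
]


def run_scenario(samples=SAMPLES, timeout_s: float = 3.0):
    """Replay a poll log; return per-poll health flags and the logged events."""
    wd = LinkWatchdog(timeout_s=timeout_s)
    flags = [wd.observe(counter, float(t)) for t, counter in samples]
    return flags, wd.events
```

In a real interfaced deployment the logic solver would read the counter over the engineered Modbus TCP link and drive its "link healthy" status from the returned flag.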

[Figure: separate and shared elements of the integrated SIS/BPCS system.]

SIS SEPARATE ELEMENTS
• Core SIS hardware and firmware
• Safety network
• Dedicated engineering stations
• Independent cybersecurity layer for SIS

SHARED ELEMENTS
• Systems configured from a common engineering environment
• Data and alarms displayed on the same operator interface
• Alarm handling
• Time synchronization
• Coordinated user security
• Device health monitoring
• Workstations
• Data and device configuration
• Defense-in-depth strategy

BPCS SEPARATE ELEMENTS
• BPCS hardware and firmware
• BPCS network
• Independent cybersecurity layer for BPCS

Eliminating weak links

In an interfaced system, when a change is required to the SIS or BPCS, any related mapping in the engineered interface between the BPCS and SIS might also need to be changed. If the initial project team is not available to perform the change and ensure its cybersecurity readiness, newer personnel must reinvent the wheel to make changes — potentially extending downtime and ultimately running the risk of introducing more security vulnerabilities.

Integrated architecture systems such as the DeltaV™ distributed control system (DCS) and DeltaV SIS can detect the source of any changes, detect corruption in packets, and automatically perform some validation on data moving from the BPCS to the SIS (and vice versa) to ensure that changes are authentic. In the interfaced architecture approach, a similar validation can be created on an engineered link between two different systems, but it requires complicated and time-consuming effort that the integrated approach eliminates.

Finally, commissioning. The integrated environment optimizes accuracy and coordination among the commissioning teams because the process and device data are shared electronically and therefore data are consistent across the SIS and BPCS. Common commissioning tools are used for both SIS and BPCS.

Assigning privileges to team members is simplified in the DeltaV integrated architecture. This eases cybersecurity concerns because, although similar, the locks for the SIS and the BPCS are different and the privileges are given separately for each module and can be segregated by module type or node, thus giving personnel greater flexibility and ability to segregate duties.
Simpler and safer operations

Procedures and culture play key roles in maintaining safe operations. When operations can be more simply accomplished, safety is strengthened. The integrated approach promotes streamlined operations and maintenance, creating a strong and secure environment. In the long term, the integrated control and safety system (ICSS) approach provides benefits beyond time and cost savings by increasing operational efficiencies across the facility.

Streamlined process changes and cybersecurity updates

While project teams recognize the importance of a properly functioning SIS, they sometimes incorrectly assume that once the SIS is initially configured and installed, it will function for the lifecycle of the equipment with no need to change or adjust. But things change – even the SIS. Over the lifetime of the plant, the SIS might change with process improvements or site expansions. The ICSS also needs software version updates. On a properly designed ICSS, the BPCS and SIS can be upgraded independently to accommodate schedules. In addition, the SIS needs to be periodically proof tested – an integrated architecture facilitates the proof-testing process through efficient data access to SIS records.
Reduced training curve
Ideally, facilities have separate resources to work on the BPCS and SIS. But the reality is that some organizations have the same instrument technicians maintain both SIS and DCS field devices. In some industries or facilities, operators interact with both systems too – monitoring both the process and safety systems in a central control room. Often, the system administrators (persons maintaining backups, user accounts, patch management, etc.) are the same for both DCS and SIS regardless of whether DCS and SIS are integrated, interfaced, or isolated from each other.

Thanks to the common engineering environment of a modern ICSS, configuration and daily operation training applies to both the process control and safety functions. Although independent reviews should remain in place in accordance with best engineering practices, the integrated approach facilitates a better use of scarce resources.

Seamless process interface

The integrated approach allows the BPCS and SIS to share workstations — ensuring that process and equipment information is available wherever needed. While safety functions typically do not require operator intervention (the SIS will automatically take the plant to a safe state), there are still benefits to having a common operator workstation.

A single operator can monitor consolidated alarms and events to facilitate coordination during an abnormal situation. For example, in certain processes (e.g., boilers), the process control and the safety application (Burner Management System) are interrelated. Combining both in the same console facilitates daily operation and response to an abnormal situation.

Integration can increase operational awareness and decision support for an operator. For example, to increase awareness a gas detector can be made visible to all operators rather than just the safety personnel. To ensure safety, configuration can allow all operators to view the SIS data, but only the personnel with the appropriate privileges can interact with the SIS via secure mechanisms.

Integrated diagnostics

Diagnostics are common to the BPCS and the SIS and are, therefore, more familiar to the operators and engineers working on both systems. When personnel are familiar with the process and its controls, they are better able to address safety or reliability issues, improve production, and increase process availability.

Built-in security around bypasses

Bypasses on a safety system are necessary for maintenance purposes. While the process and paperwork for bypass approval are typically done outside the SIS, the SIS must properly manage them. The DeltaV SIS can handle bypass permits, preventing multiple bypasses on the same safety function and automatically removing bypasses if necessary.

With an integrated safety system such as the DeltaV system, bypass notifications are easily accessible on the ICSS workstations and do not require modifying the BPCS interface. Multiple users can be notified in the event of a bypass being set and can even receive a notification on a mobile device.
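The bypass-permit rules described above (a bypass needs an approved permit, only one bypass per safety function, automatic removal, notification of interested users), as an added illustrative example that is not DeltaV's implementation; the roles, permit fields, time limit and subscriber names are assumptions.

```python
# Bypass permit handling for safety instrumented functions (SIFs).
# Illustrative example, not DeltaV or Emerson code. It enforces: a bypass
# needs an approved permit and an authorized user; at most one bypass is
# active per SIF; bypasses are removed automatically when the permit expires;
# subscribed users are notified of every set, removal or refusal (assumed).
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Permit:
    permit_id: str
    sif: str            # safety instrumented function, e.g. "SIF-101"
    approved_by: str    # approval happens outside the SIS; recorded only
    max_duration_s: float


@dataclass
class Bypass:
    permit: Permit
    set_by: str
    set_at: float


class BypassManager:
    def __init__(self, authorized_roles=("sis_engineer",), subscribers=()):
        self.authorized_roles = set(authorized_roles)
        self.subscribers = list(subscribers)    # e.g. console users, mobile
        self.active: Dict[str, Bypass] = {}     # at most one entry per SIF
        self.notifications: List[str] = []

    def _notify(self, message: str) -> None:
        for user in self.subscribers:
            self.notifications.append(f"to {user}: {message}")

    def set_bypass(self, permit: Permit, user: str, role: str, now: float) -> bool:
        """Apply a bypass under a permit; refuse if unauthorized or duplicate."""
        if role not in self.authorized_roles:
            self._notify(f"REFUSED bypass on {permit.sif} by {user} (role {role})")
            return False
        self.expire(now)                         # drop stale bypasses first
        if permit.sif in self.active:
            self._notify(f"REFUSED second bypass on {permit.sif} by {user}")
            return False
        self.active[permit.sif] = Bypass(permit, user, now)
        self._notify(f"bypass SET on {permit.sif} by {user} under {permit.permit_id}")
        return True

    def clear_bypass(self, sif: str, user: str) -> bool:
        """Remove a bypass deliberately when maintenance finishes."""
        if self.active.pop(sif, None) is None:
            return False
        self._notify(f"bypass CLEARED on {sif} by {user}")
        return True

    def expire(self, now: float) -> List[str]:
        """Auto-remove bypasses whose permit duration has elapsed."""
        expired = [sif for sif, b in self.active.items()
                   if now - b.set_at >= b.permit.max_duration_s]
        for sif in expired:
            del self.active[sif]
            self._notify(f"bypass on {sif} REMOVED automatically (permit expired)")
        return expired
```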

Stronger Together

Cybersecurity threats are more prevalent than ever. An air gap between the SIS and BPCS is not sufficient protection. Comprehensive cybersecurity features make the DeltaV™ SIS a defendable safety system deployed in either an interfaced or integrated architecture.

DeltaV DCS and SIS integration creates a strong cybersecure posture through coordinated layers of defense around each system. The integrated architecture also delivers benefits such as reduced engineering and smoother operation.

Begin building the foundation for a cybersecure future today.

Take the next step. Learn more at www.emerson.com/deltavcybersecurity

Emerson
©2020, Emerson. All rights reserved.
www.emerson.com/deltavcybersecurity
