Safety vs. Security
Rick Kaun
Department Manager
Network Security Solutions
Matrikon

Bruce McHardy
Instrument and IT Supervisor
Teck

ABSTRACT
Safety systems in the industrial environment have evolved over the years to become increasingly
complex and are relied upon to function to a level of adequacy to protect employees, production,
and the environment surrounding a particular facility. The investment in these systems is great, but
the ramifications of their malfunction are even greater. The media has made it even easier for us to
understand the impact of safety on companies and on their surrounding communities, and with
incidents such as those that transpired in Texas City with a BP refinery explosion, and with the
Bhopal disaster, involving a chemical leak, the potential impact of our operations has become
greater than ever before.
The evolution of safety systems is largely accredited to our ability to connect our systems and to
automate notifications and alarm in the event of a safety breach. Safety systems have now become
automated, more sophisticated, and since being connected by networks, for example being TCP/IP
routable, they have also become more vulnerable to security infringements. At the same time,
connecting our systems has allowed them to become more efficient, and to become a more
dependable, de facto component of a facility's infrastructure. Increasing regulations and standards
are a direct result of the importance being placed on safety systems, not just as a reactive alert
system to crisis, but as a more proactive and predictive way of avoiding disastrous situations. Much
like our telephone and internet connections, our safety systems have become something we expect
to function correctly, and something that we rely on to alert us if the need arises. We cannot afford
to overlook the possibility that these systems are not functioning correctly because of security issues.

WHY DOES SECURITY MATTER?


Security has moved from being a general topic of interest within the financial sector, and the
governmental departments, to an increasing concern within the industrial community. With the
emergence of security recommendations and regulatory compliance requirements throughout
different industries, people are wondering what events have sparked such an interest in security.
Failing to maintain a particular level of security can create easy targets for a range of intentions,
anywhere from international terrorism to a disgruntled former employee who wants to capitalize on
access to information.
Security of information is no longer the only concern; security of data within an organization is
now under just as much scrutiny. Studies have shown that data volumes are doubling every 18
months, and according to a study conducted by Deloitte, the average total cost associated with a
data security breach can be anywhere from $225,000 to $35 million per reported breach. Over half of the
security breaches that occur, whether intentional or unintentional, result from sensitive business
data being mishandled and reaching the wrong people, from within the organization itself.

Distributed with permission of author(s) by ISA 2010

Presented at 2010 Safety and Security Symposium; http://www.isa.org

HOW DO WE ENSURE OUR SAFETY SYSTEMS ARE SECURE?


Due to the connectivity of data sources to our safety systems, there are three major areas we need to
focus on to ensure that our safety systems are fully secure from all significant points of
vulnerability. These three areas are your system architecture, your connectivity infrastructure,
and your security management. It all comes down to ensuring that systems are connected together
with the correct architecture, and that you have the right tools for the job, both to set up your
security systems and to maintain them.
One of the first things to do is to find out if your system architecture itself is secure. To do this, an
initial assessment would be a useful tool to figure out how your assets are configured, and how they
interact with each other. This will make it easier to identify vulnerabilities and to prioritize your
assets in order of criticality. If there is a security program in place, does it include all of the
appropriate assets and are best practices in play?
Furthermore, process control environments use incredibly complex networks that are often
undocumented or only partially documented. These networks have evolved over time through
varied technologies and hardware as a result of multiple disparate networks being migrated into a
single collection of networks, with unstructured IP addressing schemes, overlapping IP subnets,
varied cabling infrastructures and diverse operating system packages.
Moreover, critical infrastructures depend on control systems for their operation. Cyberspace is
considered the nervous system of today's critical infrastructure, and it has become increasingly
important for the process industry to address the possibilities of growing internet threats, cyber
attacks and regulatory compliance. In contrast with physical attacks, cyber attacks are not easily
identified, and may go unnoticed for long periods of time. However, the resources and tools for
cyber attacks are becoming more commonplace and readily available. Companies have internet
connections to the control systems to enable management, engineering, and others to monitor
processes and progress. Vulnerability to the intrusions and attacks has increased with access to the
control systems through the internet. As a result, solutions such as network lockdowns are
implemented to address those threats. Unfortunately, this knee-jerk reaction often conflicts with
the legitimate need for access to plant data for day-to-day business decisions.
A Security Vulnerability Assessment will reveal any vulnerability or weakness in your network,
server, and desktop infrastructure. The assessment will also establish the current state of your
network infrastructure and form the foundation for the development of regulatory compliance or
security / reliability and safety programs. A security vulnerability assessment is a highly detailed
network audit that can be performed at any depth, from a high-level overview to the most in-depth
investigation, and can act as a guideline for improving control of security and usage policies.
When asked about cyber security, most people will think about technology such as firewalls and
antivirus. Security technology is usually where most of the money and time are spent. But it is even more
important to consider the people that use and manage the systems, and the processes that they use. It is
in governance and operations that excellence is achieved. It is entirely possible to have the most
technically secure safety system, but if the people do not participate in or support the security
processes it is useless. Think of security as a three-legged table, where every leg is required to keep it from
falling down. A security vulnerability assessment should approach security with these three distinct
pillars: People, Processes, and Technology. This comprehensive approach delivers a thorough
assessment of your initiatives including policy review, training programs, and technological and
physical concerns.
Technology is the foundation for security and it is necessary to have the right systems installed.
Companies should ensure they have good firewalls, antivirus, patch management, tape backup,
remote access, authentication, and physical security in place.
When we talk about People in the context of security, it refers to the employees, contractors and any
visitor to the organization. In order for a security program to be successful, it is necessary for the
participants and stakeholders to have the necessary awareness, training, documentation and roles.
Everyone needs to understand appropriate system use and why it is important, and technical people
also need to know how to identify and address security risks. It is recommended from an
organizational perspective to have a dedicated security group with the authority and executive
support to enforce security policy and act on violations. But it is more important to have a security awareness
program for employees that conveys the importance of security and how they can participate. If
organizations do not focus on their people, security policies will not be followed, staff will not
understand security issues, and technical staff will not manage systems effectively.
The third aspect of security is Process. When discussed in the context of security, process refers to
the policies, procedures and action plans. Regardless of how hard you try, there will always be
residual security risks and potential incidents. The measure of your preparedness and of the
validity of your security program will determine how well you contain an incident and how
quickly you recover from it. It is necessary to have documents in place, such as an appropriate use
policy, backup policy, and wireless policy, to define how company assets should be used and
deployed. Policies determine the rules for using a system, define procedural countermeasures for
potential security risks, and capture any best practices. Procedures are step-by-step instructions on how to
perform or execute a plan without being the expert on the system. Both policies and procedures are
required for a good security program. Processes or procedures are also vital in outlining the overall
security mentality and approach your organization wishes to implement. As your business evolves,
so too will your environment. By having clearly defined expectations of future programs and
applications you can evolve your business while maintaining the highest possible level of security.
Finally, a security vulnerability assessment should be scalable to meet specific organization
requirements and should include, but not be limited to: ongoing policy reviews, exhaustive system
by system site audits, front-end engineering and technical implementation.


Figure 1: Security Vulnerability Assessment

With the integration of process control systems, and particularly, our safety systems, we also need
to examine the way in which data is transferred and shared. What tools are we using to connect our
systems and how is the data being pulled and combined with other sources? Certification programs,
such as the Achilles Certification by Wurldtech, work with compliance organizations and standards
bodies to create certification programs that encompass the necessary security requirements for all
software, including OPC software used to create interoperability among systems. It is important to
ensure that every step of your process is secure, starting with the data that feeds the rest of your
business. If your data itself is not secure, this will have a domino effect on the rest of the process
from that point onward.
A Secure Process Environment (SPE) design creates a layered network that segregates all process
equipment from the Business LAN, creating a network that is dedicated to Process Equipment,
while allowing the movement of data that is necessary for business decision making. The design
incorporates a method of rejecting all communications from the Business LAN to the Process LAN,
but still allows the movement of data to exist.
Problems such as software viruses, Trojan horses and worms are controlled without the
requirement of loading anti-virus software on process systems. This provides anti-virus
protection for those industrial systems that are not certified for running with anti-virus software.
This design also removes the requirement of ensuring all systems are loaded with security patches
to remove vulnerabilities to attack. As always, it is still recommended to load all service packs and
security patches on all systems as required, but the problems associated with not doing so are
reduced significantly. The loading of security and service packs on process systems is often not a
Process Engineer's primary concern, and these patches are often left until all other tasks are
completed. A security-controlled network layer, the Process DMZ LAN, is constructed between
the Business LAN and the new Process LAN. This network provides an area for security control.
Both the Business LAN and the Process LAN are able to communicate with systems on the Process
DMZ LAN. This design provides a security focus in a small and limited area of the networks,
reducing administration costs. All security programming on the firewall and the Process LAN
router is now focused only on rejecting or authorizing communications to the Process DMZ LAN
and not to process equipment. The security focus is now directed to a limited number of servers
and not to all equipment on the Process LAN.
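The SPE intent described above, expressed as an audit over a firewall rule list, as an added example that is not part of the original paper. The zone names, the rule format, the port numbers and the sample rules are constructed; the only permitted directions are assumed to be Business LAN to DMZ and Process LAN to DMZ.

```python
"""Audit a firewall rule set against the Secure Process Environment (SPE) intent.

Added example, not from the original paper. Zone names, the Rule format and
SAMPLE_RULES are constructed for illustration.
"""
from dataclasses import dataclass

BUSINESS, DMZ, PROCESS = "business_lan", "process_dmz", "process_lan"

# SPE design intent (assumed): the Process LAN never accepts sessions initiated
# from the Business LAN; both outer zones may reach servers in the Process DMZ.
SPE_ALLOWED = {
    (BUSINESS, DMZ),
    (PROCESS, DMZ),
}


@dataclass(frozen=True)
class Rule:
    src: str      # source zone
    dst: str      # destination zone
    port: int     # destination TCP port (0 = any)
    action: str   # "allow" or "deny"


def spe_allows(src, dst):
    """Return True if a session from src zone to dst zone fits the SPE design."""
    return (src, dst) in SPE_ALLOWED


def audit_rules(rules):
    """Return every 'allow' rule that permits traffic the SPE design rejects.

    Rule order is first-match, so a later catch-all deny cannot rescue an
    earlier allow; each allow is therefore judged on its own.
    """
    return [r for r in rules
            if r.action == "allow" and not spe_allows(r.src, r.dst)]


# Constructed sample rule set: a DMZ historian plus one stray remote-access rule
SAMPLE_RULES = [
    Rule(BUSINESS, DMZ, 443, "allow"),       # business users read the DMZ historian
    Rule(PROCESS, DMZ, 4840, "allow"),       # process systems push data into the DMZ
    Rule(BUSINESS, PROCESS, 3389, "allow"),  # direct RDP into the Process LAN: violation
    Rule(BUSINESS, PROCESS, 0, "deny"),      # catch-all deny, too late to help
]

if __name__ == "__main__":
    for v in audit_rules(SAMPLE_RULES):
        print(f"VIOLATION: {v.src} -> {v.dst} port {v.port} must not be allowed")
```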


Figure 2: Secure Process Environment (SPE) Design

MANAGING A SECURITY PROGRAM


Once all of the security systems are in place, the next step is to determine how your security levels
will be maintained. Security threats and vulnerabilities change daily, with the introduction of new
worms and viruses, changes in staff, and so on, and it is critical to have a program in place that will
manage your security and ensure that it remains relevant. The only practical solution to this
problem is a system that automates the security program, whether driven by a relevant
compliance initiative or by the maintenance of a defined normal state. There are many benefits to
creating an automated security management system.
In terms of efficiency, the ability to orchestrate workflow and automate systems into real-time
deliverables allows companies to manage their security program on an ongoing basis rather than
as a one-time effort, and so to ensure the reliability of safety systems. Ongoing programs are much more secure as well. For
example, if you are not using a real-time system with automatic updates, the only source of
information (and its frequency) would be for local staff to look at the data, sort through all of the
documentation, realize that there is a security problem, and then begin to address it. By this time,
there is already a risk to your network, your critical assets and your safety systems. By moving to a
real-time automated system, you can be alerted when there is a change to your protected systems
and supporting systems that is misaligned with your normal expectations, and then generate work
processes to update and re-align your compliance program.
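The "normal state" comparison described above, as an added example that is not part of the original paper: a baseline of expected asset settings is compared with a current snapshot and every deviation becomes a work item. The snapshot format, the asset names and the sample values are constructed.

```python
"""Detect drift from a recorded 'normal state' and turn it into work items.

Added example, not from the original paper. The snapshot format, asset names
and sample data (BASELINE, CURRENT) are constructed for illustration.
"""
import hashlib
import json


def fingerprint(config):
    """Stable SHA-256 of an asset's configuration; key order does not matter."""
    canonical = json.dumps(config, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def detect_drift(baseline, current):
    """Compare per-asset config dicts and return a list of work items.

    Each item names the asset, the kind of deviation (drift, missing,
    unexpected) and the settings that changed, so a compliance workflow can be
    generated automatically instead of waiting for a manual review.
    """
    items = []
    for asset, expected in baseline.items():
        observed = current.get(asset)
        if observed is None:
            items.append({"asset": asset, "kind": "missing", "changed": []})
            continue
        if fingerprint(expected) == fingerprint(observed):
            continue  # still aligned with the normal state
        changed = sorted(k for k in set(expected) | set(observed)
                         if expected.get(k) != observed.get(k))
        items.append({"asset": asset, "kind": "drift", "changed": changed})
    for asset in sorted(set(current) - set(baseline)):
        items.append({"asset": asset, "kind": "unexpected", "changed": []})
    return items


# Constructed snapshots: the DMZ historian lost its anti-virus and opened a port,
# and a device that was never in the baseline has appeared on the network.
BASELINE = {
    "dmz-historian": {"av_enabled": True, "open_ports": [443], "patch_level": "2010-03"},
    "process-router": {"fw_rules_sha": "abc123", "snmp_community": "ro-only"},
}
CURRENT = {
    "dmz-historian": {"av_enabled": False, "open_ports": [443, 3389], "patch_level": "2010-03"},
    "process-router": {"fw_rules_sha": "abc123", "snmp_community": "ro-only"},
    "unknown-laptop": {"dhcp": True},
}

if __name__ == "__main__":
    for item in detect_drift(BASELINE, CURRENT):
        print(f"WORK ITEM [{item['kind']}] {item['asset']}: {item['changed']}")
```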


CONCLUSION
The overall impact of implementing a comprehensive security program in the process control
environment is far reaching, and typically includes:

- Improving employee safety, satisfaction and morale
- Reducing loss of production and revenue from intrusion incidents
- Improving data integrity, resulting in correct operator actions
- Preventing unauthorized disclosure of information
- Preventing unauthorized denial of services
- Preventing regulatory fines for environmental information not being recorded and within limits
- Preventing loss of major tangible assets or resources
- Improving public opinion and investor support
- Protecting intellectual property and trade secrets
- Preventing harm to the organization's mission, reputation or interests

By understanding the complexity and breadth of an effective security program in the process
control environment, we can see the direct correlation between security and its role in the
maintenance of appropriate safety levels. The volume of information that is moving around a
facility at any given time makes it imperative that security controls are put in place and maintained.
Furthermore, the traditional focus of a variety of process industries has been safety and productivity.
However, recent threats to North American critical infrastructure have prompted a tightening of
security measures across the different industry sectors. Reducing control system vulnerabilities
against physical and cyber attack is necessary to ensure the safety, reliability, integrity and
availability of these systems.
