Functional safety and security are implemented in separate processes, but they share similar concepts and methods, and in some areas, such as critical infrastructure, they overlap outright. These overlaps have triggered several standardization activities intended to help the groups concerned find solutions to this complex issue.
The introduction of functional safety in the manufacturing industry in recent decades represents an important step toward machine safety as well as a paradigm shift. Fieldbus technology has opened up additional opportunities for functional safety in machinery and equipment. With its ability to transmit safety-related messages together with standard messages on the same bus cable, the PROFIsafe communication technology of PROFIBUS & PROFINET International (PI) establishes an efficient and cost-saving “single channel” technology for functional safety for PROFIBUS and PROFINET.
Today, machines are expected to communicate with one another as well as with the outside world, which entails new types of risks. Examples of malicious interference resulting in disruption of the safe operation of machinery and motor vehicles have been featured in the news.
Real World Example
With the combination of a laser scanner, controller, control panel and drive system, two different safety functions can be configured on the same hardware:
- A: Protective field – When the machine operator gets too close to the danger zone, the drives immediately undergo a safe operating stop (SOS)
- B: Warning field – A trained operator can operate the machine in setup mode with safe limited speed (SLS)
Defined roles emerge from the safety perspective:
- The technology provider, e.g. PI with PROFIsafe
- The device manufacturer
- The machine manufacturer
The requirements of functional safety apply across all phases and to all parties involved:
- Functional safety management
- Selection of suitable devices and structures with corresponding diagnostic capabilities
- Selection of reliable components
The aim is to prevent injuries or death resulting from controller malfunctions. The rating criteria (SIL per IEC 61508/62061, PL per ISO 13849) are first validated qualitatively and then quantitatively.
The requirements for IT security are hardly different: they, too, apply across all phases and to all parties involved:
- IT security management
- Selection of suitable devices and structures
The aim here is to prevent changes in machine behavior as a result of deliberate attacks. The rating criteria (the security levels, SL, and foundational requirements, FRs, of IEC 62443) are purely qualitative.
Examining the safety and security aspects of different applications calls for new measures, which have already been described in the PROFIsafe environment specification. The plant is divided into PROFIsafe islands (zones) that are connected via PROFINET and PROFIBUS (conduits). This structure still permits the necessary interventions, including safety-related ones, while confining their reach to the zone concerned.
Among others, IEC TC 44, the IEC technical committee responsible for safety of machinery, is drafting a standard (IEC 63074). As in the case of functional safety, the standard will explain the basic principles, and it will also explain how external attacks can put people at risk. From this, the security requirements needed to protect safety functions will be derived. These requirements are distributed across all life phases of the machinery and equipment and include:
- Organizational measures
- Passive and active technical measures
Possible reactions are also described:
- Ability to exclude security risk through the control concept
- Minimization of consequences of an attack
- Acceptance of these consequences
- Averting the security risk by means of an additional, independent instance
Above all, the results of each step must be documented so that, in the recurring analysis that is required, the effectiveness of the measures already in place can be checked against new attack scenarios. The likely target of an attack must also be assessed: attacks on the equipment itself call for different measures than attacks directed at the machine manufacturer, the control components, or the technology providers.
The draft standard retains the core concept of requiring organizational or automatic monitoring of the environment of the safety function. Even if it can be assumed that espionage poses no safety risk for the equipment, functional safety must consider every attack that might change the behavior of the machine (sabotage). This starts with the falsification of information during data transmission: false information about the status of equipment can lead to a dangerous situation in which the machine moves when it is supposed to be stationary.
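The falsified-status case above is where the difference between a safety measure and a security measure shows most clearly. The following added example (not code from the article, from PI, or from the PROFIsafe specification; the frame layout is a constructed simplification, not the PROFIsafe frame format) models a safety door contact reporting OPEN or CLOSED to a controller. A CRC, as used by safety protocols to catch random bit errors, can be recomputed by anyone on the bus, so an attacker who rewrites the status byte passes the check. A keyed MAC over the same bytes cannot be recomputed without the key, and an expected consecutive number rejects the replay of an old authentic frame. The key and all frames are constructed for the demonstration.

```python
"""Added illustration: a safety-layer CRC detects random corruption but not
deliberate falsification; a keyed MAC plus a freshness counter does.
The message layout is a constructed simplification, NOT the PROFIsafe format."""
import hashlib
import hmac
import struct
import zlib

GUARD_OPEN, GUARD_CLOSED = 0, 1   # status of a safety door contact
DEMO_KEY = b"constructed-demo-key-replace-in-practice"   # assumption: pre-shared key


def crc_frame(status: int, counter: int) -> bytes:
    """status(1) | counter(1) | CRC32(4) over the two data bytes."""
    payload = bytes([status, counter & 0xFF])
    return payload + struct.pack(">I", zlib.crc32(payload) & 0xFFFFFFFF)


def crc_frame_valid(frame: bytes) -> bool:
    payload, (crc,) = frame[:2], struct.unpack(">I", frame[2:6])
    return (zlib.crc32(payload) & 0xFFFFFFFF) == crc


def mac_frame(status: int, counter: int, key: bytes = DEMO_KEY) -> bytes:
    """status(1) | counter(1) | HMAC-SHA256(32) over the two data bytes."""
    payload = bytes([status, counter & 0xFF])
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


def mac_frame_valid(frame: bytes, key: bytes = DEMO_KEY) -> bool:
    payload, tag = frame[:2], frame[2:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def falsify(frame: bytes, new_status: int, recompute_crc: bool) -> bytes:
    """Attacker on the bus rewrites the status byte. A CRC needs no secret, so it
    can simply be recomputed; an HMAC tag cannot be recomputed without the key."""
    counter = frame[1]
    if recompute_crc:
        return crc_frame(new_status, counter)
    return bytes([new_status]) + frame[1:]


def motion_permitted(frame: bytes, validator, expected_counter: int) -> bool:
    """Receiver (safety controller): permit motion only for a frame that passes the
    integrity check, carries the expected consecutive number (rejects replays of an
    old authentic frame) and reports the guard CLOSED. Anything else -> safe state."""
    if not validator(frame):
        return False
    if frame[1] != (expected_counter & 0xFF):
        return False
    return frame[0] == GUARD_CLOSED


def demo() -> dict:
    counter = 7
    # Genuine message: the guard door is OPEN, so the drive must stand still.
    genuine_crc = crc_frame(GUARD_OPEN, counter)
    genuine_mac = mac_frame(GUARD_OPEN, counter)
    # Sabotage: the attacker reports the guard as CLOSED.
    forged_crc = falsify(genuine_crc, GUARD_CLOSED, recompute_crc=True)
    forged_mac = falsify(genuine_mac, GUARD_CLOSED, recompute_crc=False)
    # Replay: the attacker resends an old, authentic CLOSED frame with a stale counter.
    replayed_mac = mac_frame(GUARD_CLOSED, counter - 1)
    return {
        "crc_genuine_allows_motion": motion_permitted(genuine_crc, crc_frame_valid, counter),
        "crc_forged_allows_motion": motion_permitted(forged_crc, crc_frame_valid, counter),
        "mac_genuine_allows_motion": motion_permitted(genuine_mac, mac_frame_valid, counter),
        "mac_forged_allows_motion": motion_permitted(forged_mac, mac_frame_valid, counter),
        "mac_replay_allows_motion": motion_permitted(replayed_mac, mac_frame_valid, counter),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Only the forged CRC frame gets the drive moving; every tampered or replayed MAC frame leaves the controller in its safe state. The point for a plant operator is that the integrity mechanism of the safety protocol is sized for random faults and says nothing about sabotage, which is why the security measures of the zone (conduit protection, access control) have to be added around it rather than assumed from the safety layer.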
In addition, limit values that are accessible to unauthorized operators can be changed and cause damage; this is the case, for example, when the value entered for safely limited speed is set as high as the constant operating speed, so that the limit no longer limits anything. It is already evident that measures that have traditionally been classified as 'safety' measures, such as password protection and the 4-eyes principle, are in fact 'security' measures. Conversely, functional safety allows safety functions to be defined that actively react to a 'security' attack.
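The three measures just named (password protection, the 4-eyes principle and a safety function that reacts to an attack) can be put together in a few lines. The following is an added example, not code from the article or from any vendor's or PI's product: a safety parameter (the SLS limit) may only be changed by an authenticated safety engineer, within a plausible range, and only once a second, different engineer has approved it; a cyclic safety check compares the live parameter against the value commissioned through that procedure and forces a safe operating stop (SOS) if it has been altered by any other route, such as a direct write by an attacker. The roles, limit values, accounts and passwords are constructed assumptions.

```python
"""Added example: authenticated, four-eyes change of a safety parameter with a
plausibility check, and a cyclic safety function that forces SOS on tampering.
Roles, limits, users and passwords are constructed assumptions."""
import hashlib
import hmac
import os

MAX_SLS_MM_S = 250        # assumption: largest permissible safely limited speed
NORMAL_SPEED_MM_S = 2000  # assumption: the machine's constant operating speed


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class User:
    """Password-protected account with a role; the password is kept as a salted PBKDF2 hash."""

    def __init__(self, name: str, role: str, password: str):
        self.name, self.role = name, role
        self.salt = os.urandom(16)
        self.digest = _derive(password, self.salt)

    def authenticate(self, password: str) -> bool:
        return hmac.compare_digest(self.digest, _derive(password, self.salt))


class SafetyParameters:
    def __init__(self, sls_limit: int):
        self.sls_limit = sls_limit
        self.pending = None        # (proposed value, proposer name)
        self.sos_active = False    # set by the safety function, never cleared here
        self.audit = []            # documented results, as the text requires
        self._commissioned = self._fingerprint()

    def _fingerprint(self) -> str:
        return hashlib.sha256(f"sls_limit={self.sls_limit}".encode()).hexdigest()

    def propose(self, user: User, password: str, new_limit: int) -> bool:
        """First pair of eyes: an authenticated safety engineer proposes a plausible value."""
        if not user.authenticate(password):
            self.audit.append(("propose", user.name, new_limit, "bad password"))
            return False
        if user.role != "safety_engineer":
            self.audit.append(("propose", user.name, new_limit, "role not permitted"))
            return False
        if not 0 < new_limit <= MAX_SLS_MM_S:
            # Rejects e.g. entering the normal operating speed as the 'limited' speed.
            self.audit.append(("propose", user.name, new_limit, "outside plausible range"))
            return False
        self.pending = (new_limit, user.name)
        self.audit.append(("propose", user.name, new_limit, "pending approval"))
        return True

    def approve(self, user: User, password: str) -> bool:
        """Second pair of eyes: a different authenticated engineer confirms the value."""
        if self.pending is None or not user.authenticate(password):
            return False
        value, proposer = self.pending
        if user.role != "safety_engineer" or user.name == proposer:
            self.audit.append(("approve", user.name, value, "four-eyes violated"))
            return False
        self.sls_limit = value
        self.pending = None
        self._commissioned = self._fingerprint()   # re-commission after a legitimate change
        self.audit.append(("approve", user.name, value, "applied"))
        return True

    def cyclic_safety_check(self) -> bool:
        """Safety function run every cycle: a live parameter that no longer matches the
        commissioned fingerprint was changed outside propose/approve, so the drives are
        sent to a safe operating stop. Returns True while motion remains permitted."""
        if self._fingerprint() != self._commissioned:
            self.sos_active = True
            self.audit.append(("safety", "controller", self.sls_limit, "SOS: parameter tampered"))
        return not self.sos_active


def demo() -> dict:
    alice = User("alice", "safety_engineer", "correct horse")   # constructed accounts
    bob = User("bob", "safety_engineer", "battery staple")
    carol = User("carol", "operator", "setup-mode-pw")
    params = SafetyParameters(sls_limit=200)
    results = {
        "operator_sets_full_speed": params.propose(carol, "setup-mode-pw", NORMAL_SPEED_MM_S),
        "engineer_sets_full_speed": params.propose(alice, "correct horse", NORMAL_SPEED_MM_S),
        "engineer_proposes_180": params.propose(alice, "correct horse", 180),
        "self_approval": params.approve(alice, "correct horse"),
        "second_engineer_approves": params.approve(bob, "battery staple"),
        "motion_ok_after_approval": params.cyclic_safety_check(),
    }
    params.sls_limit = NORMAL_SPEED_MM_S   # attacker writes the limit directly
    results["motion_ok_after_tamper"] = params.cyclic_safety_check()
    results["sls_limit_now"] = params.sls_limit
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The audit list is the documentation the recurring risk analysis needs: every rejected attempt records who tried what and why it failed. Note that the cyclic check does not try to repair the parameter; it only removes the hazard by stopping the drives, which is the "minimization of consequences" reaction from the list above rather than an attempt to exclude the attack.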
Technical measures must be applied, and the security measures must be integrated into, and maintained through, the recurring security risk analyses. TC 44 aims to stay in contact with the users of its standards, and this approach has been presented to numerous machine manufacturers and to industries with similar requirements or a similar technical environment. The positive responses are spurring the working group to continue in this direction, and some manufacturers already feel better supported today.
Author: Bernard Mysliwiec, Mysafeautomation