Taking Responsibility for Safety and Security

The term ‘security’ alone is enough to cause a media storm: one glance at newspapers and online news sites shows that everyone is in the thick of the discussion around cyber security. Automation and communication technology are not spared from this. This can sometimes create the impression that IT security is a new phenomenon. In fact, the experts of PI have concerned themselves for many years with the secure operation of communication technology components, which by nature have always been tightly networked. What is new to the discussion is that the areas of safety and security are moving closer together.

This necessitates a delimitation between the two areas to start with (not least because the same word is used for both in the German language). Plainly stated: while safety protects people from machinery or equipment, it is exactly the other way around with security. Machinery and equipment must be protected from an intervention that causes them to stop or puts them into a dangerous state.

At first glance, it seems problematic that IT security and functional safety are handled separately. In general, these are two different areas of expertise, and their standards are therefore developed in different committees. Safety is addressed in standards and provisions such as the Machinery Directive of the European Union MRL 2006/42/EC, standards such as IEC/EN 62061 and ISO 13849 (for production automation) and IEC 61511 (for process automation), all subordinate to the basic standard IEC 61508. Security, on the other hand, is addressed in IEC 62443.

PI members have been involved in the standards development process for many years, so that the connections between safety and security have already been made by corresponding decisions of IEC TC44 and a clear procedure for addressing the two areas has therefore been defined. The machine manufacturer ensures that its machine meets the requirements of the Machinery Directive. The security requirements are defined by the specific risk analysis conducted by the user from which suitable measures can then be derived.

The delimitation is of help to users because it also clearly points out the responsibility. While the responsibility for the safety of the machine clearly lies with the machinery or equipment supplier, the owner must assume responsibility for the secure communication between machines, even across production locations.

Safety by PI

In the area of safety, fifteen years ago PI laid the critical cornerstone for automation of safety-related machinery and equipment with the first PROFIsafe specification. The PROFIsafe solution is based on the “black channel” principle. Because of the close connection between safety-related and standard automation, safety-related and standard data are carried together on the same communication medium. This reduces the costs of devices and engineering and of operation of safety-related machinery and equipment.

The core of the principle is that safety-related information is packaged in a safe “PROFIsafe container”. At an Emergency Stop, for example, the signal status of the safety sensor or Emergency Off pushbutton is transmitted via a PROFIsafe frame to the safety controller where it is processed and then forwarded, for example, to a drive. After arrival of this frame in the drive unit, the requested safety reaction is triggered. Thus, for example, the drive is reliably switched to torque-free state with the STO (Safe Torque Off) safety function. In parallel with the safety-related traffic of the PROFIsafe frames, standard data are also exchanged over the same medium with the drive unit concerned and other devices, and the communication in the network meanwhile continues. Furthermore, new safety functions, such as Safely Limited Speed (SLS) can be implemented that allow new operating modes of machines, thereby improving their ergonomics and possible operation significantly. This has a further positive effect on safety.

Thanks to the high profile of the PI organization (PROFIBUS & PROFINET International) and its member companies, PROFIsafe succeeded quickly on the market and became the clear market leader. Both the number of device manufacturers and – more importantly – the number of applications with PROFIsafe is exceptional in comparison with other safety communication solutions. In the last year alone, a growth of 50% was recorded.

The black channel principle is now included in the IEC standards as the state of the art. PROFIsafe meets all requirements of these safety standards. Experts from many well-known companies in the PROFIsafe working group of PI analyzed additional error scenarios and mathematical error calculations and developed solutions for these so that PROFIsafe currently offers the highest possible level of safety-related communication. Among other things, machinery and equipment up to PL e as per ISO 13849-1 or SIL3 as per IEC/EN 62061 or IEC 61508 can be realized with PROFIsafe. PROFIsafe is used in many sectors, such as amusement rides, aerial railways, passenger transportation, synchrotrons (CERN), and many more.

Making use of existing solutions

Picture courtesy of Pomagalski

An interesting aspect of the PROFIsafe concept is that it also offers possibilities for connecting the requirements of safety and security. Numerous systems, specifically many automation concepts of aerial railways, are proving this. This sector uses all of the applications defined by PI: first, the safe PROFIsafe communication between the bottom and top stations or the car that is used in a safety function; second, the safe communication with higher-level operator control and monitoring systems; and finally, the remote diagnostics and maintenance of the system by its manufacturer. Errors that occur again and again are, for example, denial of service through remote television cameras or malfunction due to frequency collision. Likewise, in the case of remote diagnostics, falsified non-safety-related data can lead to incorrect instructions to operating personnel. While these errors are not necessarily willful in nature, they do show how carefully the risks have to be assessed. For aerial railways, for example, the automation system is exposed, so to speak, at two places: first, the owner controls the system itself using a wireless connection; second, the manufacturer engages directly in the system for maintenance or troubleshooting. In such applications each of these two areas is safeguarded using PROFIsafe. The radio transmission takes place in the “black channel” without a special security certificate; PROFIsafe has been approved for radio transmission from the start. Thanks to radio link hop planning and a minimum signal field strength, availability is also ensured, which prevents spurious tripping.

Robustness is a precondition for security

PI gave thought early on to the problem of security not only technologically but also organizationally. For example, years ago PI developed a Security Guideline for PROFINET, which was completely revised at the end of 2013. This guideline addresses the topic of risk assessment, for example. Only on the basis of an analysis of this type can appropriate security measures be derived that are also economically feasible. The probability of a damage event and its possible consequences are evaluated for this, based on protection goals, weak points, and possible threats. The guideline is supplemented by a series of proven best-practice solutions.

Another point that is still underestimated is that use of robust devices is an essential precondition for security in automation. Behind this is the fact that in large networks, in particular, plant availability counts. Denial of service attacks, for example, exploit this by sending an enormous number of requests to the respective devices or servers in order to overload them. It is thus of great help if devices can always react as intended even with high network loads. For this reason, PI has developed the Security Level 1 Tester for the certification of PROFINET devices, which is free of charge for member companies. It can be used to simulate network load scenarios up to the level of denial of service attacks in advance. The network load-related test is already being required by various end users such as the automotive industry. This test is already integrated in the certification of devices according to the new PROFINET Specification Version 2.3 and must therefore be passed in order for a device to be certified. Users that purchase such a certified device can rely on having a correspondingly robust device.

In such cases, the PROFIsafe components in use detect the problem through their time-out monitoring and put the affected system components into the safe state, so that no safety problem can actually arise. The distributed architecture can be structured according to the risk analysis such that the remaining system components continue to operate without loss of production.
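To make the black channel principle from the PROFIsafe description above and the time-out monitoring just mentioned concrete, here is a deliberately simplified model added for this article (it is not PROFIsafe code and not the real PROFIsafe frame format): the safety layer wraps its payload with a consecutive number and a CRC so that the transport underneath needs no trust, and a watchdog drives the receiver into STO when valid containers stop arriving. The container layout, the watchdog value and the event sequence are all constructed assumptions for illustration; resynchronization after lost frames is omitted.

```python
import zlib
from typing import List, Optional, Tuple

# Simplified "black channel" model (assumption, not the PROFIsafe format):
# the safety layer protects its own data with a consecutive number and a
# CRC32; the channel beneath it (Ethernet, radio, ...) is treated as untrusted.
STO = "STO"  # Safe Torque Off: drive is torque-free (the safe state)
RUN = "RUN"

def build_container(seq: int, estop_pressed: bool) -> bytes:
    """Safety payload (E-stop status) + consecutive number + CRC32."""
    body = bytes([seq & 0xFF, 1 if estop_pressed else 0])
    return body + zlib.crc32(body).to_bytes(4, "big")

class SafetyReceiver:
    """Drive-side safety layer: validates containers, runs the watchdog."""
    def __init__(self, watchdog_ms: int):
        self.watchdog_ms = watchdog_ms
        self.expected_seq = 0
        self.last_good_ms = 0
        self.state = STO  # start in the safe state until valid data arrives

    def _valid(self, c: bytes) -> bool:
        # Reject wrong length, CRC mismatch (corruption) and wrong sequence
        # (loss, duplication or replay on the black channel).
        if len(c) != 6 or zlib.crc32(c[:2]).to_bytes(4, "big") != c[2:]:
            return False
        return c[0] == self.expected_seq

    def tick(self, now_ms: int, container: Optional[bytes]) -> str:
        """One communication cycle; container is None when nothing arrived."""
        if container is not None and self._valid(container):
            self.last_good_ms = now_ms
            self.expected_seq = (container[0] + 1) & 0xFF
            self.state = STO if container[1] else RUN
        if now_ms - self.last_good_ms > self.watchdog_ms:
            self.state = STO  # time-out monitoring: fall back to safe state
        return self.state

def simulate(events: List[Tuple[int, Optional[bytes]]], watchdog_ms: int = 30) -> List[str]:
    rx = SafetyReceiver(watchdog_ms)
    return [rx.tick(t, c) for t, c in events]

# Constructed channel trace: normal traffic, an E-stop, a recovery, a frame
# whose E-stop bit was flipped in transit, three lost cycles, then a frame
# that arrives with the wrong consecutive number.
_corrupt = bytearray(build_container(4, False)); _corrupt[1] ^= 0x01
EVENTS = [(0, build_container(0, False)), (10, build_container(1, False)),
          (20, build_container(2, True)), (30, build_container(3, False)),
          (40, bytes(_corrupt)), (50, None), (60, None), (70, None),
          (80, build_container(5, False))]

def demo() -> List[str]:
    return simulate(EVENTS)  # corrupted/late data never yields a wrong RUN
```

The corrupted container at 40 ms is ignored rather than trusted, the watchdog trips at 70 ms after 40 ms without valid data, and the out-of-sequence frame at 80 ms does not release the drive from STO.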

Outlook: Security cannot be solved with a single device, standard, or certification. However, it is useful to describe conceptual and organizational weaknesses in guideline documents so that targeted countermeasures can be taken. A majority of cyber attacks can be defended if the measures recommended by experts are also taken. It is also critical to recognize that no security measure is permanent. Rather, the problem of security is constantly changing and measures must be adapted to current developments. More than 1400 member companies of PI worldwide are committed to bringing their expertise to the development of secure and reliable communication solutions.

More details about PROFIsafe can be found in the Marketing Flyer: PROFIsafe and System Description: PROFIsafe Technology and Application.