Because the core SIS and extended SIS are physically separated from peripherals, interfaced systems offer adequate protection to meet ISA and NAMUR standards. However, just as in separated systems, SIS hardware and software need to be protected. Users must ensure the core SIS is not compromised via connections to the extended SIS.
To achieve this protection, interfaced systems require that defense-in-depth security layers be duplicated on multiple systems. In some cases, the multiple cybersecurity instances that must be monitored can increase the workload necessary to sustain adequate security. It is also up to the end user to ensure the link between the BPCS and SIS is configured so the system is not exposed to risk.
Another option for engineering separated systems is integrated SIS (Figure 4). In this approach, the SIS is integrated to the BPCS, but there is a logical and physical separation between the core SIS and extended SIS. Typically, this separation comes with proprietary protocols using embedded cybersecurity out of the box. This eliminates many of the security risks that come from manually engineering a connection between the SIS and BPCS.
Integrated SIS requires the same levels of defense-in-depth protection as separated systems, but because some of the security layers protect both the BPCS and SIS, an integrated SIS can reduce the time and effort spent monitoring, updating and maintaining security layers. This approach offers protection that goes beyond common security layers. Integrated SIS also has additional and specific security layers designed to protect the core SIS.
Eliminating complicated engineered interfaces between core and extended SIS with an integrated environment can lead to simpler and faster factory acceptance testing (FAT), helping to bring projects online faster and with less rework.
Managing entry points
Carefully considering defense-in-depth layers is critical to delivering a cybersecure SIS, but it’s not enough. To ensure adequate security for an SIS network, organizations also must limit entry points into the safety-critical functions and provide mitigations for any risks that affect those entry points.
The more entry points available into an SIS’ safety-critical functions, the more opportunities exist for cyberattacks to exploit possible vulnerabilities in the security layers. While it may be possible to adequately defend five entry points against intrusion, it is much easier and less resource-intensive to defend only one.
Entry points – Interfaced systems
NAMUR offers clear guidance for zoned SIS architecture in an interfaced format (Figure 1). In the diagram, the core SIS, extended SIS and control system architecture are isolated properly in their own zones. The engineered connections between architecture elements in the three zones—engineering stations, BPCS, plant information management systems, asset management systems and more—can create multiple potential connection points to the core SIS.
These connection points do not inherently present a security risk; the assumption is they will be secured with adequate defense-in-depth. Each door needs to be secured, potentially resulting in five or more sets of security hardware and software to manage.
Entry points – Integrated systems
Integrated SIS architectures can offer a design that limits entry points. The best integrated safety instrumented systems feature one component acting as a gatekeeper/proxy for all traffic going to and from the safety-critical functions. The result is one entry point that needs to be defended, likely using the same defense-in-depth layers that protect the BPCS and some additional protection layers more specific to the core SIS. Such a design can reduce maintenance and monitoring while providing the same or even greater level of standard SIS separation than other architectures.
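The entry-point argument made across these two sections (five or more doors into the core SIS in an interfaced design versus a single gatekeeper/proxy in an integrated one) can be checked mechanically against a zone-connection model. The following is an added example, not code from the article or from any vendor's product: it models each zone as a node and each engineered connection as a directed link, counts the zones that connect directly into the core SIS (each one is a door needing its own defense-in-depth), and flags any path into the core SIS that bypasses the designated gateway. The zone names, the two link maps and the `sis_gateway` node are constructed for illustration and are not taken from the NAMUR or ISA documents.

```python
"""Entry-point analysis for an SIS zone model (added example, constructed data)."""
from typing import Dict, List

Links = Dict[str, List[str]]  # zone -> zones it has an engineered connection into

# Constructed interfaced design (after Figure 1 in spirit): every external zone
# is wired straight into the core SIS, and the BPCS also reaches it through the
# extended SIS.  Zone names are assumptions for this example only.
INTERFACED: Links = {
    "engineering_station": ["core_sis"],
    "bpcs": ["core_sis", "extended_sis"],
    "pims": ["core_sis"],
    "asset_mgmt": ["core_sis"],
    "extended_sis": ["core_sis"],
}

# Constructed integrated design: all traffic funnels through the BPCS layers and
# then a single gatekeeper/proxy ("sis_gateway", hypothetical name).
INTEGRATED: Links = {
    "engineering_station": ["bpcs"],
    "pims": ["bpcs"],
    "asset_mgmt": ["bpcs"],
    "bpcs": ["extended_sis"],
    "extended_sis": ["sis_gateway"],
    "sis_gateway": ["core_sis"],
}


def direct_entry_points(links: Links, target: str) -> List[str]:
    """Zones with a direct link into `target`: each is a door that needs its own
    set of security hardware and software."""
    return sorted(src for src, dsts in links.items() if target in dsts)


def all_paths(links: Links, start: str, target: str) -> List[List[str]]:
    """Depth-first enumeration of simple (loop-free) paths from start to target."""
    paths: List[List[str]] = []

    def walk(node: str, seen: set, path: List[str]) -> None:
        if node == target:
            paths.append(path)
            return
        for nxt in links.get(node, []):
            if nxt not in seen:
                walk(nxt, seen | {nxt}, path + [nxt])

    walk(start, {start}, [start])
    return paths


def unguarded_paths(links: Links, target: str, gateway: str) -> List[List[str]]:
    """Paths into `target` that never pass through `gateway`.  An empty list
    means the design really has one defended entry point."""
    result: List[List[str]] = []
    for source in links:
        if source == target:
            continue
        for path in all_paths(links, source, target):
            if gateway not in path:
                result.append(path)
    return result


def summarize(links: Links, target: str = "core_sis", gateway: str = "sis_gateway") -> Dict[str, int]:
    """Two numbers a reviewer wants: doors to defend and gateway bypasses."""
    return {
        "entry_points": len(direct_entry_points(links, target)),
        "gateway_bypasses": len(unguarded_paths(links, target, gateway)),
    }


if __name__ == "__main__":
    for name, model in (("interfaced", INTERFACED), ("integrated", INTEGRATED)):
        print(name, summarize(model))
        for p in unguarded_paths(model, "core_sis", "sis_gateway"):
            print("  bypass:", " -> ".join(p))
```

Run as a script it prints five entry points and six gateway-bypassing paths for the interfaced model and one entry point with no bypasses for the integrated one; the same functions can be pointed at a firewall or zone-and-conduit inventory exported from a real design to verify that a "single gatekeeper" claim actually holds.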
There is often an assumption that more physical separation between SIS and BPCS means more inherent security. However, as in the case of air-gapped systems, more physical separation may lead to increased maintenance and monitoring overhead to ensure adequate defense-in-depth. The added overhead limits air-gapping’s value for organizations looking to optimize performance and production while trying to achieve cybersecurity standards.
Integrated and interfaced systems can achieve high levels of connectivity, while offering flexibility in implementation of defense-in-depth cybersecurity structures. Because both architectures offer the highest levels of security, implementation teams looking to maintain a defensible SIS over the lifecycle of the system often discover they have more choices for a BPCS and SIS that fit unique organizational goals.
Sergio Diaz and Alexandre Peixoto are DeltaV product managers, Emerson. Edited by Chris Vavra, production editor, Control Engineering, CFE Media, [email protected].
MORE ANSWERS
Keywords: Safety instrumented system, SIS, basic process control system
Choosing an architecture is the first priority for a safety instrumented system (SIS).
An SIS can be separated, interfaced, or integrated.
A secure SIS uses defense-in-depth to better protect the system from internal and external threats.
Consider this
What type of SIS system do you use and what have the benefits and challenges been?
See additional cybersecurity facility stories including:
Case study: Eight steps to managing building cyberphysical risks
Four ways to sharpen the technology that runs buildings in 2020
Four ways to sharpen building system technologies