Functional Safety IEC 61508 & IEC 62443

Safety & Security 2015
Freely usable © Siemens AG 2015. All rights reserved.
Page 1
Bernard Mysliwiec
PROFIsafe meets New York

Bernard Mysliwiec
Senior Safety Expert
Siemens AG, DF FA AS E&C-PRM3
[email protected]
Roosevelt Island
Picture courtesy of Pomagalski
What about Functional Safety and IT Security?
Both are designated by the same word:
• Sicherheit in German
• Sécurité in French
• ...
Both can have significant impacts on:
• Productivity
• Availability of the plant or machine
• Costs
• People
Main differences
Safety protects people against the machine or plant
• Malfunction of the machine or plant
  • safe reaction through limit monitoring
• Mostly dedicated to internal malfunctions of systems
  • high self-diagnostic coverage
• Possible misuse of systems, where reasonably foreseeable
  • to avoid a dangerous situation during operation
Security protects the machine or plant against people
• Intentional misuse of the system or of application means
  • e.g. stopping the CPU, incorrect behaviour of functions
• Mostly dedicated to externally caused malfunctions of systems
  • diagnostic coverage generally not implemented
• Focused on misuse of systems
  • creating a dangerous or unspecified situation
Functional Safety
Target of Functional Safety
Automation and functional safety to protect ...
• People
• Plants
• Earth
Typical application areas
Process (protects people, plants, Earth):
• Batches
• Low demand
• Reaction time 0.1 ... 1 s
• IEC 61511, VDI 2180, NE 97
• Burners
• TÜV
Factory (protects people and machinery):
• Production lines
• High demand
• Reaction time 5 ... 150 ms
• IEC 62061 / ISO 13849
• NFPA 79
• IFA
• Mobility
Example of a dangerous machine
Risk reduction according to IEC 61508
Diagram (text rendering): on an axis of increasing risk, the residual risk lies below the acceptable risk, which lies below the Equipment Under Control (EUC) risk. The required risk reduction spans from the EUC risk down to the acceptable risk; the effective risk reduction is the sum of what is:
• covered with E/E/PE systems
• covered with other technologies (not electrical: mechanical, hydraulic, ...)
• covered with external means and measures
3-step method according to EN ISO 12100
START
1. Safe mechanical design. Has the risk been adequately reduced? YES: END. NO: step 2.
2. Technical measures. Has the risk been adequately reduced? YES: END. NO: step 3.
3. User information about residual risks. Has the risk been adequately reduced? YES: END. NO: renewed risk assessment, back to step 1.
END
Determination of required PL acc. ISO 13849
Risk graph for determining the required PLr for the safety function(s). Starting point for the risk reduction estimation, then branch on S, F and P:
• S1, F1, P1: PLr a
• S1, F1, P2: PLr b
• S1, F2, P1: PLr b
• S1, F2, P2: PLr c
• S2, F1, P1: PLr c
• S2, F1, P2: PLr d
• S2, F2, P1: PLr d
• S2, F2, P2: PLr e
1. S severity of injury
• S1 slight (normally reversible injury)
• S2 serious (normally irreversible injury or death)
2. F frequency and/or exposure to hazard
• F1 seldom-to-less-often and/or exposure time is short
• F2 frequent-to-continuous and/or exposure time is long
3. P possibility of avoiding the hazard or limiting harm
• P1 possible under specific conditions
• P2 scarcely possible
Determination of required SIL acc. IEC 62061
Worked example: pinching a finger; safety function: door monitoring, switch OFF XY axis
• Extent of damage: permanent, loss of fingers: Se 3
• Frequency, duration > 1 hour up to 1 day and occurrence probability high: Fr 5 and Pr 4
• Avoidance possible, rarely: Av 3
• Class Cl = Fr + Pr + Av = 5 + 4 + 3 = 12
• Se 3 with Cl 12: SIL 2
Structure of systems and safety evaluation
Sub-system integrity (remark: values only as example):
• Sensor: SIL claim limit 2 / PL d, PFHD1 = 2 x 10^-7 /h
• Safety PLC: SIL claim limit 3 / PL e, PFHD2 = 1 x 10^-8 /h
• Actuator: SIL claim limit 3 / PL e, PFHD3 = 3 x 10^-8 /h
SIL / PL adequation:
• SIL CL SYS <= (SIL CL sub-system) lowest: SIL claim limit 2
• PL SYS <= (PL sub-system) lowest: PL d
Probability of failure:
• PFHD = PFHD1 + ... + PFHDn + PTE, where PTE = probability of transmission error
• PFHD = (20 + 1 + 3) x 10^-8 /h = 2.4 x 10^-7 /h < 10^-6 /h
System reaches: SIL 2 / PL d
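The three evaluations above (PLr from the ISO 13849 risk graph, SIL from the IEC 62061 class Cl = Fr + Pr + Av, and the achieved SIL / PL of a sensor, safety PLC and actuator chain) carried through in code. This is an added illustration, not code from the slides or from Siemens; the band tables encode the standards' public figures as the editor understands them, the chain values are the slide's example values, and PTE is set to 0 because the slide's sum carries no separate transmission error term.

```python
"""Required PL (ISO 13849-1 risk graph), required SIL (IEC 62061 risk matrix) and
achieved SIL / PL of a series chain from subsystem PFHD values.
Added illustration; tables encode the standards' public figures as understood
by the editor, chain values are the slide's example values."""
from dataclasses import dataclass

# ISO 13849-1 risk graph: (S, F, P) -> PLr
RISK_GRAPH = {
    (1, 1, 1): "a", (1, 1, 2): "b", (1, 2, 1): "b", (1, 2, 2): "c",
    (2, 1, 1): "c", (2, 1, 2): "d", (2, 2, 1): "d", (2, 2, 2): "e",
}

# PFHD bands in 1/h: (lower bound inclusive, upper bound exclusive, level)
PL_BANDS = [(1e-5, 1e-4, "a"), (3e-6, 1e-5, "b"), (1e-6, 3e-6, "c"),
            (1e-7, 1e-6, "d"), (1e-8, 1e-7, "e")]          # ISO 13849-1 Table 3
SIL_BANDS = [(1e-6, 1e-5, 1), (1e-7, 1e-6, 2), (1e-8, 1e-7, 3)]  # IEC 62061 Table 3

# IEC 62061 SIL assignment: row Se 1..4, column = band of class Cl = Fr + Pr + Av.
# None: the matrix assigns no SIL ("-" or "other measures recommended").
CL_BANDS = [(3, 4), (5, 7), (8, 10), (11, 13), (14, 15)]
SIL_MATRIX = {4: [2, 2, 2, 3, 3],
              3: [None, None, 1, 2, 3],
              2: [None, None, None, 1, 2],
              1: [None, None, None, None, 1]}


def required_pl(s, f, p):
    """Walk the risk graph with S, F, P each in {1, 2}."""
    if (s, f, p) not in RISK_GRAPH:
        raise ValueError(f"risk graph parameters out of range: S{s} F{f} P{p}")
    return RISK_GRAPH[(s, f, p)]


def required_sil(se, fr, pr, av):
    """Class Cl = Fr + Pr + Av, then the (Se, Cl) cell of the matrix."""
    if se not in SIL_MATRIX:
        raise ValueError(f"Se must be 1..4, got {se}")
    cl = fr + pr + av
    for idx, (lo, hi) in enumerate(CL_BANDS):
        if lo <= cl <= hi:
            return SIL_MATRIX[se][idx]
    raise ValueError(f"class {cl} outside the matrix range 3..15")


def _band(pfhd, bands):
    for lo, hi, level in bands:
        if lo <= pfhd < hi:
            return level
    return None  # outside the claimable range


@dataclass
class Subsystem:
    name: str
    sil_cl: int    # SIL claim limit of the subsystem
    pl: str        # PL of the subsystem, "a".."e"
    pfhd: float    # dangerous failures per hour


def achieved_level(subsystems, pte=0.0):
    """Series combination: PFHD = sum of subsystem PFHD + PTE, then the result is
    capped by the lowest subsystem SIL claim limit and the lowest subsystem PL."""
    total = sum(s.pfhd for s in subsystems) + pte
    sil_band, pl_band = _band(total, SIL_BANDS), _band(total, PL_BANDS)
    if sil_band is None or pl_band is None:
        return {"pfhd": total, "sil": None, "pl": None}
    return {"pfhd": total,
            "sil": min(sil_band, min(s.sil_cl for s in subsystems)),
            "pl": min(pl_band, min(s.pl for s in subsystems))}  # "a" < ... < "e"


def level_is_sufficient(achieved, sil_r=None, pl_r=None):
    """True when the achieved level meets the required SIL and/or PL."""
    if sil_r is not None and (achieved["sil"] is None or achieved["sil"] < sil_r):
        return False
    if pl_r is not None and (achieved["pl"] is None or achieved["pl"] < pl_r):
        return False
    return True


# The slide's chain ("values only as example"); PTE = 0 here because the slide's
# sum (20 + 1 + 3) x 10^-8 carries no separate transmission error term.
CHAIN = [Subsystem("sensor", 2, "d", 2e-7),
         Subsystem("safety PLC", 3, "e", 1e-8),
         Subsystem("actuator", 3, "e", 3e-8)]

if __name__ == "__main__":
    plr = required_pl(2, 1, 2)        # serious injury, short exposure, scarcely avoidable
    silr = required_sil(3, 5, 4, 3)   # the finger-pinching example: Se 3, Cl 12
    got = achieved_level(CHAIN)
    print(f"PLr {plr}, SILr {silr}; chain reaches SIL {got['sil']} / PL {got['pl']} "
          f"at {got['pfhd']:.1e}/h; sufficient: {level_is_sufficient(got, silr, plr)}")
```

The cap by the weakest subsystem matters as much as the sum: a chain whose PFHD lands in the SIL 2 band still only reaches SIL 1 if one subsystem carries a SIL 1 claim limit, which is what the SIL CL SYS <= lowest rule on the slide enforces.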
The way to a safe machine
Step: documentation
• Safety plan: safety plan, verification plan, ...
• Risk analysis: risk analysis
• Specification: specification, manuals
• Realisation: select devices (data sheets, ...), mounting (wiring diagrams), program (software documentation)
• Test: test reports
• Verification: verification reports
• Validation: documentation conforming to the Machinery Directive (CE)
The vision ...
• Task 1: Integration of safety communication: the safety controller (F-Host) and the safety inputs / outputs share the DP/PA bus with the standard inputs / outputs, drives, robots, limit switches, laser scanners and light curtains (e.g. E-Stop)
• Task 2: Integration into the conventional, standard controller
• Same features as with standard devices, e.g. device/module replacement at runtime
PROFIsafe objectives
Safety related communication to protect people
• A safety function is performed through a control system using specific safety related devices
• PROFIBUS, PROFINET, IO-Link, ...
• Black channel principle: the safety layer does not rely on the integrity of the underlying transport
• Correct transmission of safety related information
• Door position, E-Stop, limited speed, ...
Detection of alteration of telegrams
• To avoid malfunction of the machine
• Systematic and random failure approach
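A generic sketch of the black channel principle as an added illustration (not code from the slides, from Siemens or from the PROFIsafe specification): the safety layer adds a connection id, a consecutive number, a watchdog and a CRC to each telegram and so detects corrupted, repeated, lost, inserted and late telegrams caused by random or systematic faults. The telegram layout, watchdog time and CRC here are assumptions and not the PROFIsafe format, polynomial or state machine. The last function shows what the safety layer by design does not cover: a party that can write to the black channel can rewrite the F-data and recompute a plain CRC, so keeping such a party off the channel is the job of the security measures around the PROFIsafe island, not of the safety protocol.

```python
"""Generic sketch of the black channel principle: a safety layer on top of an
untrusted transport. Added illustration; it is NOT the PROFIsafe telegram format,
CRC polynomial or state machine, and the constants below are assumptions."""
import struct
import zlib

WATCHDOG_MS = 200   # assumed F-watchdog time
MAX_SEQ = 256       # assumed width of the consecutive number (one byte)


def build_telegram(conn_id, seq, payload):
    """Body = connection id (2 bytes) + consecutive number (1 byte) + F-data,
    followed by a CRC-32 over the whole body."""
    body = struct.pack(">HB", conn_id, seq % MAX_SEQ) + payload
    return body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


class SafetyReceiver:
    """Checks each telegram; on any fault it latches the safe state."""

    def __init__(self, conn_id):
        self.conn_id = conn_id
        self.expected_seq = 0
        self.last_ok_ms = None
        self.safe_state = False

    def check(self, telegram, now_ms):
        """Return the accepted F-data bytes, or a 'FAULT: ...' string."""
        if self.safe_state:
            return "FAULT: safe state latched, operator acknowledgement required"
        if len(telegram) < 7:
            return self._fail("FAULT: short telegram")
        body, crc = telegram[:-4], struct.unpack(">I", telegram[-4:])[0]
        if zlib.crc32(body) & 0xFFFFFFFF != crc:
            return self._fail("FAULT: CRC mismatch (corruption)")
        conn_id, seq = struct.unpack(">HB", body[:3])
        if conn_id != self.conn_id:
            return self._fail("FAULT: foreign connection id (insertion or misrouting)")
        if seq != self.expected_seq:
            return self._fail(f"FAULT: consecutive number {seq}, expected "
                              f"{self.expected_seq} (repetition, loss or wrong sequence)")
        # Simplification: the watchdog is only evaluated on receipt; a real
        # implementation also trips it when nothing arrives at all.
        if self.last_ok_ms is not None and now_ms - self.last_ok_ms > WATCHDOG_MS:
            return self._fail("FAULT: watchdog expired (delay)")
        self.expected_seq = (seq + 1) % MAX_SEQ
        self.last_ok_ms = now_ms
        return body[3:]

    def _fail(self, reason):
        self.safe_state = True
        return reason


def forge_with_valid_crc(telegram, new_payload):
    """Not covered by the safety layer: whoever can write to the black channel can
    replace the F-data and recompute the plain CRC. Keeping such a party off the
    channel is the job of the security measures around the PROFIsafe island."""
    body = telegram[:3] + new_payload
    return body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


def run_scenario():
    """Exercise the detection paths with constructed telegrams."""
    cid = 0x1234
    closed = build_telegram(cid, 0, b"\x01")    # constructed F-data: guard door closed
    closed1 = build_telegram(cid, 1, b"\x01")
    out = {}

    rx = SafetyReceiver(cid)
    out["accepted"] = rx.check(closed, 0) == b"\x01" and rx.check(closed1, 50) == b"\x01"

    rx = SafetyReceiver(cid)
    bit_flip = bytearray(closed)
    bit_flip[3] ^= 0x01                          # random corruption on the wire
    out["corruption"] = rx.check(bytes(bit_flip), 0)

    rx = SafetyReceiver(cid)
    rx.check(closed, 0)
    out["repetition"] = rx.check(closed, 50)     # same consecutive number again

    rx = SafetyReceiver(cid)
    rx.check(closed, 0)
    out["delay"] = rx.check(closed1, WATCHDOG_MS + 1)

    rx = SafetyReceiver(cid)
    rx.check(closed, 0)
    open_door = build_telegram(cid, 1, b"\x00")         # sender reports the door open
    forged = forge_with_valid_crc(open_door, b"\x01")   # on-path rewrite to "closed"
    out["forged_accepted"] = rx.check(forged, 50) == b"\x01"
    return out


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(f"{name}: {result}")
```

Every fault path ends in the latched safe state, which is the safety answer to a random error; the forged telegram shows why the deck goes on to put PROFIsafe islands behind security gates, firewalls and VPNs.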
PROFIsafe in real life
Linked machines / linked plants
• Production lines
Wireless communication
• Controller <-> Controller
• Controller <-> Device (mobile panel)
Remote and / or maintenance station
• Monitoring and engineering functions
PROFIsafe Islands
Example ropeways: station <-> cabin
Network diagram (text rendering of the slide figure):
• Internet with VPN connections for remote maintenance and remote customer services, each terminated at a firewall in front of the Industrial Ethernet backbone
• Production PC and local service PC, each with security client software, attached to the backbone (local commissioning)
• A security gate in front of each security zone
• Each security zone contains its own PROFINET IO and PROFIBUS DP segments, forming a PROFIsafe island
Safety & Security
IEC 61508 Part 1
7.4.2.3 The hazards, hazardous events and hazardous situations of the EUC and the EUC control system shall be determined under all reasonably foreseeable circumstances (including fault conditions, reasonably foreseeable misuse and malevolent or unauthorised action). This shall include all relevant human factor issues, and shall give particular attention to abnormal or infrequent modes of operation of the EUC. If the hazard analysis identifies that malevolent or unauthorised action, constituting a security threat, as being reasonably foreseeable, then a security threats analysis should be carried out.
NOTE 1 For reasonably foreseeable misuse see 3.1.14 of IEC 61508-4.
NOTE 2 For guidance on hazard identification including guidance on representation and analysis of human factor issues, see reference [11] in the bibliography.
NOTE 3 For guidance on security risks analysis, see IEC 62443 series.
NOTE 4 Malevolent or unauthorised action covers security threats.
NOTE 5 The hazard and risk analysis should also consider whether the activation of a safety function due to a demand or spurious action will give rise to a new hazard. In such a situation it may be necessary to develop a new safety function in order to deal with this hazard.
New considerations
Principles similar to IEC 61508:
IEC 61508
• Functional Safety Management
• SIL (Safety Integrity Level)
• One safety function for one risk (harm)
• One SIL for one safety function
• Machine specific evaluation
ISA and IEC standard in progress: IEC 62443
• Functional Security Management
• SL (Security Level)
• No security function but SL vectors
• One value in the vector corresponds to one class of attack (one foundational requirement)
• Plant specific evaluation
Risk reduction according to IEC 61508 (revisited)
Diagram (text rendering): on an axis of increasing risk, the residual risk lies below the acceptable risk, which lies below the Equipment Under Control (EUC) risk. The required risk reduction spans from the EUC risk down to the acceptable risk; the effective risk reduction is the sum of what is:
• covered with E/E/PE systems
• covered with other technologies (not electrical: mechanical, hydraulic, ...)
• covered with external means and measures
Security measures are not excluded from the effective risk reduction!
IEC TC44 decision, modified
Machine safety (OEM, machine builder):
• Legal requirement: Machinery Directive
• Risk analysis including security threats relevant for safety considerations; safety required: PL/SIL
• F-measures including security measures and requirements to the environment
• Basic security for new systems*
• Risk analysis only during the design phase; transition at CE mark or FAT
Security (system integrator, final user):
• Free application of ISA 99 / IEC 62443
• Security risk analysis; security required: SL
• Security measures and, if necessary, consequences for the safety risk analysis
• Risk analysis to be done periodically or as required
The security threats identified on the security side feed the machine safety risk analysis.
IEC TC44 Plenary London September 2012, confirmed Clearwater 2014
Decision
TC 44 considers that security threats identified by the machine manufacturer related to accessible interfaces of electrical devices should be recorded in the documentation accompanying the machine. A risk analysis of the security threats to the machine should be taken by the user who can then take measures to avoid them at the system level. This information should be taken into consideration by TC 44 convenors and will be conveyed to TC 65.
Practical consequences:
Safety related communication to protect people
• The machine manufacturer identifies accessible interfaces of electrical devices such as USB, LAN, WLAN or other interfaces.
• The machine manufacturer identifies the possible types of access (data display, modification/alteration, insertion) per type of data (user software, recipes, ...).
• The machine manufacturer describes the results in the 'information for use' of the machine.
• The device manufacturer describes the security level of these interfaces (SL vector) and the internal or external measures to improve the SL (technical data, security handbook, ...).
• The final user decides which external measures are required for his own plant.
Security: principles similar to IEC 61508
ISA and IEC standard in progress: IEC 62443
• Functional Security Management
• SL (Security Level)
• No security function but SL vectors
• One value in the vector corresponds to one class of attack (one foundational requirement)
• Plant specific evaluation
Practical workflow
• The final user defines the target SL vector from the plant specific risk analysis.
• The resulting measures are implemented by the final user or through a designated OEM. Examples of possible measures:
  • Inherently secure (no sensitive interfaces, or no access)
  • Only authorised people can access sensitive interfaces (organisational measures, e.g. security guards)
  • Activation of complementary security measures in the devices
  • Use of external protection measures
• Evaluation of the achieved SL vector
• The final user has to perform this workflow cyclically
Security Management
Security management process (Industrial IT Security Services; security management for products & systems):
1. Risk analysis: risk analysis with definition of mitigation measures
2. Policies, organizational measures: setting up of policies and coordination of organizational measures
3. Technical measures: coordination of technical measures
4. Validation & improvement: regular / event-based repetition of the risk analysis
Security management is essential for a well thought-out security concept.
Security Levels
Security levels provide a qualitative approach to addressing security for a zone
SL 1: Protection against casual or coincidental violation
SL 2: Protection against intentional violation using simple means with low resources, generic skills and low motivation
SL 3: Protection against intentional violation using sophisticated means with moderate resources, IACS specific skills and moderate motivation
SL 4: Protection against intentional violation using sophisticated means with extended resources, IACS specific skills and high motivation
Seven dimensions of the SL vector
SLs are based on the seven foundational requirements (FRs) for security:
• IAC: Identification and authentication control
• UC: Use control
• SI: System integrity
• DC: Data confidentiality
• RDF: Restricted data flow
• TRE: Timely response to events
• RA: Resource availability
Security level vectors: types
SL-C (capability): A particular component or system is capable of being configured by an asset owner or system integrator to protect against a given type of threat.
SL-T (target): The asset owner or system integrator has determined through a risk assessment that they need to protect this particular zone, system or component against this level of threat.
SL-A (achieved): The asset owner, system integrator, product supplier and/or any combination of these has configured the zone, system or component to meet the particular security requirements defined for that SL.
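The practical workflow (target SL vector from the risk analysis, measures, evaluation of the achieved vector) and the three vector types above, as an added illustration that is not code from the slides or from Siemens: SL vectors are 7-tuples in FR order, the capability of a zone is bounded per FR by its weakest component unless external measures compensate, and the evaluation lists the FRs where SL-C and SL-A fall short of SL-T. The zone, its components and all figures are constructed.

```python
"""SL vectors over the seven foundational requirements: compare the target SL-T of
a zone with the capability SL-C of its components and with the achieved SL-A.
Added illustration; the zone, its components and all figures are constructed."""
FRS = ("IAC", "UC", "SI", "DC", "RDF", "TRE", "RA")


def sl_vector(**levels):
    """Build a vector in FR order; FRs not given default to 0 (no requirement)."""
    unknown = set(levels) - set(FRS)
    if unknown:
        raise ValueError(f"unknown FR(s): {sorted(unknown)}")
    vec = tuple(int(levels.get(fr, 0)) for fr in FRS)
    if any(not 0 <= v <= 4 for v in vec):
        raise ValueError("SL values must be 0..4")
    return vec


def fmt(vec):
    """IEC 62443 notation, e.g. SL-T(IAC UC SI DC RDF TRE RA) = (2 2 3 1 2 1 2)."""
    return "(" + " ".join(str(v) for v in vec) + ")"


def zone_capability(component_slcs):
    """Without compensating measures a zone is no more capable, per FR, than its
    weakest component."""
    comps = list(component_slcs)
    return tuple(min(c[i] for c in comps) for i in range(len(FRS)))


def gaps(target, actual):
    """FRs where actual < target, mapped to (target, actual)."""
    return {fr: (t, a) for fr, t, a in zip(FRS, target, actual) if a < t}


def meets(target, actual):
    return not gaps(target, actual)


def assess(target, components, achieved):
    """One pass of the workflow: SL-T from the risk analysis, SL-C floor of the
    zone from the components, SL-A after the chosen measures."""
    zone_slc = zone_capability(components.values())
    return {"zone_slc": zone_slc,
            "capability_gaps": gaps(target, zone_slc),   # need device features or external measures
            "achieved_gaps": gaps(target, achieved),     # still open after configuration
            "compliant": meets(target, achieved)}


# Constructed target for a station zone and constructed component capabilities.
SL_T = sl_vector(IAC=2, UC=2, SI=3, DC=1, RDF=2, TRE=1, RA=2)
COMPONENTS = {
    "safety PLC": sl_vector(IAC=2, UC=2, SI=3, DC=1, RDF=2, TRE=2, RA=2),
    "HMI panel":  sl_vector(IAC=1, UC=2, SI=2, DC=1, RDF=1, TRE=1, RA=2),
    "switch":     sl_vector(IAC=2, UC=2, SI=3, DC=2, RDF=3, TRE=2, RA=3),
}

if __name__ == "__main__":
    # Constructed SL-A: IAC and RDF of the HMI were raised by external measures
    # (access only through the security gate); SI of the zone is still short.
    SL_A = sl_vector(IAC=2, UC=2, SI=2, DC=1, RDF=2, TRE=1, RA=2)
    result = assess(SL_T, COMPONENTS, SL_A)
    print("SL-T", fmt(SL_T), "zone SL-C", fmt(result["zone_slc"]), "SL-A", fmt(SL_A))
    print("capability gaps:", result["capability_gaps"])
    print("open after measures:", result["achieved_gaps"], "compliant:", result["compliant"])
```

The capability gaps are the list the final user hands to the OEM or closes with external measures; the achieved gaps are what the cyclic re-evaluation has to track until SL-A meets SL-T in every FR.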
IEC TC44 decision, modified (with SL vector types)
Machine manufacturer (OEM):
• Risk analysis including security threats relevant for safety considerations; related to effects (death, ...)
• Safety required: SILr / PLr
• F-measures including security measures and requirements to the environment
• Achieved SIL / PL; CE mark or FAT
• Delivery to the final user together with the SL-C
Device manufacturer:
• SL-C vector for devices: PLCs, DCs, PDS/SR, ...
Final user:
• Security risk analysis; related to causes ...
• Security required: SL-T
• Security measures and, if necessary, consequences for the safety risk analysis
• Achieved: SL-A
A solution is a deployed control system to fulfil the protection requirements of a plant
Plant environment:
• Asset owner: specifies the required protection level of the plant (IEC 62443 / ISA-99 Part 3-2, zones and conduits)
• System integrator: deploys the control system to the solution
Independent of the plant environment:
• Product supplier: develops the control system as a combination of components: PLCs, HMIs, PC devices, network devices, software (Part 3-3 system requirements; Series 4 components)
Asset owner view of IEC 62443 / ISA-99
General (definitions, metrics):
• 1-1 Terminology, concepts and models
• 1-2 Master glossary of terms and abbreviations (profile of ISO 27000)
• 1-3 System security compliance metrics
Policies and procedures (requirements placed on the security organization and processes of the plant owner and suppliers):
• 2-1 Requirements for an IACS security management system: security management process of the asset owner (profile of ISO 27001 / 27002)
• 2-3 Patch management in the IACS environment: patch management process of the asset owner
• 2-4 Requirements for IACS solution suppliers
System (requirements to achieve a secure system):
• 3-1 Security technologies for IACS
• 3-2 Security levels for zones and conduits: functional requirements for the output of the risk assessment of the asset owner
• 3-3 System security requirements and security levels
Component (requirements to secure system components):
• 4-1 Product development requirements (processes / procedures)
• 4-2 Technical security requirements for IACS products (functional requirements)
System integrator view of IEC 62443 / ISA-99
General (definitions, metrics):
• 1-1 Terminology, concepts and models
• 1-2 Master glossary of terms and abbreviations
• 1-3 System security compliance metrics
Policies and procedures (requirements placed on the security organization and processes of the plant owner and suppliers):
• 2-1 Requirements for an IACS security management system: security management process of the system integrator (profile of ISO 27001 / 27002)
• 2-3 Patch management in the IACS environment: patch management process of the system integrator
• 2-4 Requirements for IACS solution suppliers: security documentation, policies and procedures of the system integrator
System (requirements to achieve a secure system):
• 3-1 Security technologies for IACS
• 3-2 Security levels for zones and conduits: functional requirements for the output of the risk assessment of the system integrator
• 3-3 System security requirements and security levels
Component (requirements to secure system components):
• 4-1 Product development requirements (processes / procedures)
• 4-2 Technical security requirements for IACS products (functional requirements)
Product supplier view of IEC 62443 / ISA-99
General (definitions, metrics):
• 1-1 Terminology, concepts and models
• 1-2 Master glossary of terms and abbreviations
• 1-3 System security compliance metrics
Policies and procedures (requirements placed on the security organization and processes of the plant owner and suppliers):
• 2-1 Requirements for an IACS security management system (profile of ISO 27001 / 27002)
• 2-3 Patch management in the IACS environment: patch management process of the system and component supplier
• 2-4 Requirements for IACS solution suppliers: security documentation, policies and procedures of the system and component supplier
System (requirements to achieve a secure system):
• 3-1 Security technologies for IACS
• 3-2 Security levels for zones and conduits
• 3-3 System security requirements and security levels: functional requirements placed on the system supplier
Component (requirements to secure system components):
• 4-1 Product development requirements: development process for the component supplier (processes / procedures)
• 4-2 Technical security requirements for IACS products: functional requirements placed on the component supplier
Thank You!