[SystemSafety] "Protected" Environments

Peter Bernard Ladkin ladkin at causalis.com
Fri Nov 9 06:45:00 CET 2018


Folks,

The IEC is about to publish guidance on safety+security in industrial automated control systems
(IACS). The document is IEC TR 63069 and will be published in January 2019. It is supposed to be
guidance in the use of IEC 61508 and IEC 62443 together in designing/evaluating IACS.

A number of us have been following the progress of this document for a few years. The final result
is quite vague, largely because it contains lots of undefined terms and phrases, and its central
guidance seems to many of us to be unattainable in the current state of the art.

There are other problems; for example, it contains a table of "multiply-defined terms" in IEC 61508
and the IEC 62443 series. There are twelve such terms. One may wonder why they are deemed "multiply
defined", since some are defined in one document but not in the other (surely those should be
"singly defined terms"?). In fact, the project Harbsafe in which I work has been through IEC 61508,
the IEC 62443 series (as it was in January 2017; other parts have been published since), as well as
Guide 51 (guidance on what must be in all standards which have safety aspects, namely adequate risk
analysis) and Draft Guide 120 (as it was; it has now been published: guidance on what must be in all
standards which have cybersecurity aspects). There are in fact 68 multiply-defined terms.

This fact was fed in through the usual IEC procedures as comment on a draft of 63069. I believe it
was filtered out.

That says a lot about the intellectual standard of this work.

The central premise/guidance is that it is for cybersecurity specialists to establish a "security
environment" (a key term, not well defined) in the IACS, within which environment safety engineers
can go about analysing and designing their safety functions under the assumption that cybersecurity
is assured. Let me call this CP.

So, for example, you have your control computer sitting in building A and the controlled system in
building B (often the case with turbines and generators and so on, so that when they self-destruct
the damage is limited). The cables transmitting sensor information to the controller and control
information to the equipment actuators run between the buildings, and there might be a repeater or
two. Since a "security environment" is presumed to have been established, engineers designing the
protocols and commissioning the equipment with which this communication is effected can assume
everything they deal with is cybersecure. So, for example, there might be a need for CRC, but there
is no need for message encryption under this assumption.

If there is no need for message encryption, then an employee with access can run a MITM attack
from/through one of the repeaters.

Duuuh.

Unfortunately, this has consequences. Such thinking may well affect how cybersecurity is handled in
the next edition of IEC 61508.

Hence my question. Does anyone know of an actual civilian safety-related system which is equipped
with such an impenetrable "security environment"?

The reason for my question is as follows. Standards are supposed to reflect the state of the art. If
there isn't such a system (actually, if there aren't lots of them), then this proposed architecture
is pie-in-the-sky and accordingly shouldn't be reflected in a standards document.

PBL

Prof. Peter Bernard Ladkin, Bielefeld, Germany
MoreInCommon
Je suis Charlie
Tel+msg +49 (0)521 880 7319  www.rvs-bi.de
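Editor's added example, not part of the post above and not anyone's IACS protocol: the repeater scenario carried through in code. A CRC trailer catches line noise, but an insider sitting at a repeater can rewrite the setpoint and recompute the CRC, so the controlled equipment accepts the forged frame. The property that defeats this is message authentication (here an HMAC keyed with a secret the repeater does not hold, plus a sequence number against replay), which is distinct from encryption: encrypting a frame hides its contents but does not by itself stop a forgery from verifying. The frame layout, the setpoint values and the key are constructed for the example.

```python
import hashlib
import hmac
import struct
import zlib

# Constructed frame layout (an assumption for this example, not a real IACS protocol):
# big-endian uint16 sequence number, uint8 actuator id, float32 setpoint.
FRAME_FMT = ">HBf"
FRAME_LEN = struct.calcsize(FRAME_FMT)
CRC_LEN = 4
MAC_LEN = hashlib.sha256().digest_size


def encode_crc_frame(seq: int, actuator: int, setpoint: float) -> bytes:
    """Frame protected only against random corruption: body + CRC-32."""
    body = struct.pack(FRAME_FMT, seq, actuator, setpoint)
    return body + struct.pack(">I", zlib.crc32(body))


def decode_crc_frame(frame: bytes):
    """Return (seq, actuator, setpoint) if the CRC checks, else None."""
    if len(frame) != FRAME_LEN + CRC_LEN:
        return None
    body, trailer = frame[:FRAME_LEN], frame[FRAME_LEN:]
    if zlib.crc32(body) != struct.unpack(">I", trailer)[0]:
        return None
    return struct.unpack(FRAME_FMT, body)


def encode_mac_frame(key: bytes, seq: int, actuator: int, setpoint: float) -> bytes:
    """Frame protected against deliberate modification: body + HMAC-SHA256 tag."""
    body = struct.pack(FRAME_FMT, seq, actuator, setpoint)
    return body + hmac.new(key, body, hashlib.sha256).digest()


def decode_mac_frame(key: bytes, frame: bytes, last_seq: int):
    """Return (seq, actuator, setpoint) if the tag verifies and the sequence number is
    fresh, else None. last_seq is the highest sequence number already accepted."""
    if len(frame) != FRAME_LEN + MAC_LEN:
        return None
    body, tag = frame[:FRAME_LEN], frame[FRAME_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    seq, actuator, setpoint = struct.unpack(FRAME_FMT, body)
    if seq <= last_seq:  # replayed or reordered frame
        return None
    return seq, actuator, setpoint


def repeater_mitm(frame: bytes, new_setpoint: float) -> bytes:
    """An employee with access to a repeater rewrites the setpoint in transit.
    For a CRC frame the attacker simply recomputes the CRC over the new body. For a
    MAC frame the attacker lacks the key and can only leave the old tag in place."""
    seq, actuator, _ = struct.unpack(FRAME_FMT, frame[:FRAME_LEN])
    new_body = struct.pack(FRAME_FMT, seq, actuator, new_setpoint)
    if len(frame) - FRAME_LEN == CRC_LEN:
        return new_body + struct.pack(">I", zlib.crc32(new_body))
    return new_body + frame[FRAME_LEN:]


def demo() -> dict:
    """Run both channels through the same MITM; constructed values throughout."""
    key = b"pre-shared key held only by controller and actuator"  # constructed
    legit, hostile = 1500.0, 9000.0  # rpm setpoints, exactly representable as float32

    crc_frame = encode_crc_frame(1, 7, legit)
    crc_forged = decode_crc_frame(repeater_mitm(crc_frame, hostile))

    mac_frame = encode_mac_frame(key, 1, 7, legit)
    mac_genuine = decode_mac_frame(key, mac_frame, last_seq=0)
    mac_forged = decode_mac_frame(key, repeater_mitm(mac_frame, hostile), last_seq=0)
    mac_replayed = decode_mac_frame(key, mac_frame, last_seq=1)

    return {
        "crc_accepts_forged_setpoint": crc_forged[2] if crc_forged else None,
        "mac_accepts_genuine": mac_genuine,
        "mac_accepts_forged": mac_forged,
        "mac_accepts_replay": mac_replayed,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the MAC branch is that the repeater can still see and drop frames, so availability and confidentiality are separate questions; what the key buys is that a forged or replayed control message is rejected rather than acted on, which is the failure the CRC-only design cannot detect.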