Thursday, February 12, 2015

Cyber Security - Read beyond the headlines!

Lately I have been attending a number of data security events to update my knowledge about the area, and also to see how it relates to process control and process safety. Over the past two decades much process control software has moved to standard off-the-shelf commercial hardware and operating systems. This has brought with it exposure to the cyber threats which before were only a concern of the corporate IT department, and hence the people in charge of maintaining process control software are faced with threats to the process control systems similar to those the office systems have faced for decades.

At a recent event I picked up a report from one company about IT security in 2014. On the front page was the picture to the left, which I think describes the current situation quite well. The hard sphere in the middle is the corporate IT systems or process control systems. The spikes are the defenses implemented to protect these systems against the many threats from the outside. The picture clearly indicates that the defenses are not perfect. There are places, probably many, where threats can hit the systems.

But let us take a closer look at what is actually written in a report such as the one I have read, and what it could mean for process control and process safety systems.

In the area of data loss the report comes with the following statements:

  1. In 25% of healthcare and insurance institutions examined, HIPAA-protected health information was sent outside of the organization.
  2. In 33% of financial institutions scanned, credit card information was sent outside of the organization.
My first question is: in these two situations, how often was the transfer of information part of a legitimate business transaction, e.g. transfer of information to a customer? Secondly, what was the frequency of such transfers in the institutions examined or scanned? And what does "examined" or "scanned" mean?

What does this mean for process control and process safety systems? I think it means that we should be careful with permanent electronic communication paths from and to these systems. I would be more concerned about the "to" path. However, the "from" path could give competitors information about your control strategies.

Another of the five areas discussed in the report is what is called high-risk applications. About these the following statements are made:

  1. In 86% of organizations at least one high-risk application was used.
  2. In 85% of organizations Dropbox was found.
Again my first question is how often was a high-risk application used? And was there a legitimate business case for using it, such as, for example, using a remote administration tool through an SSH tunnel from an employee's home in order to avoid a trip to the company during off-hours? And about Dropbox: was it found because employees used it to share private photos with co-workers? What was the frequency of Dropbox use in the organizations which were using it? Was there a business case for using it, e.g. being more secure than a USB stick?

In the area of malware the following statements are made:

  1. In 84% of organizations a malicious file was downloaded.
  2. Every minute a host accesses a malicious website.
  3. Every 10 minutes a host downloads malware.
  4. 30% of hosts do not have updated software versions.
  5. 70% of organizations had at least one bot detected.
Again my first question would be about the frequency of downloads of malicious files. The frequencies under points 2 and 3 are completely meaningless without information about the number of hosts involved in the study. And who downloads malware in the middle of the night? Point 4 is rather positive, since it means that 70% of the computers in this "research" have the latest software versions installed. Similarly, it is encouraging that the defenses in 70% of the involved organizations actually worked.

Obviously one should not be downloading any files directly to process control or process safety systems. I think the report I picked up at that data security conference is attempting to paint a very black picture of the security situation, and that simple procedures and education of employees can deal with most of the issues considered so far.

The real problem for the people attempting to make process control and process safety systems secure is the explosion in the number of unknown malware, i.e. malware that no one has seen before. From 2012 to 2013 the number of new pieces of malware more than doubled. This is malware which your defense systems don't yet have a defense against. Here I would think the best approach would be to limit the number of paths into the system, and only have paths available when needed, e.g. by using SSH tunneling.

Even in the area of unknown malware the report comes with statements such as these:

  1. 2.2 pieces of unknown malware hit an organization every hour.
  2. 33% of organizations downloaded at least one infected file with unknown malware.
  3. 35% of files infected with unknown malware are PDFs.
The first piece of data is useful, since we can use it to estimate how many organizations were involved in the study. The report states that in 2013 83,000,000 pieces of unknown malware were created. That is about 227,000 each day or about 9,500 each hour. If each of those samples hit exactly one organization, the "research" would involve between 4,000 and 5,000 organizations (9,500 / 2.2 is about 4,300).

I find it a bit amusing that IT people have to create statements such as the ones exemplified here to get the attention of management. It is somewhat equivalent to having fires, explosions or leaks to get management attention to process safety. I don't think that is a good road to take. What do you think?

Sunday, February 08, 2015

Functional Safety and Functional Modelling - Is there a synergy?

Functional safety is the international norm for how a single safety function is designed, implemented and maintained. Functional modelling is an AI tool for building models of engineered systems, which allows one to reason about the behavior of the system. On the surface one might think the two are related, but they are not!

However, the question is whether the application of functional models during the design, operation and maintenance of process safety systems would allow a deeper insight.

The IEC 61508 Standard

The IEC 61508 standard is the de facto norm for how a safety function in new or modernized process plants is designed, tested, operated and maintained. On the website of the International Electrotechnical Commission, functional safety is explained based on the following definition of safety:

Safety is freedom from unacceptable risk of physical injury or of damage to the health of people, either directly, or indirectly as a result of damage to property or to the environment

IEC provides the following two definitions of functional safety:
  • Functional safety is the part of the overall safety that depends on a system or equipment operating correctly in response to its inputs, or
  • Functional safety is the detection of a potentially dangerous condition resulting in the activation of a protective or corrective device or mechanism to prevent hazardous events arising or providing mitigation to reduce the consequence of the hazardous event.
They also provide the following two examples of what is functional safety:

  • The detection of smoke by sensors and the ensuing intelligent activation of a fire suppression system, and
  • The activation of a level switch in a tank containing a flammable liquid, when a potentially dangerous level has been reached, which causes a valve to be closed to prevent further liquid entering the tank and thereby preventing the liquid in the tank from overflowing
They also provide examples of what is not functional safety:
  • A fire resistant door or insulation to withstand high temperatures are measures that are passive in nature and can protect against the same hazards as are controlled by functional safety concepts but are not instances of functional safety
From this I conclude that functional safety systems in the eyes of the standard IEC 61508 (and its process industry companion IEC 61511) are systems which perform an action to prevent something occurring in a process, such as a power plant, a refinery or a chemical plant, from having a negative impact on the process (the artifact). However, since passive safety features are often important, for example in mitigating the impact of a process safety event, I think process safety overall would benefit from tools which allow one to consider both active and passive safety functions.

Be careful where to read about things!

Just out of curiosity let us look at what the Wikipedia page "Functional Safety" says about functional safety:
  • Functional Safety is the part of the overall safety of a system or piece of equipment that depends on the system or equipment operating correctly in response to its inputs, including the safe management of likely operator errors, hardware failures and environmental changes.
This definition - to me - makes very little sense. I can understand that functional safety is part of overall safety. Maybe even that it is related to the system or equipment operating correctly in response to its inputs. But I don't understand the limitation to safe management of likely operator errors. What about unlikely operator errors? Does "likely" also apply to the hardware failures and environmental changes? This shows the danger of not being very critical of which internet resources one uses in a professional capacity.

The Wikipedia website goes on to state that the objective of functional safety is:
  • Freedom from unacceptable risk of physical injury or of damage to the health of people either directly or indirectly (through damage to property or to the environment). (A)
That is simply a statement of what safety in general is all about. Nothing specific to functional safety in that objective. Further under the objective headline the following is stated:
  • Functional Safety is intrinsically end-to-end in scope in that it has to treat the function of a component or subsystem as part of the function of the whole system. This means that whilst Functional Safety standards focus on Electrical, Electronic and Programmable Systems (E/E/PS), the end-to-end scope means that in practice Functional Safety methods have to extend to the non-E/E/PS parts of the system that the E/E/PS actuates, controls or monitors.
Following these - in my view - rather muddy definitions Wikipedia goes on to describe how functional safety is achieved. It states that functional safety is achieved through a five point process, which includes: identifying, assessing, designing, verifying and auditing.
Wikipedia unfortunately doesn't describe these steps to a reasonable extent before the site goes on to describe how functional safety is certified and finally lists a fairly large number of standards said to be related to functional safety.

The concept of functional safety

I think it would be beneficial if there were a clearer distinction between functional safety as a concept and a standard for designing, implementing and maintaining a functional safety function, such as IEC 61508 or IEC 61511.

Functional modelling, such as Multilevel Flow Modelling (MFM), which has been used to study loss of cooling in nuclear power plants, allows the designer to reason about possible causes and consequences of a functional safety function deviating from its design intent.

The Functional Safety Life Cycle

Further searching shows that there is something called the functional safety life cycle. The figure below is borrowed from Rockwell Automation.

This figure more clearly shows the 5 steps involved in the establishment and maintenance of functional safety systems, or rather functions. The first step is, not unexpectedly, assessment of the risks and hazards to be dealt with. The second step is the specification of the safety requirements, and the third is the dual step of designing the safety system and verifying the design against the requirements from step 2. The fourth step is the installation or construction of the system and validation that it is working as required. Finally, the fifth step is continuous maintenance and improvement, i.e. repeating steps 1 to 4 at appropriate times. However, unfortunately, as is evident from the figure, the focus is on machinery applications.

Another source of information about functional safety is The 61508 Association, which is concerned with the effective achievement of compliance with the IEC 61508 functional safety standard. On the association's website a clear definition of a functional safety system may be found:
  • a functional safety system detects a potentially dangerous condition and causes corrective or preventative action to be taken
This also makes it clear that functional safety is the set of tasks involved in the identification, design, installation and maintenance of such systems. And as is pointed out further down the page, the only difference between a process control system and a functional safety system is the reference to danger in the above definition.

Back on the IEC 61508 website it is stated about functional safety that: "It is fundamental to the enabling of complex technology used for safety-related systems. It provides the assurance that the safety-related systems will offer the necessary risk reduction required to achieve safety for the equipment."

So essentially we have a standard way of establishing safety functions, such as the one described at the start of this post. So the standard is simply a norm for how things should be done in order to be in compliance. But is it enough to be in compliance?

IEC 61508 is the international standard for electrical, electronic and programmable electronic safety-related systems. It sets out the requirements for ensuring that systems are designed, implemented, operated and maintained to provide the required safety integrity level (SIL). Four SILs are defined according to the risks involved in the system application, with SIL 4 being used to protect against the highest risks. The standard specifies a process that can be followed by all links in the supply chain so that information about the system can be communicated using common terminology and system parameters.
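To make the relation between SIL, probability of failure on demand and risk reduction concrete, here is an added example (my own illustration, not code from the standard, the association or any of the references). It uses the low-demand SIL bands of IEC 61508-1, and assumes the usual first-order simplification of the IEC 61508-6 expressions for a single-channel (1oo1) loop, PFDavg = lambda_DU x TI / 2, which ignores repair time, diagnostic coverage and common-cause failures. All failure rates, frequencies and intervals are constructed numbers.

```python
"""Added example (not from the original post): relate a safety
function's average probability of failure on demand (PFDavg) to the
IEC 61508 safety integrity level (SIL) and risk reduction factor (RRF),
and check a simple 1oo1 loop against a risk target.

Assumptions: low-demand SIL bands per IEC 61508-1; the 1oo1 PFDavg
formula lambda_DU * TI / 2 is a first-order simplification of
IEC 61508-6 and ignores repair time, diagnostic coverage and
common-cause failures. All numeric inputs are constructed."""

from typing import Optional

# Low-demand mode bands: (SIL, PFDavg lower bound inclusive, upper bound exclusive).
SIL_BANDS = (
    (4, 1e-5, 1e-4),
    (3, 1e-4, 1e-3),
    (2, 1e-3, 1e-2),
    (1, 1e-2, 1e-1),
)


def sil_from_pfd(pfd_avg: float) -> Optional[int]:
    """SIL achieved by a function with the given PFDavg.

    Returns None when PFDavg >= 0.1, i.e. the function does not even
    reach SIL 1. A PFDavg below 1e-5 is reported as SIL 4: the standard
    defines no band below that for a single E/E/PE safety function.
    """
    if pfd_avg <= 0:
        raise ValueError("PFDavg must be positive")
    if pfd_avg < 1e-5:
        return 4
    for sil, low, high in SIL_BANDS:
        if low <= pfd_avg < high:
            return sil
    return None


def rrf_from_pfd(pfd_avg: float) -> float:
    """Risk reduction factor delivered by the function: RRF = 1 / PFDavg."""
    return 1.0 / pfd_avg


def pfd_1oo1(lambda_du_per_hour: float, proof_test_interval_hours: float) -> float:
    """First-order PFDavg of a 1oo1 loop: lambda_DU * TI / 2 (assumption, see module docstring)."""
    return lambda_du_per_hour * proof_test_interval_hours / 2.0


def required_rrf(unmitigated_per_year: float, tolerable_per_year: float) -> float:
    """Risk reduction the safety function must provide to bring the hazard
    from its unmitigated frequency down to the tolerable frequency."""
    return unmitigated_per_year / tolerable_per_year


def sil_required(rrf: float) -> Optional[int]:
    """SIL band that a required RRF falls into (the PFDavg target is 1 / RRF)."""
    return sil_from_pfd(1.0 / rrf)


def meets_target(pfd_avg: float, rrf: float) -> bool:
    """True when the achieved PFDavg is at or below the target PFDavg = 1 / RRF.

    Note that being in the same SIL band as the target is not enough: a
    SIL 2 loop at the bottom of the band can still miss a SIL 2 target
    that sits at the top of it.
    """
    return pfd_avg <= 1.0 / rrf


if __name__ == "__main__":
    # Constructed case: a hazard at 0.1/year that must come down to 1e-4/year,
    # protected by one loop with lambda_DU = 1e-6/h and a yearly proof test.
    rrf_needed = required_rrf(0.1, 1e-4)   # 1000 -> top of the SIL 2 band
    pfd = pfd_1oo1(1e-6, 8760)             # 4.38e-3 -> SIL 2, RRF about 228
    print(f"required RRF {rrf_needed:.0f} -> SIL {sil_required(rrf_needed)}")
    print(f"achieved PFDavg {pfd:.2e} -> SIL {sil_from_pfd(pfd)}, RRF {rrf_from_pfd(pfd):.0f}")
    if meets_target(pfd, rrf_needed):
        print("target met")
    else:
        print("target NOT met: shorten the proof-test interval, use a better device, or add redundancy")
```

Run as a script it shows the point that a SIL band is a coarse label: the constructed loop lands in SIL 2, and so does the target, yet the loop delivers an RRF of about 228 against a required 1000. The decision has to be made on the PFDavg numbers, not on the band alone.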

SILs are a way of defining how much extra protection the functional safety system is to provide compared with the base process system, including the normal control functions, as seen here:

The above table is from the website of The 61508 Association. The IEC 61508 standard has eight parts:
  • Part 0: Functional safety and IEC 61508,
  • Part 1: General requirements,
  • Part 2: Requirements for E/E/PE safety-related systems,
  • Part 3: Software requirements,
  • Part 4: Definitions and abbreviations,
  • Part 5: Examples of methods for the determination of safety integrity levels,
  • Part 6: Guidelines on the application of IEC 61508-2 and IEC 61508-3, and
  • Part 7: Overview of techniques and measures.
The standard is the basis for a number of industry specific standards, such as
  • IEC 61511 Process industries
  • IEC 61513 Nuclear power plants
  • IEC 62061 Machinery sector
It should be noted that the standard also includes guidelines related to the competence of those involved in the safety lifecycle and on the management of this life cycle. I wonder if these guidelines are a consequence of the flatter organisational structures now in use, in which management is no longer able to judge the competencies of the people they employ without specific field-related help. Similarly the general duties of management have to be supplemented with guidelines specific to the management of the safety lifecycle. What has happened to the general skills of managers?

An interesting reference in this connection is The Safety Lifecycle Workbook. A cursory reading indicates that there is more focus on documenting that you have done all the work according to a specific standard or norm than on ensuring that management and operation are continuously improved from day to day in an ongoing learning process. The focus appears to be on keeping the lawyers at bay!

Each functional safety system appears to be designed to protect against a particular initiating event, to avoid one or more possible consequences of that event. Such an approach could miss complex process safety events, such as material or energy balances experiencing large deviations.


To me it seems very clear that the "functional" in functional safety, functional safety competency, functional safety system and functional safety management unfortunately has very little relation to the subject of functional modelling in general and multilevel flow modelling in particular.

However, I am quite certain that the safety life cycle would benefit from the use of functional modelling, such as multilevel flow modelling (MFM), during design, operation and maintenance. The functional models would allow qualitative simulations to uncover why a goal is missed and what the possible consequences may be.

Functional models, such as MFM, would in my opinion allow exploitation of defense in depth strategies in a systematic way.

References for further reading:

  1. IEC Functional Safety website. This reference has clear definitions and FAQ pages for both the current and previous edition of the standard.
  2. Wikipedia: Functional Safety. This reference is poorly written and not structured for a person unfamiliar with the topic.
  3. B. Stone (2013): "How to navigate the ISO Functional Safety Standards", The Journal, Rockwell Automation, September. Online publication available at This reference is focused on machinery safety, which has its own series of standards.
  4. The 61508 Association website.
  5. C. Miller and J.M. Salazar (2010): "The Safety Lifecycle Workbook", Emerson Process Management. This reference gives a good picture of the huge amount of documentation needed during the safety lifecycle steps.