At the recent ABB Automation and Power World 2013 (APW2013), it was pointed out during a panel interview of Process Automation experts that in many languages around the world, a single word has a shared meaning for both security and safety; in traditional Chinese: 安全, Spanish: seguridad, French: sécurité, German: sicherheit, Russian: безопасность, Swedish: säkerhet, and at least 36 others¹.

From this, one might draw the conclusion, that in many cultures, these two English words are indistinguishable, or perhaps should be. By contrast, in process businesses around the globe, the two subjects are frequently treated as completely separate topics and specialties. Historically, safety has related to protecting the process and people through the use of mechanical intervention, automated systems, and training. Security has generally been the subject of preventing unauthorized access to facilities and corporate intellectual property using physical barriers, automated systems, protection personnel, and in more recent years, cyber protection methods. In most cases, the individual items in either area were probably sourced from separate suppliers.

But now in the 21^st century, should we really be thinking in terms of combined or integrated safety and security, and perhaps as important, looking to single sourcing an overall safety and security solution? We normally try to keep this blog from being a direct advertisement for ABB products, but on this subject, I am going to take an exception.

In the APW2013 Technology & Solutions Center, attendees were able to get a vision of the possibility to accomplish this blanket approach. On the traditional safety side, one could find everything from mechanical safety connected to robotics area entry protection and a variety of machine safety products available from the Low Voltage business unit, to integrated process safety with System 800xA High Integrity SIL2/3 integrated safety automation and the operator effectiveness features of the System 800xA Operator Workplace that can place safety procedures, material safety datasheets and other important safety documentation at the fingertips of plant personnel with just the right-click of a mouse. Integrated Fire & Gas safety solutions common in the Oil & Gas industries are also available. Even the Software Pavilion had examples of safety with the Ventyx eSom electronic mobile procedures capability related to lockout-tagout electrical and maintenance safety procedures. And should your needs include low and medium voltage switchgear, or high voltage products, ABB can deliver a full range of solutions with best-in-class safety designs.

In the traditional security environment, attendees were able to find cyber security products from Industrial Defender, one of ABB’s newest partners along with new wireless infrastructure and network management products from one of ABB’s newest acquisitions, Tropos with designs targeted at offering the best in secure, wireless networking. Security video solutions are now available with the integration of VideONet into System 800xA.  And that same automation platform with its core integration capability may be used to provide a single portal to integrate best-in-class third party building security/automation solutions to complete your full facility perimeter security needs. 

Safety and security may be two different words in the English language, but when we look at all of the great examples of the synergy between the two from the ABB Automation and Power World 2013 Technology & Solutions Center, we might be able to agree that they really are the same. 

______________

¹ According to translations done with Google Translate

So, at long last, we have come to the conclusion of the wonderful article on Security for Industrial Automation and Control Systems.

The security of computer systems in general, and of manufacturing and control systems in particular, becomes increasingly critical as different networks are connected and systems are integrated in a collaborative manufacturing environment. Users of manufacturing and control systems need to pay correspondingly increased attention to these issues. Similar to process and safety improvements, security needs to be a continuous activity. While the reality is that no security can be 100% effective, careful planning and implementation of security measures, based on a systematic risk assessment, can bring security up to a level that is adequate for any particular application and installation.

I hope you have enjoyed this series of postings and if you would like to download the entire paper, please go to the ABB Knowledge Center on Control Global (here is the link).

We would appreciate your comments or questions on this white paper, so let us know your thoughts.

This is the tenth of our series of postings on security for Industrial Automation and Control Systems.  Note:  The customary disclaimers apply.  See CAUTION note in the first posting (September 12).

************** Here is the tenth installment *******************

The automation system and all related security equipment should be kept up to date with relevant software updates, including updates to operating systems, security related software, automation system software, libraries, and applications.

For an automation system that is not connected to external networks, software updates are typically done via CD or DVD. Care should be taken to verify that the CD/DVDs are of proper origin and do not contain viruses.

In cases where the automation system is connected to an external network, updates can alternatively be downloaded via the external network. The following is an example of a process that could be used.

• The system administrator for the automation system installation, or a central engineering department, makes the updates available on a dedicated distribution server on the office or corporate network, by installing them from CD/DVD or by downloading them from a trust server, e.g. on the Internet.
• The authenticity of the origin and integrity of the content should be verified, e.g. by means of certificates and digital signatures, and all files should be scanned for viruses before they are made available on the distribution server. Preferably the files should then be protected with a digital signature.
• The files are then pulled from the distribution server through the interconnection by a system engineer or administrator working from an engineering workplace inside the automation system network zone.
• Antivirus software installed on nodes in the automation system could be configured for automatic updates of virus signature files from a dedicated distribution server in the IS or corporate network, where they are made available in the same way as other SW updates.

Also firewalls and intrusion detection systems need to have their software and rule-bases regularly updated. In the configuration described in the “Connecting to a corporate network” section of the Network Part 2 post, this gets a bit more complex. The following is an example of a process that could be used (refer to Figure 5 above):

• The person who is responsible for managing the security installation regularly either creates rules or downloads them together with relevant software updates from some secure source. The rule set and software updates should then be protected with a digital signature and made available on a distribution server, on the corporate network.
• The updates are then pulled from the distribution server through the interconnection by the security system manager working from the security management system in the demilitarized zone (see Figure 5).
• After having verified the digital signatures of the updates, the security system manager updates the firewalls and IDS systems through the security management network.

*************************

We hope you will find this series of blog postings interesting and we look forward to hearing your comments and questions.