Cybersecurity Architecture for Remote Safety Management
CCPS Latin American Conference on Process Safety
2022
9th Latin American Conference on Process Safety
General Program
Cybersecurity
Remote Safety Management could have a wide range of interpretations. Safety management can cover
two parts with different approaches.
The first is overall safety management (OSM), based on KPIs, dashboards, reports and documents. The
data presented represents strategic information for management or tactical information for triggering
actions. This information can be presented in real time as IPL (Independent Protection Layer)
management, with data representing bypasses of the safety system, critical operations in progress,
increased risk of a process under the operational condition indicated by the risk management system, etc. OSM
can also include access to historical data, safety file documentation, data books and other engineering
systems.
The second safety management issue is related to accessing the Industrial Control System (ICS),
composed of the Basic Process Control System (BPCS) and the Safety Instrumented System (SIS). The BPCS
is responsible for production performance, product quality, productivity and profitability. The SIS is the
last preventive protection layer: if something goes wrong with this system, the plant will be vulnerable to
an accident. There are other layers, but those only mitigate the consequences of an event. The
reasons for remotely accessing the ICS may be maintenance of the ICS itself or the
consequence of an action triggered by the OSM.
The methodologies for accessing the digital OSM and ICS systems are very different. OSM inherits the
characteristics of a corporate information application, so it has a native cybersecurity process. For
OSM, the typical priority order is Confidentiality, Integrity and Availability, where a loss of availability means
an operational disruption. For ICS, availability is critical: a loss of availability can result in production losses or even in
an accident.
Accessing OSM is simple and straightforward, based on authenticating the user according to their role. However,
for the ICS, due to its operational characteristics, it is necessary to apply for a work permit (WP).
Local operators also need to be informed that the ICS is being accessed remotely. Finally, for the SIS,
monitoring of the session by the local team should be added.
The lifecycle of OSM assets is different from that of ICS assets. OSM is built on the leading edge of Information
Technology (IT): its applications, computers and networks are based on assets less
than 5 years old, designed to work in cloud computing. ICS is designed for mission-critical,
non-stop operation for 5, 8 or even 15 years. There are thousands of devices over 15 years old using
the technology available when they were designed, working alongside new devices designed for the
Internet of Things (IoT) with certified cybersecurity protections. To access the ICS, it is necessary to
analyze each scenario in relation to its technology era and its integration with other systems. There
may be equipment, such as controllers and network devices, with known vulnerabilities that will need to
keep operating as they are, because it is not possible to update them with the plant in operation.
The cybersecurity protection layers for accessing an ICS must differ depending on the ICS
technology. Different access rules for the BPCS and the SIS must also be created.
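The access rules described above (role-based authentication for OSM; a work permit and operator notification for any ICS access; local-team monitoring on top of that for the SIS) can be written down as a single policy check, which makes it easy to see which control is missing for a given request. This is an added example, not code from the paper; the roles, field names and permit identifiers are constructed assumptions.

```python
"""Remote-access policy for the OSM / BPCS / SIS tiers described in the paper (constructed example)."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class Tier(Enum):
    OSM = "osm"    # overall safety management: dashboards, KPIs, reports (IT side)
    BPCS = "bpcs"  # basic process control system
    SIS = "sis"    # safety instrumented system, the last preventive protection layer


@dataclass
class AccessRequest:
    user: str
    role: str
    tier: Tier
    work_permit: Optional[str] = None     # WP identifier; required for every ICS tier
    operators_notified: bool = False      # local operators told that a remote session is open
    local_monitor: Optional[str] = None   # local team member watching the session (SIS only)


# Assumed role-to-tier mapping for illustration; a real plant derives this from its own authorisation model.
ROLE_ALLOWED = {
    Tier.OSM: {"manager", "safety_engineer", "ics_engineer"},
    Tier.BPCS: {"ics_engineer", "vendor"},
    Tier.SIS: {"sis_engineer", "vendor"},
}


def evaluate(req: AccessRequest) -> Tuple[bool, List[str]]:
    """Return (allowed, unmet_controls). Every missing control is reported, not only the first one."""
    missing: List[str] = []
    if req.role not in ROLE_ALLOWED[req.tier]:
        missing.append(f"role {req.role!r} is not authorised for {req.tier.value}")
    if req.tier is Tier.OSM:
        # OSM is a corporate application: role-based authentication is the whole check.
        return (not missing, missing)
    # ICS tiers: a work permit and operator notification are required on top of the role check.
    if not req.work_permit:
        missing.append("work permit (WP) required for ICS access")
    if not req.operators_notified:
        missing.append("local operators must be informed of the remote ICS session")
    # SIS adds one more layer: the session must be monitored by the local team.
    if req.tier is Tier.SIS and not req.local_monitor:
        missing.append("SIS session requires monitoring by the local team")
    return (not missing, missing)
```

The returned list of unmet controls is what a work-permit or access-monitoring tool would show the requester, so the denial explains which layer still has to be satisfied.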
In the ICS, operational ease is at odds with cybersecurity: the easier and more flexible the
system is, the more vulnerable it can become. The BPCS projects of ten years ago promoted the unification
and integration of systems as an ideal. Many industrial plants have a maintenance network with
access to all process interlock equipment (including the SIS), as well as asset management systems (AMS)
with access to the configuration of all the plant's measuring instruments. Inappropriate and irresponsible
access to any of these networks can be catastrophic from the operational and process security
perspective.
There are three ways to address this situation: update systems with efficient protection and segregation;
add layers of protection against cyber attacks; or monitor and prohibit remote access.
The option of prohibiting remote access may seem simple, but it is not without effort and cost. If an
access monitoring tool is not installed, there is no guarantee that the system will not be accessed.
Access can be for justifiable reasons, such as asset management of the ICS, remote maintenance of the BPCS
or SIS by the manufacturer, installation of security patches, and others.