Safety & security: Two sides of the same coin
05 March 2018
In the future, safety needs both to guarantee protection for humans and machinery and to maintain the necessary degree of flexibility and availability in the smart factory. That calls for a holistic approach to safety & security, says David Collier, machinery safety specialist at Pilz Automation Technology.
Digital data and its efficient exchange will define the production process of the future. If all communication is decentralised, the demand for secure communication will rise. That encompasses aspects of machinery safety on the one hand, and requirements such as data and IT security on the other.
The term safety denotes the functional safety of machinery or, put another way, the protection of people and the environment against threats that can arise from machinery. One option for the worst case is simply to interrupt the energy supply straight away and bring the machine to a hard stop. The traditional way of providing scope for this is by means of special safety wiring and components such as safety relays. Because this approach is very much hardware-based and therefore static, it is not particularly suitable for intelligent manufacturing processes where plant layouts continually need to be changed.
An alternative is offered by dynamic safety concepts based on an integrated view of changing automation processes and functional safety requirements. This changes the view of safety itself; it is regarded less as a hardware characteristic and more as a cross-device function. But the dynamic approach can only be implemented efficiently if functional safety is built into automation projects from the moment they are planned.
Security concerns the protection of a plant or machine from unauthorised access from outside as well as the protection of sensitive data from corruption, loss and unauthorised access from within. This includes explicit attacks as well as unintentional security incidents.
Security differs from functional safety in that its mechanisms must adapt continually to new threats, for instance by applying ad hoc updates to protect against new viruses, worms, Trojans and the like.
To respond flexibly to the prevailing threat scenario, there must also be a comprehensive, multi-layered security strategy underpinning the protection of safety applications. The core comprises the automation components. Around it sits the network via which these components communicate with other networks or, for example, with an ERP (enterprise resource planning) system. The outermost layer is the factory itself, shielded from the outside world by a dedicated firewall concept that creates a so-called demilitarised zone (DMZ).
Confidentiality vs. availability
The demands that the spheres of IT and automation place on security vary considerably. While the confidentiality of information enjoys top priority in the office environment, in the production sphere data availability comes top of the list because this is a key prerequisite for smooth production processes. The international standard IEC 62443 is designed to bring both security worlds together.
For networking, the recipe for success is “defence in depth”. The “zones and conduits” security model is defined in the standard IEC 62443. It envisages dividing an automation network up into different zones in which devices are allowed to communicate with each other. Exchanges of data with devices in other zones are only possible via a single conduit that is guarded by a secure router or a firewall and blocks all irrelevant information.
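The zones-and-conduits rule described above, as an added worked example (not Pilz code and not taken from IEC 62443 itself): devices are grouped into zones, traffic within a zone is permitted, and traffic between zones passes only through a conduit whose firewall rule lists the protocol and port. All device names, zone names and rules are constructed sample data.

```python
# Added illustration of the IEC 62443 "zones and conduits" model; not Pilz code.
# Intra-zone traffic is allowed; cross-zone traffic passes only through a conduit
# whose firewall rule lists the protocol/port. Everything else is blocked.
# All names, zones and rules here are constructed sample data.
from dataclasses import dataclass

@dataclass(frozen=True)
class Conduit:
    src_zone: str
    dst_zone: str
    allowed: frozenset  # (protocol, port) pairs the conduit's firewall lets through

@dataclass
class Network:
    zone_of: dict   # device name -> zone name
    conduits: list  # Conduit objects; direction matters (src_zone -> dst_zone)

    def decision(self, src, dst, proto, port):
        """Return ('allow', reason) or ('deny', reason) for one flow."""
        sz, dz = self.zone_of.get(src), self.zone_of.get(dst)
        if sz is None or dz is None:
            return "deny", "unregistered device"   # unknown devices never talk
        if sz == dz:
            return "allow", f"intra-zone {sz}"     # same zone: free to communicate
        for c in self.conduits:
            if (c.src_zone, c.dst_zone) == (sz, dz):
                if (proto, port) in c.allowed:
                    return "allow", f"conduit {sz}->{dz} permits {proto}/{port}"
                return "deny", f"conduit {sz}->{dz} blocks {proto}/{port}"
        return "deny", f"no conduit {sz}->{dz}"    # zones are not connected at all

# Constructed sample: a machine cell with a safety controller and a drive, a
# supervisory zone with an HMI and historian, and an enterprise zone with the ERP.
SAMPLE = Network(
    zone_of={"safety-plc": "cell", "drive-1": "cell",
             "hmi": "supervisory", "historian": "supervisory",
             "erp": "enterprise"},
    conduits=[
        Conduit("supervisory", "cell", frozenset({("tcp", 4840)})),       # OPC UA reads only
        Conduit("supervisory", "enterprise", frozenset({("tcp", 443)})),  # HTTPS to ERP only
    ],
)

def evaluate(net, flows):
    """Map a list of (src, dst, proto, port) flows to 'allow'/'deny' verdicts."""
    return [net.decision(*f)[0] for f in flows]

if __name__ == "__main__":
    for f in [("drive-1", "safety-plc", "udp", 2222), ("hmi", "safety-plc", "tcp", 22)]:
        print(f, *SAMPLE.decision(*f))
```

Note that the conduit is directional: the cell zone has no conduit back to the supervisory zone, so a connection initiated by the safety controller towards the HMI is denied even on the permitted port.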
Another protective measure for safety applications involves arming the safety systems themselves against cyber attacks. The safety-related communication data is already subject to multiple safety checks on transmission, and an assortment of methods is used so that manipulation attempts are identified far sooner by the safe end devices than with other methods of communication. But that alone is not enough. Pilz therefore also continues to work on the security aspects of its products: threat scenarios and the strengths and weaknesses of protocols and encryption methods are taken into consideration from the outset.
But even the best security measures are worthless if they are not put into practice or – worse still – are deliberately defeated because they take up too much time or due to a lack of understanding and ignorance. So technical measures alone do not suffice – they must be backed up by organisational measures underpinned by training.
For implementation, many processes and experiences from the safety sphere are directly applicable to the security sphere. The field of safety is already characterised by considerable security of investment and legal certainty. That is partly due to the need to comply with norms and standards. Terms such as Safety Integrity Level (SIL) are clearly defined worldwide, and standard classification into hazard classes and risk estimations is possible. But it is becoming increasingly important to consider the needs of the user and limit complexity from the very outset when developing solutions. Simplicity means (operator) safety.