Product development
Safe and secure at the same time
Manufacturers of automation components must take appropriate measures to ensure both the safety and security of their devices and to be protected in an increasingly networked world. The two worlds fit together more easily than is generally assumed.
The requirements placed on 'security' - i.e. ensuring the protection goals of confidentiality, integrity and availability - by the IT and automation worlds differ significantly: while the confidentiality of information has the highest priority in the office environment, the availability and integrity of data is the top priority in the production sector. On the one hand, this is an essential prerequisite for smooth production processes; on the other hand, an attack on the integrity of a safety system can result in serious accidents. For this reason, an addendum was added to chapter 7.4 'Hazard and risk analysis' in Edition 2.0 of the IEC 61508-1 standard. This states that a threat analysis should be carried out if a security threat is considered 'reasonably likely'. This means that manufacturers of safety systems in particular must address the issue of security. However, manufacturers of systems that do not implement safety-related functions should also be concerned with security in order to prevent attacks on production processes.
Lean security in demand
Currently, the security of production systems is often implemented using security components such as firewalls and VPN gateways. Industry 4.0 and IoT will increase the communication relationships between automation components and with external systems. This leads to an increase in the effort required to manage external security solutions. If wireless technologies are used, firewalls also offer only limited protection, as an attack could be carried out directly via the wireless interface and the lower protocol layers. To counteract these problems, security measures must be implemented directly in the systems.
Safety and security have clear parallels in terms of standardization and the approach to the engineering process. When it comes to implementation, many processes and experiences from the safety world can be directly transferred to the security world.
© MushroomThis is where the term 'security by design' or 'secure by design' comes into play: it describes a development approach in which the security properties of a system are already systematically considered during the design phase. This means that it is not left to chance or the judgment of individual developers to decide whether and to what extent security functions are implemented in a system. Instead, threat modeling is used to determine which threats a system is exposed to. From this, targeted measures can be derived to minimize the security risk.
In a broader sense, 'security by design' can also be understood as an approach in which the security of a product is considered holistically over the entire product life cycle. A frequently cited and well-documented example of this approach is the Security Development Lifecycle (SDL) process developed by Microsoft: at the beginning of the 2000s, negative headlines regarding security problems in Microsoft products became more frequent. This prompted the company to systematically address the issue of security, which led to the development of the SDL. Since then, many other software and device manufacturers have adopted a similar approach.
Security has therefore played a central role in traditional IT for a long time. However, the requirements cannot simply be transferred to automation due to the different priorities with regard to confidentiality and availability.
Starting point standards
IEC 62443 'Industrial communication networks - IT security for networks and systems', on the other hand, is an international series of standards, parts of which have already been adopted and comprehensively cover IT security in automation. The spectrum of topics ranges from risk analysis and best practices to the secure development of products. As a result, IEC 62443 currently offers the best guidance for system operators and device manufacturers to implement security effectively. The standard was originally defined by the ISA99 committee 'Industrial Automation and Control Systems Security' and adopted by the IEC standards committee. The individual parts of the standard are divided into four areas: General, Policies & Procedures, System and Component/Product, whereby the specific requirements are subdivided into groups - so-called 'Practices' (top left image).
Practice 1
Security management - places various requirements on the management of the development process. These include the need to have a general product lifecycle process in place, to appoint responsible persons and to train employees with regard to their role in the process and their security knowledge. Further requirements apply to the security of the development environment and the handling of subcomponents from third-party manufacturers.
Practice 2
Specification of security requirements - describes requirements for the specification of security requirements. For example, 'Product security context' specifies that the system context must be defined from a security perspective for the system to be developed. The context describes, for example, the physical security properties of the environment (e.g. the system must be operated in a closed control cabinet) and the properties of the network environment (e.g. the system must be secured by a firewall). The security context is an important input variable for threat modeling, which is also required by a requirement.
Practice 3
Secure by design - defines requirements for the design of the system. For example, recognized security techniques and design patterns such as 'Security By Design' should be used. These requirements thus implement the first interpretation of the term 'security by design'.
Practice 4
Secure implementation - the requirements here are intended to ensure that no security vulnerabilities arise due to errors in the implementation. This includes adhering to recognized coding guidelines, performing a static code analysis and carrying out a code review.
Practice 5
Security verification and validation testing - defines the type of security tests to be carried out. Requirements are also placed on the independence of the testers.
Practice 6
Management of security-related issues - defines requirements for dealing with security problems in the product. In addition to analyzing problems, this also includes receiving reports (e.g. from customers or security researchers) and notifying users of any security problems found.
Practice 7
Security update management - this sets out requirements for the management of security updates. This includes ensuring that an update actually fixes a vulnerability as intended and does not cause any new problems. It also requires the manufacturer to inform users whether security updates of dependent components (e.g. the operating system on which the product is used) can be installed without retroactive effect.
Practice 8
Security guidelines - defines requirements for the content of the user documentation. For example, it requires that information is provided on the necessary measures for hardening the system and what must be observed when decommissioning the device.
Utilize synergies
The 'Security Bridge' from Pilz protects controllers against attacks and unauthorized access to the network.
© MushroomWith its 47 individual requirements, IEC 62443-4-1 appears to be extremely complex to implement. This is particularly the case if product development has so far been carried out using the 'head to keyboard' approach - i.e. not on the basis of corresponding processes. In this case, the requirement SM-1: 'Development process' must be implemented first. It states that a general life cycle process must be documented and applied. However, if such a process exists and possibly takes into account the requirements from the area of functional safety in accordance with IEC 61508 or one of the derived industry-specific standards, requirements can be identified that are similar or identical and have therefore already been implemented.
Furthermore, requirement SM-5: 'Process scoping' defines that the process must be adapted to the respective development project on the basis of a security analysis. This means that individual requirements or sub-requirements do not have to be taken into account if, for example, a system has no external interfaces or if only language catalogs are updated or even discontinued components are replaced as part of a change project.
But where exactly can synergies be found in the implementation of IEC 61508 and IEC 62443-4-1? Here are three examples:
- Example 1: Employee training. The requirement SM-4: 'Security Expertise' states that a process must be in place to identify training needs and to train employees so that they can correctly implement their role and responsibilities in the security process. IEC 61508-1 formulates comparable requirements (albeit in more detail) in chapter 6 'Management of functional safety' in sections 6.2.12 to 6.2.15. Although the specific knowledge that needs to be taught for safety and security will differ, topics such as 'defensive programming' or the application of the MISRA (Motor Industry Software Reliability Association) programming standard known from the automotive sector are equally important for both areas, so that there are even synergies in terms of content.
- Example 2: Coding. Practice 4 - 'Secure Implementation' - of IEC 62443-4-1 defines two requirements:
- Requirement SI-1: 'Security implementation review' requires that a process for conducting code reviews is used to check various aspects at coding level. This is typically understood to mean the review of the source code by one or more persons. It also requires a static code analysis to be carried out using suitable software tools. Comparable requirements can be found in IEC 61508-3: Section 7.4.6 'Requirements for code implementation' requires that each software module must be tested. Reference is made to chapters C.5.14 'Formal inspections' and C.5.15 'Walk-through (software)' of IEC 61508-7. If you have already implemented these requirements for achieving functional safety in your development process, you no longer need to worry about how to organize and document such reviews and how to deal with any deviations found. Of course, it will remain unavoidable that people with security knowledge take part in the review. In Table A.9 'Software verification' of IEC 61508-3, static analysis is also recommended as a measure, whereby computer-aided execution is mentioned as an option in Chapter B.6.4 of IEC 61508-7.
- The requirement SI-2: 'Secure coding standards' defines that programming rules must be defined to prevent security errors and that the set of rules must be checked and updated periodically. A comparable requirement can also be found here in IEC 61508-3. Chapter 7.4.4.12 specifies that programming languages must be used in accordance with appropriate guidelines. With regard to the content of such rules, reference is made to IEC 61508-7. Chapter C.2.6 'Design and coding standards' contains corresponding information. One aspect of such a set of rules is to avoid programming errors. These represent a general quality problem and, in extreme cases, can have an impact on both safety and security. Typical programming errors such as memory overflow and failure to check input data pose a risk to safety. However, these are also the 'classics' among security programming errors. Therefore, an existing set of rules that was created to achieve functional safety is also a good start for security.
- Example 3: Handling problems. Practice 6 - 'Management of security-related issues' - defines how to deal with identified security problems. It requires that processes must be in place for receiving security reports (e.g. from customers or security researchers), for notifying affected users, for analyzing the reported problems and for avoiding similar errors in the future. Here, too, there are comparable requirements in Chapter 6 'Management of functional safety' of IEC 61508-1, so that a company that implements the requirements already has suitable processes that can possibly be applied to the handling of security problems without any changes.
The above examples show that processes that are suitable for fulfilling the requirements of IEC 61508 are also sufficient for implementing the requirements of IEC 62443-4-1 or only require minor extensions. The challenge of safe product development therefore lies less in the definition of suitable processes and more in the technical area. A manufacturer who wants to address the issue of security must ensure that all those involved in development have sufficient technical knowledge.
Task over the entire product life cycle
Security is a 'moving target': an automation component such as a PLC may be classified as 'secure' at the moment, but tomorrow the threat situation may change and with it the device's attack security. Consequently, measures against cyber threats must be constantly updated. The responsibility for this lies primarily with the system operators, because for them, data security also means investment protection. Conversely, machine manufacturers and component manufacturers are obliged to inform operators immediately of new security problems and provide updates for the software of their devices that can be used to eliminate vulnerabilities. This requires both sides to work closely together over the entire life cycle of the products.
Author:
Frank Eberle is a software developer in the Network Systems division at Pilz in Ostfildern.
You might also be interested in
Safety first
The development of cobots into a commodity product is closely linked to the issue of safety in robotics - a challenge that needs to be mastered efficiently.
read more...Locking with need for clarification - help with risk assessment
DIN EN ISO 1419 has already been available for five years. However, there are always uncertainties regarding the actual safety functions of a guard locking device, which the machine manufacturer must evaluate based on his risk assessment. Here is...
read more...Safe operation via radio - (how) does it work?
Many machine builders want to use tablets in addition to the existing machine operation. Demanded features such as WLAN, camera, multi-touch and much more are available here - but if safety functions are required, these devices reach their limits.
read more...Heavy-duty HRC requires new safety approaches
The topic of HRC is not just for 'lightweights'. In the field of heavy-duty robotics, solutions will also be in demand in the future that allow humans and robots to work together directly without the need for a safety fence. However, this requires...
read more...Secure hold in the slip ring
Transmitting safety-relevant data via slip rings is no trivial matter. Motion control experts from Kollmorgen have developed a TÜV-certified safety solution, including UL approval, together with slip ring manufacturer Stemmann-Technik.
read more...Validation neglected
EN ISO 13849 is decisive for the integration of safety-related control functions in machines. However, the part of the standard relating to validation is often neglected in practice - a major shortcoming.
read more...Dangerous movements well secured
How can dangerous movements be safeguarded? A challenge for the user, as there are a wide variety of functional and normative requirements. An overview.
read more...The intelligent safety switch
Safety modules and safety switches that communicate at I4.0 level simplify troubleshooting. However, the communication capability also has interesting potential for predictive maintenance and tamper protection.
read more...The vampire effect of quantification
There are always controversial discussions regarding the determination of risks for products and systems. But which approaches actually make sense in the context of safety and security? What approach does the new framework for safety and security -...
read more...