LOGIIC recognized the importance of safety instrumented systems (SISs) in the oil and gas industry and the rapidly emerging vendor solutions that offered varying degrees of integration of safety functions with control networks (as opposed to isolation from them). As a result, the Consortium conducted a security evaluation and study of several SIS system architectures. The goals of the project were to determine what, if any, current or emerging cybersecurity issues exist within integrated control and SIS architectures, determine their impact, and develop recommendations to help reduce the cyber risk introduced by integrating SIS solutions. The project sought to identify applicable and relevant security concerns regarding SISs in several areas of interest, such as access control, functional integrity of safety operations, and integration with basic process control systems (BPCSs).
Approach
The LOGIIC SIS project’s approach to the comparison of different SIS integration architectures was to select commercially available vendor systems that were representative of the reference architectures defined in the functional requirements document. The evaluation schedule, MOU, and monitor configurations were customized and reviewed with the vendors and SME teams.
The elements of evaluation consisted of structured automated testing activities and unstructured systematic testing. Both approaches to testing the SIS systems were found to be advantageous. They allowed for the flexibility required to meet the nuances and uniqueness of each system under evaluation.
Findings
The assessment effort showed that there are vulnerabilities common across the technologies tested and vulnerabilities unique to certain architectures. Many of these observations were provided by automated testing designed to observe system impacts under network duress, complemented by tailored manual testing and confirmation of the observed vulnerabilities. The findings from individual vendor evaluations were reviewed with each respective vendor, and in subsequent meetings the vendors provided feedback and status on mitigating LOGIIC’s findings. The summary report findings have been briefed at numerous conferences, and much of the project documentation has been provided to the ISA99 standards committee for consideration in standards efforts.
Contact
Program Manager: Greg Wigton - Biography