Get best of the week

When Information and Functional Security Meets

Standardized Security Approach


Every day the need for universal technical and software solutions designed to ensure the safety of technological processes, industries and mechanisms is growing. In solutions that meet the requirements of information and functional security. Modern automation systems are already actively integrating into the IT world, and it is obvious that this process will require new approaches to implement current “hybrid” security systems.



The combination of technological processes and IT systems implies solving information security problems or, in other words, cybersecurity, for example, network protection (another word?) Between office and production networks.

Potential threats faced by industrial management systems:

  • Malware infection over the Internet and internal networks.
  • .
  • , .
  • .
  • .
  • , IP.
  • -.
  • , ..

World leading cyberthreat protection software developers claim that every third cyber attack in the world is directed directly against manufacturing companies. Experts say that the number of such attacks from year to year will only grow. At risk are automation systems of technological processes and production, as well as systems that ensure the functional safety of such processes, including at especially hazardous production facilities. Thus, the areas of functional and cybersecurity are increasingly intersecting, which requires the development of a common concept and security strategy to counter impending threats. A recent Triton virus incident recorded at a petrochemical plant in Saudi Arabia in June 2017,which made it possible to remotely control automated and instrumented safety systems “Safety Instrumented System (SIS)”, only confirms the need to implement such systems in the field of safety of automated systems and processes.

By and large, cybersecurity protects the process and the end product from threats, intentional or accidental, aimed at the integrity and availability of confidential data. Protection against cyberthreats involves the use of appropriate preventive and reactive measures (technical and / or organizational). Ignoring the basic principles of cybersecurity can have a negative effect on the process and, as a consequence, on the final product, which is especially critical for the pharmaceutical and automotive industries. For this reason, the standard GOST R IEC 61511-1 requires a risk assessment of cyber threats to identify vulnerabilities in the information and production security system.Provided that appropriate risk assessments are performed, it becomes possible to bring industrial safety in line with the requirements of current technical standards, documents and recommendations of NAMUR (International Association of Automation Technology Users in Industry).

Another important cybersecurity issue is the “human factor”. In more than half of cases, the cause of information security incidents is the unlawful or erroneous actions of company employees, and in cases of large-scale cyber attacks on industrial enterprises, there is a high probability of a criminal component. For these reasons, the presence of information and cybersecurity specialists in companies has become mandatory today, along with specialists directly involved in the production of finished products. In addition, all persons involved in the design and selection of equipment should know the basics of information and functional security of automation equipment.To protect information and data, you can add a recommendation to conclude confidentiality agreements with employees and partners (suppliers, equipment manufacturers, contractors, etc.).

The concept of functional safety can be represented as the reliability of the systems, devices and tools that ensure the reduction of risks in production processes for the safety of people and enterprises in general. If the automated control system responsible for functional safety diagnoses a critical or emergency state of the technological process, it generates a control action in accordance with the inherent algorithm to prevent threats. The requirements for control systems for security systems are described in detail in special standards GOST ISO 13849-1 and GOST R IEC 61508/61511/62061. Depending on the level of risk, measures are identified to reduce the degree of risk. Risk mitigation measures are divided into appropriate levels: protection effectiveness level (PL) or safety integrity level (SIL).

There is a definition of the term “human factor” in the field of functional safety - “possible predictable misuse”. The term is very often used, for example, to describe situations where safety systems are bypassed by operators by forcing the limit switch on a safety fence.


The concept of cybersecurity and functional security

Continuing the idea of ​​approaches to the implementation of cybersecurity and functional security, we can say that when considering the issues of these two security areas, it is first of all necessary to take into account the risks and threats identified during the analysis and assessment stage. Here, a significant difference in approaches to solving the problems of analysis and risk assessment is obvious. For example, design engineers and designers take into account in their work standard, well-known security threats, according to the requirements of technical regulations (mechanical, electrical, thermal, etc.). In turn, the cybersecurity expert is faced with threats that are constantly changing because cybercriminals are constantly on the lookout for vulnerabilities.

NAMUR, as an international organization, makes recommendations on assessing the cybersecurity risks of emergency protection systems and equipment. At its core, recommendations are the first attempt at a pragmatic approach to solving common problems of functional and information security. NAMUR describes a cybersecurity risk assessment methodology based on the international standard GOST R IEC 62443 and uses risk assessment as a starting point for providing basic protection of systems and equipment against cyberthreats. As an example of the implementation of recommendations, one scheme is used that reflects the typical systems of the NAMUR organization members. The first stage of the recommendations is divided into three consecutive steps, which allows us to evaluate the practicality of the method for studying the security of systems and equipment.The fourth step is monitoring the implementation of the necessary risk reduction measures, documenting the requirements of general and cybersecurity. These actions must be implemented in the second stage for each individual analyzed element and safety system equipment.


Security requirements for systems according to GOST R IEC 62443

From the point of view of hardware and software, the analyzed security system can be divided into three conditional zones:

  • Zone A. The main devices and safety systems comply with the requirements of GOST R IEC 61511-1, which includes a logical system, input / output modules, as well as actuators and sensors. Zone A also includes connections, cables, and switches that are used to communicate with devices in Zone A.
  • B. , , . , , / ..
  • , , , « ». ( 3).

The common goal of all three zones is to guarantee the functional integrity of the devices and the security system in the event of possible exposure to environmental conditions and / or factors.

To ensure the life cycle of cybersecurity, manufacturers, system integrators and operators rely on the information security management system in accordance with GOST R ISO / IEC 27000. A similar management system exists in the field of functional safety in the form of the FSM (Functional Safety Management) manual. This manual, in its essence, reflects the requirements of the standard GOST R IEC 61508. Despite the different areas of application, there is much in common between the manuals, and we should talk about the possibility of combining functional and cybersecurity in one system.

Phoenix Contact Solutionsfor functional and information security tasks, they can increase the efficiency and reliability of any production due to a wide range of certified security devices, for example, sensors, relays, controllers and routers. And the expert knowledge of the partners of the Phoenix Contact company provides the opportunity to provide services for the design of PAZ systems, to provide a risk assessment and to perform functional safety calculations.



You will find more information on the website .

More articles:


All Articles