Tag Archives: Functional Safety

Software failures are systematic. Stop all patching?

22 January 2017

In the past days I reviewed the draft of the NAMUR Worksheet NA 163 “IT Risk Assessment for Safety Instrumented Systems”. In the age of the IIoT even Safety Instrumented Systems (SIS) are equipped with embedded IT components and attached to the production or company network. With this, the safety systems become targets of IT threats, which in the worst case may result in a malfunction of the SIS.

Process safety engineers are often unaware of these new threats. IEC 61511 “Functional safety – Safety instrumented systems for the process industry sector” requires an IT risk assessment for SIS, but makes no recommendations on how the assessment should be carried out.

The aim of Worksheet NA 163 is to provide safety engineers with a practicable risk assessment method, supplemented by a checklist of possible mitigation measures.

On Thursday I watched a video recording of a lecture on ‘Safety-Critical Systems’ given by Martyn Thomas, Livery Company Professor of Information Technology at Gresham College.

Software failures are systematic. Slide 18 of 'Safety-Critical Systems - when software is a matter of life and death' by Martyn Thomas CBE FREng, Livery Company Professor of Information Technology, Gresham College

Professor Thomas makes clear that “Software failures are systematic. They occur whenever the triggering conditions arise”. In contrast to random hardware failures, a software defect is present from the moment the code is written and manifests every time its triggering conditions are met. I highly recommend watching the entire lecture, because one can gain new insights into software testing and reliability. For a link to the video, the PowerPoint presentation and the Word transcript, please see below.

NA 163 recommends patching all SIS components, including supporting systems such as the engineering stations and the HMI, on a regular basis.

But will continuous patching really increase the reliability of the software components?

Will continuous patching really decrease the risk of a cyber-attack?

How many new systematic defects are built into a software system during continuous patching?

Remember the seemingly endless number of critical vulnerabilities fixed in Adobe Flash Player in the past years…

Let me be clear: I am not calling for a stop to all patching. From my point of view we must focus on the right and important system components, vulnerabilities and patches. With this we can escape from the patch treadmill and focus on the really important issues, e.g. how to build and configure industrial control system networks that are less susceptible to cyber-attacks.

Have a good weekend!


Safety-Critical Systems – when software is a matter of life and death

Martyn Thomas CBE FREng, Livery Company Professor of Information Technology, Gresham College, 10 January 2017

Word Transcript | PowerPoint Presentation | YouTube Video

IIoT Security is the result of close collaboration between Vendors, Contractors, and Operators

18 December 2016

In the past days, I prepared a keynote speech for the kick-off meeting of a new working group in the Committee for Operating Safety of the German Federal Ministry of Labour and Social Affairs.

Impact of Digital World on Physical World in IIoT

The working group deals with the impact of the Industrial Internet of Things (IIoT) on functional safety. A Cyber Physical Production System (CPPS) combines physical objects (sensors and actuators) and physical processes with digital (virtual) objects and processes across information networks and the internet. In the IIoT the digital world acts upon the physical world, so a fault or a manipulation in the digital part can become a safety issue in the physical part. We have to be prepared for that.

Cyber Physical Production System Structure

Safety engineers have long-standing experience in managing the risks created by the classic failure causes of safety devices, such as loss of power or instrument air, corrosion, or operator errors.

With the embedded system and its connection to the internet, thousands of easily exploitable IT vulnerabilities enter the safety domain.

The main difference is that these IT vulnerabilities are exploitable by

  • any internet user
  • from any location and
  • at any time.

If the safety device is not properly designed, this can impair the safety function and thereby endanger people or the environment.

Inspection engineers generally have little experience in managing the risks that arise from IT vulnerabilities. The objectives of the working group are to create awareness of this new kind of IT risk and to provide working materials that support the inspection engineers.

During preparation, I focused on the easily exploitable weakness CWE-16 (Configuration), in particular default passwords. Many process control systems (PCS) are attached to the internet, and many of them are accessible with the default passwords of the administrator and guest accounts. Although the vendors strongly recommend changing the passwords during commissioning, neither the engineering teams nor the operators did so.

Vendors have started to deal with the default password issue and introduced device-individual passwords for PCS. Rockwell, for example, uses the serial number of the device as the individual password:

The Configuration pages (Device Identity, Network Configuration and Device Services) are password protected. By default they can be accessed with:

  • Username = administrator
  • Password = the adapter’s serial number (listed on the adapter’s home page)

In general, this is a good idea. But if the engineering team neither removes the serial number from the device’s home page nor changes the password, it provides no security at all: the password is listed on the very page a visitor sees first. The same applies to the operators. At the latest before commissioning, they must check whether basic security best practices have been implemented. The power plants I found during my research have been in operation for some years now, so the operators definitely did not check this.
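As an added example that is not part of the original post or of any Rockwell documentation, the following Python script performs the kind of pre-commissioning check the paragraph above calls for: it reads the serial number from the device’s home page and then tries to open a protected configuration page with administrator / &lt;serial&gt;. The URL paths (“/” and “/config”), the use of HTTP Basic authentication and the “Serial Number:” page layout are assumptions chosen for the demo; the FakeAdapter class is a constructed stand-in for a device in factory state so that the script runs offline.

```python
"""Pre-commissioning check for factory-default credentials.

Added example, not code from the original post or from Rockwell.
Assumptions (hypothetical): the device serves its home page at "/",
a password-protected configuration page at "/config", protects it with
HTTP Basic authentication, and shows "Serial Number: <value>" on the
home page.  FakeAdapter is a constructed stand-in for such a device.
"""
import base64
import re
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Hypothetical home-page layout; adjust the pattern to the real device.
SERIAL_RE = re.compile(r"Serial\s*Number\s*:?\s*([0-9A-Za-z-]+)", re.IGNORECASE)


def extract_serial(home_html):
    """Return the serial number shown on the unauthenticated home page, or None."""
    match = SERIAL_RE.search(home_html)
    return match.group(1) if match else None


def fetch(url, username=None, password=None, timeout=5):
    """GET url, optionally with Basic auth; return (status, body)."""
    req = Request(url)
    if username is not None:
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except HTTPError as err:        # 401/403/404 are findings, not crashes
        return err.code, ""


def check_default_credentials(base_url, config_path="/config", username="administrator"):
    """Acceptance check: does the device still accept its factory-default login?

    Reports whether the serial number (= default password) is still visible
    on the home page, and whether the configuration page opens with
    administrator/<serial>.  Both are findings to fix before handover.
    """
    _, home = fetch(base_url + "/")
    serial = extract_serial(home)
    finding = {"serial_on_home_page": serial is not None,
               "default_login_works": False}
    if serial is None:
        return finding              # nothing to try: serial removed or layout differs
    status, _ = fetch(base_url + config_path, username, serial)
    finding["default_login_works"] = (status == 200)
    return finding


class FakeAdapter(BaseHTTPRequestHandler):
    """Constructed stand-in for an adapter in factory state (for the demo only)."""
    serial = "00A1B2C3"             # constructed value
    password = serial               # factory default: password == serial number

    def do_GET(self):
        if self.path == "/":
            self._reply(200, f"<html><body><h1>Adapter</h1>"
                             f"<p>Serial Number: {self.serial}</p></body></html>")
        elif self.path == "/config":
            expected = "Basic " + base64.b64encode(
                f"administrator:{self.password}".encode()).decode()
            if self.headers.get("Authorization") == expected:
                self._reply(200, "<html><body>Network Configuration</body></html>")
            else:
                self._reply(401, "", {"WWW-Authenticate": 'Basic realm="adapter"'})
        else:
            self._reply(404, "")

    def _reply(self, code, body, extra_headers=None):
        data = body.encode()
        self.send_response(code)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(data)))
        for name, value in (extra_headers or {}).items():
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):   # keep the demo output quiet
        pass


def run_fake_adapter(password=None):
    """Start a FakeAdapter on a free loopback port; return (server, base_url)."""
    handler = type("Adapter", (FakeAdapter,),
                   {"password": password or FakeAdapter.password})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}"


if __name__ == "__main__":
    for label, pw in (("factory state", None), ("password changed", "S3cure-Pass")):
        server, url = run_fake_adapter(pw)
        print(label, check_default_credentials(url))
        server.shutdown()
```

Against the real device, `check_default_credentials("http://<adapter-ip>")` belongs in the handover checklist; a result of `serial_on_home_page: True` is already a finding even when the login no longer works, because the home page still publishes what was once the password.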

Vendors, Contractors, and Operators must therefore

  • introduce Security-by-Design and Cyber Risk Management in their design standards
  • introduce Security Gates in their design processes
  • extend their handover and acceptance procedures with security requirements

to make sure that at least basic security requirements are met and the safety of the systems is not compromised by IT vulnerabilities.

That’s it for today, and for this year. I will take a Christmas break.

A merry Christmas to you all
and the best wishes
for health, happiness and prosperity
in the New Year.
