ISA99 Working Group 7 has a draft document out entitled “Recommendations to align safety and security for industrial automation control systems”.

The document begins by noting the failed efforts to find a “mathematical coupling” between Safety Integrity Level (SIL) calculations and the Security Levels being developed by ISA99. This failure was not due to lack of effort. ISA99 struggled with this for years because the idea is so appealing.

The key part of the document is Section 1.2.

TG1 adopted Leveson’s technical approach[8] which uses the mitigation potential of the hazard as an estimator of, or surrogate for, likelihood for two reasons:

1) The potential for eliminating or controlling the hazard in the design or operations has a direct bearing on the likelihood of the hazard occurring.

2) Mitigation potential of the hazard can be determined before architecture or design is defined.

This is very similar to the Bryan Singer session at S4x15 and related to the Ralph Langner ICSage session (video will be up next week). The basic concept is to identify the really bad things that can happen in a factory, pipeline, or process, and then put in controls that cannot be hacked. These controls are not additional firewalls, application whitelisting, or other security products. They could be something as simple as a visual inspection before an action is taken, or a safety control that cannot be altered via a network and doesn’t rely on data that can be maliciously altered via a cyber attack.

Safety engineering has done this for years with various forms of hazards analysis, but it did not take into consideration a malicious attacker. The good news is the number of really bad things that can happen in a process is smaller than you might think.

The document touches on the LOGIIC study of Safety Integrated Systems (SIS) with Control Systems. Some of the big vendors are pushing this integration, and the report lacked the courage to recommend against this integration. The report did admit that “greater integration may introduce greater risk”.

If you are interested in the Safety/Security approach moving forward in ISA99/IEC62443, it would be worthwhile to spend some time with Leveson’s Engineering a Safer World: Systems Thinking Applied to Safety (Engineering Systems).