IT and the networking of a wide variety of systems with each other (the Internet of Things) is one of the central topics of our time, not only from a developer's point of view but also with regard to IT security and the cyber security of production facilities. Alongside the many positive effects of digitalisation, however, the negative developments are becoming clearer: attacks on networked systems occur again and again, and the legislator has therefore now written cyber security into several laws that are relevant to operators and manufacturers.
Overview of the legal basis for the analysis
A variety of laws, guidelines and recommendations can be consulted as the legal basis for analysing the cyber security of a production facility, machine or production site. In the following we present those that we use most frequently in our work.
For operating areas that fall under the Hazardous Incident Ordinance (12th BImSchV), § 3 (General Operator Obligations) also requires IT security to be considered. The focus here is on process control and instrumentation and control equipment. The environmental administrations of the individual federal states are responsible for enforcement. For North Rhine-Westphalia (NRW), the LANUV has specified in an orientation paper how IT security is to be presented in the safety report and in the licensing documents for plant safety.
It can be assumed that the authorities in NRW will from now on use this orientation paper as a template when assessing safety reports and licensing documents. The orientation paper explicitly names the following topics that must be presented in the safety report:
- Network architecture and zone models
- Asset lists
- IT risk analysis / IT risk assessment
The IT Security Act, for which the Federal Ministry of the Interior is responsible, focuses primarily on protecting the security of supply and the so-called critical infrastructures. It applies only to "facilities" that serve at least 500,000 people. The BSI-KritisV takes a holistic approach to the company and therefore covers all company divisions, not only production.
The Commission for Plant Safety (KAS) is an independent body that advises the German Federal Government, or the responsible Federal Ministry, on questions of plant safety within the meaning of the Federal Immission Control Act (BImSchG). The guideline KAS-51, "Measures against tampering by unauthorised persons", specifies, among other things, basic measures such as the definition of responsibilities, access management and access monitoring. The security analysis required by KAS-51 consists of the threat analysis, the hazard analysis and the IT risk assessment; the latter can be carried out according to IEC 62443, DIN ISO/IEC 27001 or NA 163, among others. Annex 2 of KAS-51 deals with protection against cyber-physical attacks and covers topics such as IT security as a management task and the response to new vulnerabilities and threats. All topics listed in Annex 2 are worked through by means of control questions. The authority's review ultimately focuses on the security analysis and the quality of its implementation. If sufficient protection is established, a separate safety review pursuant to § 10a of the Ordinance on Safety Reviews (Sicherheitsüberprüfungsfeststellungsverordnung, SÜFV) is not required. The safety report then serves the plant operator as proof of legal certainty.
VDI/VDE 2180, the guideline for functional safety in the process industry, which concretises the IEC 61508 and IEC 61511 standards, was revised in April 2019. Cyber security is a new focus: "In the management of functional safety, IT security aspects must be taken into account in planning, procurement, validation, operation, modification and decommissioning." The new version goes on to say: "Through the use of IT-based technologies and the increasing networking of systems, automation systems, including the associated programming and configuration devices, can become the target of cyber threats. [...] An IT risk assessment must be carried out in order to assess the risk potential and determine suitable countermeasures." (Sheet 1, p. 38 ff.) The IT security assessment of PCT (process control technology) safety devices can be carried out on its own or together with the general IT risk assessment. The components to be considered are hardware, software, data, connections, processes and people. VDI/VDE 2180 further states on the following pages that NA 163 contains methods for carrying out an IT risk analysis as well as a catalogue of measures which, together with VDI/VDE 2180, can lead to a suitable IT security concept.
Since the approaches to an IT risk analysis mentioned above are often very time-consuming and personnel-intensive, NAMUR worksheet NA 163 is intended to help ensure compliance with laws and regulations even when the security analysis is carried out by staff who are not IT specialists (e.g. a PCT engineer). The worksheet aims to limit the effort to a maximum of one day per system. NA 163 recommends documenting the IT risk assessment in accordance with IEC 62443. Its basic assumptions are generally applicable: safety functions in SIL 1 to 3, low demand mode and a network with a zoned structure. The IT risk assessment of PCT safety installations according to NA 163 is ultimately carried out in five steps:
- Identification of the system under consideration
- High-level IT risk assessment
- Division of the system under consideration into zones and connections
- Detailed IT risk assessment
Thanks to the many years of experience of the weyer gruppe in process engineering and functional safety, and to the broad industry knowledge of Dipl.-Ing. Thomas Käfer, M.Sc. (sworn expert for information processing systems and applications), we can offer you an interdisciplinary team to support you in the cyber security of production plants for operating areas that fall under the Hazardous Incident Ordinance. Our services include:
- Recording the operating areas / facilities and dividing them into manageable units (sectioning) for the analysis of the necessary measures
- IT risk assessment (e.g. according to NA 163 / IEC 62443 / DIN ISO 27001)
- Derivation and prioritisation of measures
- Support with the implementation of measures
- Incorporation into the overall safety concept of the facility: linking the requirements and measures resulting from the IT assessment to classic process safety and functional safety
- Advice to equipment manufacturers on cyber security
- Penetration test, or pentest(ing) for short: a comprehensive security check of all system components and applications of a network (computers, machines, production facilities, etc.) using the methods an attacker would use to penetrate the system. You can find more information here.
- Digital forensics or IT forensics: according to the BSI, IT forensics is "the strictly methodical analysis of data on data carriers and in computer networks for the [judicial] clarification of incidents, including the possibilities of strategic preparation, especially from the perspective of the operator of an IT system". Since data and system states cannot be inspected directly in court proceedings, the court usually relies on the opinion of an expert or the report of an expert witness. In this area we work closely with Thomas Käfer.