Safe & Secure Systems for Industry & IIoT
A seminar organised by LDRA Certification Services on safety and security standards compliance for IIoT in industry.
LDRA, the UK-headquartered global company that has developed and driven the market for software that automates code analysis and software testing for safety-, mission-, security- and business-critical markets, recently held a Technical Seminar in Navi Mumbai on the theme of Building Safe & Secure Systems for Industry & IIoT.
Welcoming the delegates, Shinto Joseph, Director, South East Asia Operations – LDRA, stated that LDRA, established in 1975 by Dr Mike Hennell of Liverpool University in the UK, is the pioneer and the oldest organisation in this industry. Founded in an academic environment, LDRA (an abbreviation of Liverpool Data Research Associates) is the leader in standards compliance, automated software verification, source code analysis and test tools. The company began its direct operations in India in 2009, has grown by leaps and bounds over a decade, and today boasts the largest LDRA team worldwide. “When we started in India, it was safety that was more of a concern to the industry in India but today the emphasis is more on security,” said Joseph.
The Seminar, attended by over 50 delegates from the industry – process industry as well as discrete manufacturing – was divided into four technical sessions.
Part I – Functional Safety of Industrial Applications and the Role of IEC 61508 was conducted by Priyasloka Arya, Senior Technical Manager, LDRA. The session comprised an introduction to safety, SIL (Safety Integrity Level) levels and development requirements, each aspect explained in detail with a large set of slides. As it turned out, not many of the delegates were familiar with IEC 61508, the basic functional safety standard applicable to all kinds of industry. Many, however, were aware of IEC 62443, which was developed to improve the safety, availability, integrity and confidentiality of components or systems used in industrial automation and control systems (IACS).
Arya made the session engaging by referring to the Bhopal Gas Disaster of 1984, one of the world’s largest industrial disasters, which caused a heavy loss of life and whose consequences are still being faced by the local population. He described IEC 61508 as the ‘Mother’ of all functional safety standards, which:
- Describes an overall safety lifecycle of 16 phases, covering analysis, realisation and operation, together with the requirements of each phase
- Can be used for the specification, realisation and assessment of:
  - A system element (e.g. sensor, actuator, PLC) where the specific safety application may not be known
  - A sub-system comprising one or more elements (where the specific safety application is known, or where only the type of safety application is known), and
  - A complete system that performs the safety function(s).
The IEC 61508 standard contains general requirements that apply to all parties in the supply and use chain, such as documentation, management of functional safety (including competence) and functional safety assessment. Although IEC 61508 is about E/E/PE (electrical/electronic/programmable electronic) technologies, its principles can be applied to non-E/E/PE technologies.
Moreover, it can be used for applications where no appropriate sector-specific standard exists. IEC 61508 is a general-purpose standard from which sector-specific standards such as IEC 61511 (for the process industry) are derived; both are meant for users, designers and integrators.
It was an interactive session with plenty of audience participation; the speaker had made it clear at the outset that every doubt and question was welcome.
Part II – Secure Development of IACS Complying with IEC 62443-4-1 was conducted by Deepu Chandran, Sr Technical Consultant, LDRA.
IEC 62443 concerns security for industrial automation and control systems, and Part 4-1 deals with secure product development lifecycle requirements. Conformance to Part 4-1 is certified under the ISASecure Security Development Lifecycle Assurance (SDLA) programme, whose requirements are set by the ISA Security Compliance Institute (ISCI). Chandran began the session by referring to the growing software complexity in products and equipment, be it in agriculture, transportation or even entertainment, where gadgets and devices are equipped with sensors, cameras, robot arms, AI and much else. While all these components make products easy and convenient to use and make life much easier, the increased complexity also brings with it the possibility of an unsafe and insecure environment.
It is important to understand the difference between system safety and cybersecurity. Safety systems basically ensure there is no harm to life, no harm to property and no harm to the environment. Cybersecurity, on the other hand, is about ensuring there are no vulnerabilities that lead to losses: financial, operational, privacy or safety losses. All safety-critical systems are cybersecurity-critical, but not all cybersecurity-critical systems are safety-critical.
An important aspect of the process requirements for the secure development of products used in IACS is EDSA certification. Embedded Device Security Assurance (EDSA) is the first ISASecure certification; it focuses on the security of embedded devices and addresses both the characteristics of a device and the supplier’s development practices for it. EDSA certification assesses against Part 4-1 (secure product development lifecycle requirements) and Part 4-2 (technical security requirements for IACS components).
The presentation elaborated on the relationship between IEC 61508 and IEC 62443, the eight practices of IEC 62443-4-1, the automation of the process activities, and the conclusions and benefits. The eight practices are:
- Security management
- Specification of security requirements
- Secure by design
- Secure implementation
- Security verification and validation testing
- Management of security-related issues
- Security update management, and
- Security guidelines.
As with the previous session, audience participation ensured doubts were raised and clarified.
Part III – IIoT Compliance Management was once again conducted by Priyasloka Arya, taking off from where he had left Part I, the agenda being:
- Functional Safety Management
- Liability
- Gap Analysis, Tool Qualification
- Stakeholders Interaction, and
- Integrated Lifecycle, Competency.
This was an important session on implementation and the processes to be followed, covering functional safety in the organisational context, the outline of a company’s safety plan, detailed guidelines and the teams implementing them. It also covered audit, assessment and review: the functional safety audit and the functional safety assessment, followed by verification and validation reviews and confirmation.
Part IV – Achieving Compliance with LDRA Tool Suite, the final session of the day, was conducted by Deepu Chandran. This in a way rounded off the day’s proceedings by bringing the focus onto the agencies engaged in helping companies implement the relevant safety standards or upgrade/migrate to the appropriate ones.
LDRA offers comprehensive tools and services for safety and security standards compliance for IIoT. LDRA Certification Services (LCS) addresses IIoT/ICS customer ‘pain points’ with a blend of compliance services throughout the project lifecycle, including oversight of independent verification and validation, and deployment services that use the LDRA Tool Suite to automate requirements traceability, verification activities and compliance management.
The day-long event concluded with the participants receiving copies of the presentation slides for their reference. The Seminar was supported by ISA District 14 and the Maharashtra Section of ISA, with Industrial Automation as the media partner.
Captions
Pix1: Priyasloka Arya, Senior Technical Manager, LDRA.
Pix2: IEC 61508 – Mother of safety standards.
Pix3: Deepu Chandran, Sr Technical Consultant, LDRA.
Pix4: LDRA Certification Services (LCS) provides full cycle solutions for suppliers to achieve compliance with industry standards.