Safety has been a more and more important facet of industrial life since the middle of the last century. Before that, the conditions in which workers, and before that slaves, worked were, except in the rarest cases, appalling, with scant regard to principles of safety.
ISA Symposium April 2011
More recently safety has become an important part of modern life. Health and safety are watchwords used more and more frequently and many practices of the past have been outlawed. Indeed sometimes one wonders how anybody survived the past, it was so dangerous. Last night I saw a Victorian rocking horse which had been in a local school for over a hundred years, which gave immeasurable joy to children through the generations but which may not now be played with by the children because of “health and safety implications!”
As technology developed, and processes became more and more sophisticated, so too did safety systems. In the early and mid parts of the twentieth century safety in process control was one of two things: pneumatic instrumentation (remember 3-15psi/0.2-1bar?) and the big heavy cast metal explosion-proof box. Pneumatics as a safety method has now largely been replaced by the more sophisticated and less unwieldy electronic safety systems, though one may still find the odd explosion-proof contained instrument around!
Since July, when we first learned of Stuxnet in an email in mid July 2009 from Eric Byres of Byres Security (our blog “Security threat to the control system world!”), we have been following developments. Indeed we have listed links to developments as we learned of them on Nick Denbow’s article, “Stuxnet – not from a bored schoolboy prankster!” the following September. We gradually learned of the seriousness of this malware incident (though Byres had realised this almost from the start), and indeed its implication, as we started to understand that this was a direct attack on automation systems, designed for that purpose.
Virus infection and malware have been around, I suppose, since the invention of software. I first realised that it could present a problem at the Read-out Forum in 2003 where, in the inimitable words of Andrew Bond, “...Brian Ahern of Verano (now Industrial Defender)... sent a shiver up everyone’s spine by pointing out just how vulnerable Internet enabled, Windows based automation systems are to ‘cyber terrorism’. (There were) few dissenters when he told this largely pharmaceutical industry oriented audience that the security issue is ‘the next 21CFR11.’” Nevertheless... “given the degree of concern shown by the audience it was perhaps surprising to hear the vendors respond pretty much with one voice that they have as yet to see the issue addressed in RFQs but would of course respond once they did, not a view which particularly impressed some members of the audience who took the view that vendors were under an obligation to ensure that their systems were secure.”
Several events in the mid-past and more recently have tended to amalgamate these two important considerations and in some cases have blurred the lines of demarcation between them. Events like Bhopal in 1987, the blackout of the eastern states of the US in 2003 (or Brazil more recently), the explosion in Buncefield in 2005, Deepwater Horizon in the Gulf of Mexico, the terrible tragedy still unfolding in Japan (see our blog “Assessing nuclear threat in Japan”), and unfortunately many more take the headlines and show that we still have a lot to learn.
Training has assumed an important role here and this blog has been inspired by a number of notifications received in a few short days of events and publications which confront these issues.
First, in a few days’ time, Industrial Defender have a webcast scheduled for the 24th March 2011 addressing “Security AMI Solutions for the Smart Grid: Creating enhanced capabilities in secure cyber-infrastructure”, featuring the aforementioned Brian Ahern and Jeff McCullough, Director of IP Communications, Elster Solutions, LLC. They will discuss the newly announced partnership between the two companies, and the benefits of their integrated security solution.
The 2011 ISA Safety & Security Symposium, scheduled for Texas, will focus on training, including the courses An Introduction to Safety Instrumented Systems (EC50C) and Introduction to Industrial Automation Security and the ANSI/ISA99 Standards (IC32C). This two day event (13-14 May 2011) will provide an in-depth look at today’s safety technologies and procedures associated with identifying and mitigating safety hazards in industrial environments. This symposium will focus not only on Safety Instrumented Systems (SIS) topics, but will also include material on cyber security and associated challenges in designing and implementing SIS and process automation solutions. It will include a small exhibit and promises to be well worth attending.
We travel back across the Atlantic now to Manchester (GB), where the ProfiBus organisation and the University of Manchester will hold a one day event on 12th May 2011, “Functional Safety and IT Security.” This new, one-day seminar addresses the key safety and security issues arising from the use of digital communications technologies in automated manufacturing and advanced engineering applications.
Staying in Manchester, IDC Technology are hosting the Safety Control Systems Conference, a three day event focusing on the technology and application of safety-related control and instrumentation systems in the chemicals, energy, mining and manufacturing industries. In particular it will discuss the changes to the IEC61508 standard and the implications this will have on your industry. The dates are 24-26th May 2011. Speakers include Paul Gruhn (co-author of Safety Instrumented Systems: Design, Analysis, and Justification) and Clive Timms, a globally recognised expert in functional safety.
Safety and security will continue to exercise our minds. Perhaps the problems in the final analysis are not so much technical problems as procedural ones. In any case where procedures are not followed there must be a way of dealing with the aftermath.