Safety and security – Two sides of the same coin

Digital data and efficient data exchange will define the production process in future. The level of networking is increasing, providing the benchmark for factory productivity. If all communication is decentralised, the demand for secure communication will rise. Aspects of machinery safety (safety) and operational IT-security requirements (security) are involved in equal measure.

With intelligent manufacturing processes in the spirit of Industry 4.0, you can significantly increase efficiency and adapt capacities exactly to the respective order situation. The aim is to manufacture individualised products using the cost structures of mass production, even for a single batch. This requires modular production plants, which are flexible and can be modified quickly while operations are running. Prerequisites include decentralised automation systems and high-performance network communications, where numerous subscribers are connected and large volumes of data can be transferred; innovative concepts for safety and security are also required and need to apply even after the plant has been modified.

The term safety refers to the functional safety of machinery, or in other words: protecting man and the environment from threats emanating from machinery. Safety requires that residual risks emanating from a plant or machine do not exceed acceptable values. This includes hazards to the plant‘s surroundings (e. g. environmental damage) as well as hazards inside the plant or machine (e. g. persons inside the plant). In a nutshell, one option in the case of an emergency is to interrupt the power supply immediately and hard stop the machine. Classically this is achieved through specific safety-related wiring and components such as safety relays, for example. As this approach is very hardware-based and therefore static, it is not really suitable for intelligent manufacturing processes in which the plant layout constantly needs to be changed. Further disadvantages are generally associated with a hard shutdown, whether these involve loss of productivity, extended downtimes due to more complex recommissioning procedures or a restriction in the machine’s operating and maintenance concept.

Dynamic safety concepts, which are based on an overall consideration of changing automation processes and functional safety requirements, offer an alternative. The view of safety itself is changed; it is regarded less as a hardware feature and more as a cross-device function. With this approach, which was developed prior to Industrie 4.0 and Co., processes can be safely controlled and operated, without the need to interrupt processes each time there is an error. However, the dynamic approach can only be implemented efficiently if functional safety is taken into account right from the start, when automation projects are at the planning stage. Otherwise it may be necessary to modify the sequence of individual production stages, if not the whole process, retrospectively, making optimum solutions impossible and creating considerable costs.

When functional machine safety was approved in accordance with the specifications of the EC directive, plant operators had no need to worry about safety, provided the machine did not undergo any significant changes. Intelligent manufacturing requires modular plants, which enable various product types to be produced on one machine, for example. This presents new challenges to functional safety, which must still be guaranteed even if the machine itself or its module layout has been changed. In the Smart Factory the intention is to reconfigure modular plants quickly and flexibly or to re-organise them within their group. The validation for a safety solution must be able to deal with this (subsequent) flexibility, because any compilations that have not been considered as part of CE marking will not be easy for the operator to set up. It is not a simple question of transferability: CEModule1 + CEModule2 = CEOverallMachine

The functional benefit of modular machine concepts is obvious. You gain flexibility in the manufacturing process while at the same time increasing the potential for standardisation at functional level. The highest level of standardisation can be achieved when the dividing limits of the various modules can have an identical structure – irrespective of whether the module has a mechanical, electrical, control or visualisation function. The mechatronic approach aims for a standardised formation of automation objects.

However, until now the existing technological solutions were unable to meet expectations. Different rules and regulations for modularisation are partly the result of the „classic“ safety architecture. The benefits of modularisation are often undone by a rigid – and where possible still hard-wired – safety concept. Electronic programmable safety systems are almost always a reproduction of hardware-based safety – in the form of fixed safety circuits – even if these are provided in a freely programmable connection logic.

The basic element of modern control architectures, in contrast, is the almost total renunciation of systemic regulations. Users are to have total freedom to enhance their systems according to their level of optimisation and modularisation. If the barrier of these different approaches for automation and machinery safety functions can be removed, then users have gained new degrees of freedom.

The automation system PSS 4000 conveys the idea of modularisation and flexibility as one of its basic functions. For the first time it is possible to manage all process variables – including those belonging to safety functions – entirely symbolically and without any reference to hardware within the system. This is demonstrated by the fact that all process variables are available system-wide and are automatically available to all control systems in the distributed automation system, thanks to the multi-master architecture.

Today‘s communication systems are also increasingly open, with a variety of relationships. As a result, manufacturing plants that used to work offline as it were, due to networking via fieldbuses or proprietary, i. e. manufacturer-specific systems, now have a connection to the IT world and the Internet. If no measures are taken, it is much easier for plant and machinery to become the target of cyber attacks. The degree of networking increases the system‘s complexity and the administration involved simultaneously. As a result, the risk of unauthorised or unnoticed access also increases.

Security is concerned with protecting a plant or machine from unauthorised access from outside, as well as protecting sensitive data from corruption, loss and unauthorised access internally. This includes explicit attacks as well as unintended security incidents. The background to security is that, in contrast to functional safety, security mechanisms have to be continuously adapted to the threat level. For example, the threat from an occasional update, given that viruses, worms, trojans etc. are constantly developing and security gaps can ultimately compromise production, with all its functional elements.

In order to react flexibly to the respective threat scenario, safety application protection must be supported by a comprehensive, multi-layered security strategy: with automation components at its heart. Then comes the network, via which these components can communicate with others or with an ERP system (Enterprise Resource Planning) for example. The top layer is the factory, which is shielded from the outside by a special firewall concept, becoming a demilitarised zone so to speak.

The demands placed on security by the worlds of IT and automation differ significantly. While the confidentiality of information is the number one priority in an office environment, the availability of data is most important in the production area, as this is a key requirement for a smooth manufacturing process. An international standard (IEC 62443) is currently being drafted, which is intended to harmonise both worlds. As functional safety and automation are normally unchanged, i.e. more or less static, and so faces different threats from those of the cyberworld, safety and security will remain two separate issues in future, although they will be closely linked.

How can safety applications be protected against the threats from the cyberworld? To put it in a nutshell: only by combining a variety of measures and security guidelines, which are thoroughly respected by all involved.

In terms of networking, the recipe for success is „defence in depth“. One key element that has been applied ever since fortresses were built in the Middle Ages is the „Zones and conduits“ security model, which is already defined in the standard IEC 62443. It requires an automation network to be divided into various zones, within which devices are allowed to communicate with each other. Data exchange with devices in other zones is only possible via a single transfer, which is monitored via a safe router or firewall, which blocks all irrelevant information. Even if an attacker should succeed in penetrating one zone, only the devices in that zone would be at risk; all others would remain safe.

Another measure for protecting safety applications is to prepare safety systems for cyber attacks. In terms of safety, the relevant communication data has already been subjected to multiple testing using a variety of methods before it is transmitted, so that any attempts at manipulation can be detected much sooner by the safe end devices than with other communication methods. But that alone is still not enough. That‘s why Pilz, for example, will also develop future products from the perspective of security, within a TÜV-certified process in accordance with IEC 62443-4-1. Aspects such as threat scenarios, strengths and weaknesses of protocols or encryption methods are considered from the outset.

The starting point is a component for the Ethernet-based network system SafetyNET p, which operates as a firewall and, in contrast to generic firewalls, which require complex configuration, is commissioned using application-specific default settings in accordance with the plug-and-play principle. This network component also supports a procedure for automatic authentication of machines, which communicate with each other with increasing regularity as part of intelligent manufacturing processes and, unlike operators, cannot enter a password to verify their identity and authorisation. But: even the best security measure is worthless if it is not put into practice, or worse still, is consciously defeated, often due to ignorance and lack of understanding or because it takes too much time. So, technical measures alone are not enough – they must be supported by organisational measures and training.

While safety and security are essentially two separate areas that are closely linked, automation and safety continue to converge. Originally they were physically separate so that the relevant systems could not influence each other, the key phrase being the absence of feedback. However, this results in increased effort in terms of wiring, synchronisation and administration. That‘s why physically merged solutions have been developed for some years now, with special mechanisms to ensure that functional safety is still guaranteed to be free from feedback at all times. The automation system PSS 4000 is one example illustrating how the boundaries between the safety and control function are becoming increasingly permeable. Barriers are reduced due to an instruction set that can be used identically for safety and automation, along with programming in accordance with IEC 61131-3 . These can be used to create safety-related programs, programs for automation tasks or a combination of the two. It is very rare for users to demand a clear separation, but they highly value a clear distinction between the areas of responsibility.

The two areas of safety and security increasingly form an integral part of the overall plant and machine function. That‘s why they must be considered from the outset. If subfunctions are to be interlinked to optimum effect, they cannot simply be added retrospectively. Ultimately, the challenge lies in integrating the functions into the overall system.

Safety & security have clear parallels in terms of standardisation and procedure in the engineering process: the respective safety measures must not compromise the availability of plant and machinery.

When it comes to implementation, many processes and experiences from the world of safety can be transferred directly to the world of security. The field of safety is already characterised by considerable security of investment and legal certainty. That is partly due to the need to comply with norms and standards. As a result, terms such as Safety Integrity Level (SIL) are clearly defined worldwide and uniform classification into hazard classes and risk assessments is also possible. In future, further indicators will be required for the interplay of safety and security in terms of standardisation. However, it will also be increasingly important to consider the needs of the user from the outset when developing solutions and to limit the complexity – after all: simplicity is (operator) safety.

www.cpp-net.com search: cpp0117pilz

Senior Manager Product Management, Pilz