In the wake of a serious security breach involving Schneider Electric’s Triconex industrial safety system at a “critical infrastructure” facility overseas, Priority Payload Report talked with Joe Weiss, managing partner of Applied Control Solutions and the author of Protecting Industrial Control Systems from Electronic Threats. Weiss has decades of experience in the energy industry and serves on the ISA99 committee of the International Society of Automation.
PPR: Why is the incident involving Schneider Electric’s Triconex safety system such a big deal?
Weiss: Triconex and Siemens have a large segment of the safety systems worldwide and Triconex also happens to be used in many U.S. nuclear power plants as Triconex has been certified by NRC for nuclear safety applications. Schneider for years has said you can’t hack Triconex because it’s triple-redundant. Triple-redundant improves reliability but does not address cyber security.
PPR: What is a typical industrial scenario that would require the triple-redundant PLC?
Weiss: In a refinery, you would use this to make sure that the safety valves would open if the pressure got too high, so a pipe doesn’t burst. Safety systems are used to make sure that you don’t have a pipe break, or a valve releasing toxic chemicals, prevent trains from crashing, etc.
PPR: So this isn’t about IT security, but facility integrity and human life at risk.
Weiss: Safety systems are to protect facility integrity and human life, not for data.
PPR: We don’t know all of the details of the incident, but is this a situation in which air-gapping that particular PLC could have prevented the breach?
Weiss: We have to isolate or air gap safety from all other systems. Today, non-nuclear safety standards allow safety to talk to non-safety. Nuclear does not allow safety systems to mix with non-safety. The nuclear plant approach must be extended to non-nuclear safety systems.
PPR: If a manager or engineer at a power plant came to you and said, ‘I just heard about this incident involving Triconex, which we have implemented in our facilities. What should I be doing now?’
Weiss: The very first thing is make sure safety doesn’t touch non-safety including basic process control systems much less the business network..
PPR: So other than nuclear, there’s no there’s no requirements to have this kind of separation.
Weiss: No, that’s part of what we’re going to have to address in the new ISA Level 0, Level 1 Task Force.
Weiss has also blogged about the Triconex events and associated safety issues at Implications of the Triconex safety system hack – Stuxnet part 2?This is an excerpt from a previous edition of the Priority Payload Report (PPR) newsletter.