
Page 1: PROTECTING CONNECTED DEVICES AGAINST …files.informatandm.com/uploads/2017/5/CSA_Group...Service (DDoS) attack in the U.S. dramatically demonstrated the impact of a malicious attack

North America | Europe | Asia • www.csagroup.org

PROTECTING CONNECTED DEVICES AGAINST CYBER ATTACK
INCREASING THE SECURITY OF INTELLIGENT BUILDING AND INDUSTRIAL CONTROL SYSTEMS

By Matt Jakuc
Product Group Manager, Cybersecurity Technical Lead
CSA Group

The rise of cyber-related attacks on Internet of Things (IoT) and Industrial Internet of Things (IIoT) infrastructure has made it increasingly vital to have cybersecurity protocols in place to support functional safety and safety-related solutions in commercial or residential buildings and industrial processes. As building and process automation increasingly involves linking equipment together in an open network architecture, the safety and security risks created by Internet connectivity should be a foremost concern of stakeholders such as product design professionals, building managers, owners and system integrators.

Functional safety verification is essential in equipment that responds to operator inputs, because an automated, safety-related device or control system that responds incorrectly may create a hazard. A cyber-attack on the integrity of a controller can jeopardize the functional safety of a device or control system in an open network architecture.

A cyber-attack can compromise the safety function of a device (or control system) in one or more ways. The device could be jammed so that it will not activate and perform its safety function when needed, creating a high-level risk condition. An attacker could hijack the device to make it appear to be functioning properly when it is not, disguising a serious vulnerability. A hijacked safety function can also be manipulated to trigger false positive alarms or to engage the safety function inappropriately (e.g. close and open valves, turn lights on and off, and activate sirens). If the manipulation seriously abuses the system, it can damage equipment and potentially endanger lives. Even if the compromised device or system can still perform its safety function, it could be rendered inaccessible or raise false alarms that require service attention.

To mitigate these risks, the Functional Safety Design Lifecycle and the testing and certification of critical functional safety features must be extended to also encompass evaluation of security features. To achieve fully integrated network security, each individual IoT and IIoT device or control system must be designed within the framework of a Security Development Life Cycle and tested and evaluated against accepted and applicable cybersecurity standards.

The Emerging Internet of Things – Advantages and Vulnerabilities

Commercial and residential building systems, as well as industrial control systems, increasingly include online capabilities to enable operators and service providers to remotely monitor, control, and analyze system safety, security and performance.


The creation of intelligent buildings and industrial processes utilizing open network architecture is driven by the concept of the Internet of Things (IoT) and the Industrial Internet of Things (IIoT) – which sees manufacturing utilizing IoT technologies for quality control, sustainability and overall process improvements – with a multitude of individual devices and control systems supporting overall system connectivity.

The advantages of fully integrated online or cloud-based systems to operators and other stakeholders are significant:

• System performance can be monitored continuously.
• System operation can be more easily controlled to optimize efficiency and cost savings.
• Preventive diagnostics can be performed to predict failures and improve scheduled maintenance routines.
• Faults can be immediately detected so root causes can be identified and addressed quickly, minimizing disruption or potential damage to the system.
• Robust system data can be compiled and analyzed to identify opportunities for future system and operational improvements.

The market for connected devices for Industrial Automation Control Systems (IACS), as well as commercial and residential Building Control Systems (BCS), is expanding rapidly. Data compiled by IHS Markit and reported by the Continental Automated Buildings Association (CABA) predicts that, by the year 2025, there will be approximately 70 billion IoT-connected devices, with an estimated 18 billion devices shipped per year.1

This rapid growth, and the clear advantages and opportunities of intelligent buildings, are not without significant security and safety risks and vulnerabilities that must be addressed. An October 2016 Distributed Denial of Service (DDoS) attack in the U.S. dramatically demonstrated the impact of a malicious attack on unsecured Internet-connected devices. In this extreme case, vulnerable household IoT devices were infected with malicious code or malware known as a “botnet”. Hackers coordinated those devices to send an overwhelming volume of traffic to servers operated by an important Domain Name System (DNS) provider, disrupting much of America’s Internet and legitimate traffic to many of the most popular Web sites. While unprecedented in its scale and overall impact on U.S. Internet infrastructure, the October attack illustrates the potential vulnerability of intelligent building and automated industrial control systems based on IoT devices.

Assuring Functional Safety and Security

The adoption of open networks and IoT devices increases vulnerability to cyber-attack, underscoring the importance of assuring the full integrity of functional safety across a networked building or industrial process system. To achieve this goal, extensions of the Functional Safety Design Life Cycle and Functional Safety Testing & Certification must be considered for each connected device. This can include the implementation of a Security Development Life Cycle and potentially the addition of a Cybersecurity Product Evaluation. The goal is to establish a level of confidence in the security features of the IoT device through an established and reliable quality assurance process.

PROTECTING CONNECTED DEVICES AGAINST CYBER ATTACK

1 CABA Intelligent Buildings and the Impact of IoT, Key Trends in IoT and Commercial Building Technology Markets; IHS Markit for the Continental Automated Buildings Association; © Continental Automated Buildings Association, 2016.


While operators and the service providers who support them must be concerned about a host of negative consequences of cyber-attack, including…

• Breach of data security
• Interrupted operations
• Loss of revenue
• Unplanned recovery expense
• Liability or legal action for negligence
• Tarnished reputation

…a cybersecurity breach poses no greater threat than the loss of functional safety, which can place workers, residents and communities at risk of injury or even death, while also threatening property and the environment.

Vulnerabilities Are Widespread

The potential for cybersecurity attack exists across a wide range of devices currently used in intelligent building and industrial control systems. By exploiting the vulnerability of an unsecure controller or other device, attackers could take control of all connected equipment on a network. The potential risk can be magnified if the initial breach exposes weaknesses in equipment that was not designed to operate in an open network environment.

Design Weaknesses May Be Exposed

A simulated cyber-attack on an electrical power generator connected to a substation dramatically demonstrated the risk created when appropriate security measures are not incorporated in an original equipment design. Although conducted in 2007, the results of the simulation continue to be a point of reference in industry and governmental discussions of power industry security needs.

During the simulation, which was conducted by the Idaho National Laboratory, researchers targeted a vulnerable programmable device to gain access to and control of protective relays on the generator. Because the equipment design did not include measures to prevent the relays from being abused, the researchers were able to open and close the breakers rapidly and out of sync, creating extreme torque conditions. The generator bounced and vibrated violently, eventually throwing parts up to 80 feet before it was destroyed.2 In an actual attack, serious injury to operators, or even death, could have occurred.

Improper Implementation Can Undermine Secure Technology

Even when the technology used in a product is inherently secure, failure to implement suitable security measures during the product design process can leave connected equipment and networks vulnerable to attack. Wireless protocols widely used in intelligent building and smart home devices are one example, affecting millions of devices worldwide.

Researchers in 2015 and 2016 reported finding security flaws in many building automation devices using the Z-Wave and ZigBee wireless protocols, which are incorporated in the designs of smart door locks, alarms, detectors, light bulbs and lighting controls, motion sensors, switches, HVAC systems, valve actuators and other IoT devices. While the protocols themselves are secure, investigation revealed that product manufacturers did not always utilize secure encryption keys when the protocols were implemented in product designs, leaving devices vulnerable to attack.3, 4

In one case involving the Z-Wave protocol, compact fluorescent light (CFL) bulbs without encryption were damaged by attackers who cycled them off and on using specific timings. The resulting thermal stress destroyed the bulbs within hours. Loss of facility lighting or another networked system can disrupt building operations and compromise security and safety. A similar attack on a connected thermostat under cold winter conditions could cause building water pipes to freeze and burst, resulting in significant damage, disruption and property loss.
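
A defender-side sketch of the mitigations these two findings point to: the hijacked safety function described on page 1 (a device made to switch, or to appear healthy, at an attacker's request) and the weak or shared encryption keys found in Z-Wave and ZigBee products above. This is an added example, not code from the white paper or from CSA Group. It assumes a hypothetical actuator that accepts only commands carrying an HMAC-SHA256 tag under a per-device key and a strictly increasing counter, plus a minimum dwell time so that a load cannot be cycled at the timings that destroyed the CFL bulbs. The device identifier, keys, frame layout and timings are all constructed for the example.

```python
import hmac
import hashlib
import struct

# Hypothetical per-device keys, constructed for this example. A real product
# would provision a unique key per unit at manufacture or during a secured join.
DEVICE_KEYS = {
    b"lamp-01": bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0"),
}
# A vendor-wide default key: anyone who has examined one unit knows it. It is
# deliberately not accepted by any device below.
DEFAULT_KEY = b"\x00" * 16

MIN_DWELL_SECONDS = 5.0            # refuse to switch a load faster than this
FRAME = struct.Struct(">8sI4s")    # device id, monotonic counter, action
TAG_LEN = hashlib.sha256().digest_size


def build_command(device_id: bytes, counter: int, action: bytes, key: bytes) -> bytes:
    """Serialize id || counter || action and append HMAC-SHA256 over it."""
    body = FRAME.pack(device_id, counter, action)
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Actuator:
    """A switched load (lamp, valve, siren) that only obeys authenticated commands."""

    def __init__(self, device_id: bytes, key: bytes):
        self.device_id = device_id
        self.key = key
        self.last_counter = -1          # highest counter accepted so far
        self.state = b"off"
        self.last_change = -float("inf")
        self.events = []                # rejections, for a supervisor to alarm on

    def _reject(self, reason: str) -> str:
        self.events.append(reason)
        return reason

    def handle(self, frame: bytes, now: float) -> str:
        if len(frame) != FRAME.size + TAG_LEN:
            return self._reject("malformed")
        body, tag = frame[:FRAME.size], frame[FRAME.size:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return self._reject("bad-mac")       # forged or default-key command
        device_id, counter, action = FRAME.unpack(body)
        if device_id.rstrip(b"\x00") != self.device_id:
            return self._reject("wrong-device")
        if counter <= self.last_counter:
            return self._reject("replay")        # captured frame sent again
        self.last_counter = counter              # consumed even if rejected below
        action = action.rstrip(b"\x00")
        if action not in (b"on", b"off"):
            return self._reject("unknown-action")
        if action != self.state:
            if now - self.last_change < MIN_DWELL_SECONDS:
                return self._reject("dwell")     # blocks rapid on/off cycling
            self.state = action
            self.last_change = now
        return "applied"


def demo() -> dict:
    """Run the scenarios from the text against one lamp and return each outcome."""
    key = DEVICE_KEYS[b"lamp-01"]
    lamp = Actuator(b"lamp-01", key)
    results = {}
    legit = build_command(b"lamp-01", 1, b"on", key)
    results["legit_on"] = lamp.handle(legit, now=0.0)
    # Attacker who only holds the product's default key (the weak-key finding).
    forged = build_command(b"lamp-01", 2, b"off", DEFAULT_KEY)
    results["forged_default_key"] = lamp.handle(forged, now=1.0)
    # Attacker who captured the legitimate frame and sends it again.
    results["replayed"] = lamp.handle(legit, now=10.0)
    # Rapid cycling at the timings that destroyed the CFL bulbs.
    results["fast_off"] = lamp.handle(build_command(b"lamp-01", 2, b"off", key), now=1.5)
    # The same command after the dwell period is honoured.
    results["slow_off"] = lamp.handle(build_command(b"lamp-01", 3, b"off", key), now=20.0)
    results["final_state"] = lamp.state
    results["events"] = list(lamp.events)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The dwell guard is a physical-plant safeguard rather than a cryptographic one: even a legitimately keyed controller that has itself been compromised cannot drive the load at a destructive rate. The `events` list is what a building supervisor would forward to monitoring, since a burst of `bad-mac` or `replay` rejections is the observable signature of the attacks described above.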

These examples demonstrate the importance of implementing a Security Development Life Cycle to support the design of secure IoT devices from the beginning of the product development process, similar to the Functional Safety Design Life Cycle. They also reinforce the importance of verifying the implementation of effective security through Cybersecurity Evaluation, conducted as part of Functional Safety Testing and Certification. By making security an integral part of the design process and conducting the appropriate testing to verify that proper security measures have been implemented, manufacturers and their customers can be confident that devices support the ultimate goal of fully integrated security and safety across the entire intelligent building or industrial control network.

Supply Chain Mandates

Stakeholders in the intelligent building supply chain who are key to driving business forward – including system OEMs, Tier 1 suppliers, system integrators, contractors and other downstream participants – are increasingly demanding evidence of a Security Development Life Cycle and rigorous cybersecurity evaluation. All supply chain participants are expected to take measures to ensure that devices and systems support the security requirements of end users or their service partners.

2 Aurora Generator Test, Wikipedia. Retrieved January 17, 2017.
3 ShmooCon 2016: Z-Wave Protocol Hacked with SDR, Hackaday, January 16, 2016. Retrieved January 17, 2017.
4 Researchers exploit ZigBee security flaws that compromise security of smart homes, Network World, August 11, 2015. Retrieved January 16, 2017.

The impact of these mandates is widespread, spanning diverse industry supply chains including HVAC, fire control, access control, lighting, industrial controls, IT/AV, and more. However, requirements within these vertical supply chains are based on the overarching technology-horizontal requirements defined within the IEC 62443 Series cybersecurity standards.

Supply chain mandates may include requirements that products be suitable for use in “SIL-rated” systems. SIL refers to the Safety Integrity Level that is assigned during functional safety evaluation to confirm that the requirements of the IEC 61508 standard are met. IEC 61508 is the international standard for safety-related systems associated with electrical, electronic and software-based technologies. Similarly, supply chain requirements may include achieving a specific security level defined in the IEC 62443 Series cybersecurity standards. The close relationship between cybersecurity and functional safety evaluations is further described below.

IEC 62443 Cybersecurity Standards

The IEC 62443 Series cybersecurity standards were developed as technology-horizontal control system standards with broad industry applicability. This series of standards covers component technical requirements, system technical requirements, product supplier development lifecycle practices, integrator practices, and onsite end user management and operation of a cybersecurity program. While not deliberately industry-specific, the IEC 62443 Series standards reflected the initial input of Industrial Automation Control Systems (IACS) participants in the standards development process. However, the standards are also accepted as technically applicable to building control systems and could be used to assess cybersecurity in intelligent building systems.

The IEC 62443 Series includes:

• IEC 62443-4-2 Security for industrial automation and control systems – Technical security requirements for IACS components
• IEC 62443-3-3 Security for industrial automation and control systems – System security requirements and security levels
• IEC 62443-4-1 Security for industrial automation and control systems – Product development requirements

At the end of 2016, only the IEC 62443-3-3 standard pertaining to control system security requirements and security levels had been approved and published by IEC. Standards for technical security requirements for components (IEC 62443-4-2) and product development requirements (IEC 62443-4-1) are expected to be approved and published in 2017.

Cybersecurity Evaluation

CSA Group offers cybersecurity analysis and testing as part of the Functional Safety Testing and Certification of IoT and IIoT products and systems. The Cybersecurity Evaluation process provided by CSA Group includes the rigorous analysis and testing called for under the IEC 62443 Series standards and other cybersecurity frameworks required by supply chains and end use customers.

An Extension of Functional Safety Evaluation

Cybersecurity analysis and testing should be performed by qualified third party testing organizations as part of the overall product functional safety evaluation, which helps assure that an automated, safety-related device or system operates correctly in response to its inputs, protecting operators and/or property and the environment from any hazard.

For example, a sensor that measures the temperature of electric motor windings and de-energizes the motor before it overheats provides functional safety. In contrast, insulation material that helps protect the motor and its surroundings against the same overheating does not provide functional safety because it does not respond to inputs.5

IEC 61508 is the international standard for safety-related systems associated with electrical, electronic and software-based technologies. The principles of the standard can also be extended to assess mechanical elements if they are used in the safety function.

The IEC 61508 standard defines requirements for determining the level of risk using Risk/Process Hazard Analysis (PHA) and identifying the relative level of risk reduction required: the Safety Integrity Level (SIL). It also describes the lifecycle process for ensuring that systems are designed, validated, verified, operated and maintained to perform a specific function or functions and assure that risk is kept at an acceptable level.
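
As a worked illustration of the risk-reduction step just described, the following turns two PHA frequencies into a required risk reduction factor and a SIL using the IEC 61508-1 target failure measures for low-demand mode (average probability of dangerous failure on demand, PFDavg: SIL 1 from 1e-2 to 1e-1, SIL 2 from 1e-3 to 1e-2, SIL 3 from 1e-4 to 1e-3, SIL 4 from 1e-5 to 1e-4). This is an added example, not the standard's text or CSA Group's procedure; the hazard frequencies for the page's motor-winding temperature trip are constructed, and `motor_trip_example`, `sil_for_target` and `design_meets_target` are names chosen here.

```python
from typing import NamedTuple

# IEC 61508-1 target failure measures for a safety function in low-demand
# mode: average probability of dangerous failure on demand (PFDavg), as
# (sil, lower bound inclusive, upper bound exclusive).
LOW_DEMAND_PFD_BANDS = [
    (4, 1e-5, 1e-4),
    (3, 1e-4, 1e-3),
    (2, 1e-3, 1e-2),
    (1, 1e-2, 1e-1),
]


class SilTarget(NamedTuple):
    rrf: float          # risk reduction factor the safety function must deliver
    target_pfd: float   # PFDavg the design must demonstrate (1 / rrf)
    sil: int            # 0 = no SIL claim needed, otherwise 1..4
    achievable: bool    # False when the required reduction exceeds SIL 4


def required_risk_reduction(unmitigated_per_year: float, tolerable_per_year: float) -> float:
    """RRF = frequency of the hazardous event with no safety function divided by
    the frequency judged tolerable in the Process Hazard Analysis."""
    if unmitigated_per_year <= 0 or tolerable_per_year <= 0:
        raise ValueError("hazard frequencies must be positive")
    return unmitigated_per_year / tolerable_per_year


def sil_for_target(unmitigated_per_year: float, tolerable_per_year: float) -> SilTarget:
    """Map the PHA outcome onto an IEC 61508 low-demand SIL band."""
    rrf = required_risk_reduction(unmitigated_per_year, tolerable_per_year)
    target_pfd = 1.0 / rrf
    if target_pfd >= 1e-1:                 # RRF of 10 or less: below SIL 1
        return SilTarget(rrf, target_pfd, 0, True)
    for sil, low, high in LOW_DEMAND_PFD_BANDS:
        if low <= target_pfd < high:
            return SilTarget(rrf, target_pfd, sil, True)
    # Target below 1e-5: no single safety function can claim it; the hazard
    # has to be reduced by other protection layers or by redesign.
    return SilTarget(rrf, target_pfd, 4, False)


def design_meets_target(demonstrated_pfd: float, target: SilTarget) -> bool:
    """Sitting in the right SIL band is necessary, not sufficient: the PFDavg the
    design actually demonstrates must be at or below the PHA-derived target."""
    return target.achievable and demonstrated_pfd <= target.target_pfd


def motor_trip_example() -> SilTarget:
    """Constructed PHA figures for the page's motor-winding over-temperature trip:
    with no trip the windings reach a fire-hazard temperature about once in two
    years; the tolerable frequency is set at once in ten thousand years."""
    return sil_for_target(unmitigated_per_year=0.5, tolerable_per_year=1e-4)


if __name__ == "__main__":
    t = motor_trip_example()
    print(f"RRF {t.rrf:.0f}, target PFDavg {t.target_pfd:.1e}, SIL {t.sil}")
    print("SIL 3 design with PFDavg 3e-4 adequate?", design_meets_target(3e-4, t))
    print("SIL 3 design with PFDavg 1e-4 adequate?", design_meets_target(1e-4, t))
```

The last two lines of the demo make the point that matters for certification: two designs can both be "SIL 3" and yet only the one whose demonstrated PFDavg is at or below the target derived from the PHA actually satisfies the requirement. A cyber-attack that degrades or disables the safety function pushes its effective PFD toward 1, which is why the page ties security evaluation to the SIL claim.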

Cybersecurity Evaluation parallels the Functional Safety Testing and Certification process, using specific security frameworks and the IEC 62443 Series and other applicable standards. The evaluation process first identifies and assesses applicable risks and the necessary SILs. The effectiveness of security measures is then evaluated, taking into account any related design considerations. The overall Cybersecurity Evaluation includes assessment of the security of the product development process as well as the implementation of security measures in the product itself.

5 The adequacy of insulation or other product design elements should be evaluated for conformance with the requirements of the applicable industry standards for safety or performance during the product testing and certification process.

Analysis and Testing

The Cybersecurity Evaluation process typically includes the following analyses and tests:

Gap Analysis and Risk Assessment

Analyses of the supplier’s Information Security Management System (ISMS) and Security Development Lifecycle (SDLC) are performed to identify strengths and weaknesses, and to recommend any procedural and policy changes that should be addressed in order to support a secure SDLC process and demonstrate supplier due diligence in mitigating security risk. This analysis and the resulting recommendations are designed to identify and address security threats early in the product life cycle, before devices enter production.

Vulnerability Identification Testing (VIT)

The objective of VIT is to ensure that connected devices are free from known vulnerabilities. Security weaknesses are defined and detected, and the effectiveness of proposed countermeasures is forecast so that actual effectiveness can be evaluated upon implementation. Vulnerabilities are analyzed to determine their impact on applicable functional safety requirements, which are established as part of the overall Functional Safety Testing and Certification process.

Penetration Testing

Penetration testing evaluates the security of a connected system by attempting to exploit potential vulnerabilities. This internal testing of the system, network or software helps identify security weaknesses so they can be fixed before being exposed to an actual attack. Effective penetration tests are designed to simulate an attack involving a specific objective. The test findings reveal how security was breached so that appropriate preventive countermeasures can be adopted.

Communication Robustness Testing (CRT)

CRT evaluates product resilience when subjected to network stress testing, identifying network-based security vulnerabilities. The test provides a measure of the extent to which network-based protocols can defend themselves against incorrectly formed messages and inappropriate sequences of messages used to attack the system. CRT identifies the presence of common programming errors and known denial of service vulnerabilities specifically for networking protocols, which impact the robustness of embedded devices that use those protocols.
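
An added example of what a CRT harness exercises (not CSA Group's test tooling or any real protocol): a hypothetical length-prefixed frame format with a HELLO → AUTH → DATA/BYE session state machine, fed malformed frames and out-of-order sequences from a constructed corpus. The frame layout, the token, the scenario names and both parsers are assumptions made here. `parse_frame` is the hardened receiver; `naive_parse` is the unguarded kind of code CRT is meant to expose, and the harness records the exception it raises as a finding instead of letting it take down the process, which on an embedded target would be the reset or hang the text describes.

```python
import struct

HEADER = struct.Struct(">BH")      # frame type, payload length
MAX_PAYLOAD = 64                   # receive buffer size on the device
HELLO, AUTH, DATA, BYE = 0x01, 0x02, 0x03, 0x04
TOKEN = b"constructed-token"       # constructed session credential


class FrameError(ValueError):
    """Raised by the hardened parser for any frame it will not process."""


def parse_frame(buf: bytes):
    """Hardened parser: validates the header before touching any payload byte."""
    if len(buf) < HEADER.size:
        raise FrameError("truncated header")
    ftype, length = HEADER.unpack_from(buf)
    if length > MAX_PAYLOAD:
        raise FrameError("declared length exceeds maximum")
    if len(buf) != HEADER.size + length:
        raise FrameError("declared length does not match bytes received")
    if ftype not in (HELLO, AUTH, DATA, BYE):
        raise FrameError("unknown frame type")
    return ftype, buf[HEADER.size:]


def naive_parse(buf: bytes):
    """Unguarded parser of the kind CRT is meant to catch: trusts the header."""
    length = (buf[1] << 8) | buf[2]   # IndexError on a truncated frame
    return buf[0], buf[3:3 + length]


# Session state machine: which frame types are acceptable in each state, and
# the state each accepted frame leads to.
ALLOWED = {"new": {HELLO}, "hello": {AUTH}, "auth": {DATA, BYE}, "closed": set()}
NEXT = {HELLO: "hello", AUTH: "auth", DATA: "auth", BYE: "closed"}


class Session:
    def __init__(self, parser=parse_frame):
        self.parser = parser
        self.state = "new"
        self.payload_bytes = 0

    def feed(self, buf: bytes) -> str:
        try:
            ftype, payload = self.parser(buf)
        except FrameError as err:
            return f"rejected: {err}"
        if ftype not in ALLOWED[self.state]:
            where = self.state
            self.state = "closed"            # a protocol violation ends the session
            return f"rejected: frame type {ftype:#x} not allowed in state {where}"
        if ftype == AUTH and payload != TOKEN:
            self.state = "closed"
            return "rejected: authentication failed"
        self.state = NEXT[ftype]
        self.payload_bytes += len(payload)
        return "accepted"


def frame(ftype: int, payload: bytes = b"") -> bytes:
    return HEADER.pack(ftype, len(payload)) + payload


# Constructed CRT corpus: each scenario is fed, in order, to one fresh session.
CRT_SCENARIOS = {
    "nominal": [frame(HELLO), frame(AUTH, TOKEN), frame(DATA, b"temp=41.5"), frame(BYE)],
    "truncated-header": [b"\x03"],
    "length-overrun": [HEADER.pack(DATA, 10) + b"short"],
    "oversize-length": [HEADER.pack(DATA, 0xFFFF) + b"x" * 4],
    "unknown-type": [frame(0x7F, b"?")],
    "data-before-auth": [frame(HELLO), frame(DATA, b"x")],
    "wrong-token": [frame(HELLO), frame(AUTH, b"guess"), frame(DATA, b"x")],
    "after-bye": [frame(HELLO), frame(AUTH, TOKEN), frame(BYE), frame(DATA, b"x")],
}


def run_crt(scenarios: dict, parser=parse_frame) -> dict:
    """Return {scenario: [outcome per frame]}. Any exception escaping the
    session is recorded as a finding: on an embedded target it would be a
    reset or hang, i.e. the denial of service CRT looks for."""
    report = {}
    for name, frames in scenarios.items():
        session = Session(parser)
        outcomes = []
        for buf in frames:
            try:
                outcomes.append(session.feed(buf))
            except Exception as exc:          # deliberate: the crash is the result
                outcomes.append(f"CRASH: {type(exc).__name__}")
        report[name] = outcomes
    return report


def crashes(report: dict) -> list:
    return sorted(n for n, outs in report.items() if any(o.startswith("CRASH") for o in outs))


if __name__ == "__main__":
    print("hardened:", crashes(run_crt(CRT_SCENARIOS, parse_frame)))
    print("naive:   ", crashes(run_crt(CRT_SCENARIOS, naive_parse)))
```

Two limits of this harness are worth noting, since a real CRT campaign addresses both: it only counts exceptions, so a parser that silently accepts a frame whose declared length disagrees with the bytes received (as `naive_parse` does for the length-overrun case) is not flagged unless the session logic happens to reject it, and its corpus is hand-written, whereas CRT tools generate the malformed and out-of-sequence inputs systematically from a protocol model.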

Conclusion

The widespread adoption of IoT technology in networked infrastructure has increased the potential for cyber-attacks that can compromise safety-related devices and control systems. Around the world, cybersecurity breaches are increasingly occurring and, contrary to popular belief, they cannot be solely attributed to savvy hackers or aggressive cyber-attack strategies. Insufficient knowledge of reliable mitigation processes, including the critical role of functional safety testing and evaluation of security features, is equally responsible.

Products and systems used in intelligent residential and commercial buildings, as well as automated industrial processes, that are designed and evaluated to ensure they meet the strict requirements of both functional safety and cybersecurity standards can help to mitigate these risks. Ensuring that your devices and components are suitable for SIL-rated systems is now commonplace for participants across diverse supply chains. By integrating the CSA Group Cybersecurity Evaluation with Functional Safety Evaluation in the certification process, device and system controller suppliers can potentially outpace rapidly expanding cybersecurity threats and help provide assurance to key stakeholders that their products provide a higher level of resilience to cyber-attacks.

About CSA Group

CSA Group is a global testing and certification service provider offering widely recognized and accepted CSA certification marks that appear on billions of products around the world. CSA Group is accredited by international technical authorities, including the U.S. Occupational Safety and Health Administration (OSHA) as an NRTL, the Standards Council of Canada (SCC), the United Kingdom Accreditation Service (UKAS), and more.

CSA Group is a world leader in providing Cybersecurity Evaluation along with Functional Safety Testing and Certification, including evaluation services for products for the intelligent building, industrial automation, HVAC, lighting, electrical, IT/AV, plumbing, safety and security, and other industries. The CSA Certified™ advantage – helping manufacturers get the market access they need for over 95 years. Contact CSA Group to obtain more information about our global Cybersecurity Evaluation and Functional Safety Testing and Certification services.

ADDRESSING CYBERSECURITY RISK IN THE DESIGN OF CONNECTED DEVICES FOR INTELLIGENT BUILDING AND INDUSTRIAL CONTROL SYSTEMS

Contact Us
[email protected]
1.866.797.4272
www.csagroup.org