Zone S: Tofino Security White Paper Using The ISA/IEC 62443 Zone & Conduit Strategy
ZONE S1
Zone Name: Unit 1 Hydrocracker Safety System
Definition of this Zone: This zone includes all safety integrity systems for the Unit 1 Hydrocracker.
Controlling Agency: Process Automation Department, SIS Team.
Zone Function: The systems in this zone provide safety functions to the Unit 1 Hydrocracker.
Zone Boundaries: The Safety Integrated System as defined by the Unit 1 Hydrocracker HAZOP.
Typical Assets: The Safety Integrated System controller, engineering station and communications hardware.
Inheritance: This zone inherits attributes from Zone C1 (Unit 1 Hydrocracker Basic Control System).
Zone Risk Assessment: This is a low to moderately secure zone with extreme consequences if breached.
a) Security Capabilities of Zone Assets: All assets are assumed to be incapable of withstanding low-level
attacks (i.e. those launched by unsophisticated attackers or malware) on their availability or
confidentiality. This is a result of the protocols in use and the system design. Assets are assumed to be
capable of withstanding medium-level attacks (i.e. those launched by moderately sophisticated
attackers or malware) on their integrity.
b) Threats and Vulnerabilities: The vulnerabilities of this zone are assumed to be typical of legacy
industrial control devices using MODBUS for communications. The principal threats are:
a. Network-based Denial of Service to SIS communications.
b. Internal or External unauthorized access to the SIS engineering station.
c. Spoofing of MODBUS/TCP control commands.
d. Spoofing of MODBUS/TCP responses to the process system.
e. Reprogramming of safety functions.
c) Consequences of a Security Breach:
a. Loss of production >6 hrs from false trip of emergency shutdown system.
b. Loss of production <6 hrs due to loss of visibility to safety system.
c. Disabling/manipulation of emergency shutdown resulting in fatality or major community
incident.
d) Business Criticality: Extreme
Security Objective: To protect the integrity and availability of the Unit 1 Hydrocracker Safety System.
Acceptable Use Policy: I/O and Fieldbus communications are allowed to Zone P1 (Unit 1 Hydrocracker Process).
Read access to published data is allowed to approved systems in Zone C1 (Unit 1 Hydrocracker Basic Control
System). All Write access to this zone is forbidden. All system management and programming functions shall be
internal to this zone.
Inter-zone Connections: Conduits to this zone may be established from Zone C1 (Unit 1 Hydrocracker Basic
Control System) and from Zone P1 (Unit 1 Hydrocracker Process).
Security Strategy: All connections to this zone must be controlled using type S conduits. Access to these
systems must be approved by the Controlling Agency.
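The read-only conduit rule stated in the Acceptable Use Policy and Security Strategy above can be enforced by a stateful MODBUS/TCP filter on the type S conduit between Zone C1 and Zone S1. The following is an added example written for this page; it is not code from the Tofino white paper or from any Tofino product. It parses the MBAP header, allows only public read function codes from an approved list of Zone C1 hosts, denies every write or unlisted function code, and only passes SIS responses that match an outstanding allowed request (which addresses the spoofed-response threat listed under b)). The host addresses and the set of approved readers are constructed placeholders.

```python
"""Stateful MODBUS/TCP conduit filter for a read-only safety zone boundary.

Added example, not part of the Tofino white paper or Tofino's product code.
Models the Zone S1 rule: approved Zone C1 hosts may read published data from
the SIS; all writes are denied; SIS responses must answer an allowed request.
"""
import struct

# Public Modbus function codes. Only reads are allowed into Zone S1; writes are
# listed explicitly so the deny reason is informative; everything else is
# denied by default (e.g. 8 Diagnostics, 43 Encapsulated Interface Transport).
READ_FUNCTIONS = {1, 2, 3, 4}          # coils, discrete inputs, holding/input regs
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}  # single/multiple writes, mask write, R/W


def parse_mbap(frame: bytes):
    """Validate the 7-byte MBAP header and return (transaction id, unit id, fc)."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol identifier is not Modbus (0)")
    # length counts unit id + PDU, i.e. everything after the first 6 bytes
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return tid, unit, frame[7]


def build_frame(tid: int, unit: int, fc: int, payload: bytes) -> bytes:
    """Construct a Modbus/TCP frame (used here to create constructed samples)."""
    return struct.pack(">HHHB", tid, 0, 2 + len(payload), unit) + bytes([fc]) + payload


class ConduitFilter:
    """Type S conduit policy: read-only into the SIS, replies only to requests."""

    def __init__(self, sis_ip: str, approved_readers):
        self.sis_ip = sis_ip
        self.approved = set(approved_readers)
        self.pending = {}  # (client ip, transaction id) -> allowed function code

    def check_request(self, src: str, dst: str, frame: bytes):
        """Decide on a Zone C1 -> Zone S1 frame. Returns (allowed, reason)."""
        if dst != self.sis_ip:
            return False, "destination is not the SIS controller"
        if src not in self.approved:
            return False, f"{src} is not an approved reader in Zone C1"
        try:
            tid, _unit, fc = parse_mbap(frame)
        except ValueError as err:
            return False, f"malformed frame: {err}"
        if fc in WRITE_FUNCTIONS:
            return False, f"write function {fc} is forbidden into Zone S1"
        if fc not in READ_FUNCTIONS:
            return False, f"function {fc} is not on the read allow-list"
        self.pending[(src, tid)] = fc
        return True, f"read function {fc} allowed"

    def check_response(self, src: str, dst: str, frame: bytes):
        """Decide on a Zone S1 -> Zone C1 frame; must match a pending request."""
        if src != self.sis_ip:
            return False, "response does not originate from the SIS controller"
        try:
            tid, _unit, fc = parse_mbap(frame)
        except ValueError as err:
            return False, f"malformed frame: {err}"
        expected = self.pending.pop((dst, tid), None)
        if expected is None:
            return False, "unsolicited response (possible spoofing), dropped"
        if (fc & 0x7F) != expected:  # bit 7 set marks an exception response
            return False, "function code does not match the outstanding request"
        return True, "response matches an allowed request"


if __name__ == "__main__":
    # Constructed addresses: SIS controller and one approved C1 historian.
    flt = ConduitFilter("10.1.1.10", ["10.1.2.20"])
    read_req = build_frame(1, 1, 3, struct.pack(">HH", 0, 10))
    write_req = build_frame(2, 1, 6, struct.pack(">HH", 0, 1))
    print(flt.check_request("10.1.2.20", "10.1.1.10", read_req))
    print(flt.check_request("10.1.2.20", "10.1.1.10", write_req))
    reply = build_frame(1, 1, 3, b"\x14" + b"\x00" * 20)
    print(flt.check_response("10.1.1.10", "10.1.2.20", reply))
    print(flt.check_response("10.1.1.10", "10.1.2.20", reply))  # replay, denied
```

The allow-list approach matters more than the write deny-list: a conduit that merely blocks known write codes still passes diagnostics and vendor-specific functions, which is where the reprogramming threat listed under b) tends to live. Pairing the transaction identifier with the client address keeps an attacker in Zone C1 from answering on behalf of the SIS unless they also race a legitimate request.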
Change Management Process: All changes to this zone or any of its connecting conduits must follow the
approved change management process of its corresponding Controlling Agency (see above). This includes, but
is not limited to, the installation or replacement of equipment, modification of security policy, and exceptions to
security policy or existing practices.
May 2014