A Brief Discussion on the Security of Human-Computer Interfaces
Posted 2026-04-06 02:39:54, post #1
When discussing Human-Machine Interfaces (HMIs), the distinction between safety and security is usually clear. Steven Garbrecht, Marketing Manager for Infrastructure and Platform Products at Wonderware, explains, “Safety refers to the embedded control operations and safety linkages within the PLC, which are designed into the control program.” Security, on the other hand, is concerned with people who break into the control system intending to steal information or cause damage. These are two distinct fields, yet at the HMI the two overlap to some degree: proper safety design prevents operators from damaging or destroying products or equipment, and lets them act promptly to head off such incidents.

In December 1984, a catastrophic accident occurred at a Union Carbide plant in Bhopal, India, where a chemical reactor went out of control, releasing tons of methyl isocyanate and causing thousands of deaths and numerous illnesses. There was disagreement over whether the safety systems functioned during the accident; Union Carbide maintained that “such a large accident could only have been caused by sabotage,” a view that others strongly disputed.

[align=center]Figure 1: In this pharmaceutical process, the start-up, control, and monitoring of the production process are all performed by operators. Wonderware Intouch's HMI software guides operators step by step through the process. The figure shows the overall layout of the plant system (left) and the sample data management and review process.[/align]

In the 1979 nuclear accident at Three Mile Island (PA) in the United States, operators were unaware that a critical valve was open, because it appeared closed. They then received incorrect information about the reactor level. Later investigations ruled out sabotage; had the operators received correct information, they could have kept the situation from spiraling out of control.
Ensuring No Loss of Control

Admittedly, there are indeed external malicious actors. In a presentation titled "A Guide to Control System Security," Wonderware's Infosec analyst Rich Clark listed 17 scenarios, ranging from disgruntled employees to ordinary criminals, and on to organized groups and individuals who threaten national and governmental security. He said these individuals are difficult to identify, but "they have many targets to attack every day."

Garbrecht said, "From a human-machine interface perspective, there are three main scenarios: First, someone outside the company crosses the firewall, enters the company through the network, and makes some modifications to the human-machine interface. Second, someone inside the company performs malicious operations for some reason. Third, an employee within the company, not intending to launch a malicious attack, but due to misoperation, causes security or other issues in the process."

Clark said that a company that delegates the security of its control systems to the IT department may run into trouble. IT personnel achieve security by isolating each machine: they isolate those who are online and those who may be carrying viruses, preventing them from affecting other parts of the enterprise. This method works in the IT field, but it sacrifices the convenience of communication between machines and has poor real-time performance. Clark continued, “When control systems are designed, each machine is designed to communicate with another machine without hindrance. In a control system environment, more machines are both servers and clients, which doesn’t fit the client-server model in the IT field.”

Clark pointed out that the security solution for control systems is to place the control system behind a protective wall and then tightly control all access to the protected area. All communication between the control system and the rest of the enterprise must pass through a firewall.
A biopharmaceutical company in California recently installed a new system, compliant with 21 CFR 11, for processing historical data. All information about process errors and events is stored on a server and is accessible to those who need it. Critical plant data and control information, however, are stored in a network isolated from the rest of the enterprise. Clark describes this design as “having limited threat vectors.” He said an ideal security control system should meet the following criteria:

■ Isolation from all threats, including business partners.
■ Layering with strong anti-corrosion equipment.
■ Only one input/output point.
■ All system automation within a single security set.
■ Every trusted machine within the enterprise can access every other trusted machine without hindrance.

Microsoft calls this security model “domain isolation.” GE added this security feature to version 3.5 of its iFIX software in the form of the "Application Validator Utility." This tool automatically manages modifications to system files and functions, reducing the possibility of unintentional or intentional breaches during installation.

Joe Quigg, Vice President of Engineering at Systek Automated Controls (formerly Control Engineering Manager at International Automation), warned: "Intentional individuals can create dangers. With older systems, in many cases, people could modify and alter the system unimpeded and without supervision. Moreover, such modifications lacked documentation; if people modified the system and didn't record it, there was no way to trace it." He continued, "Many logic systems have hardware relay logic; if someone can open the control panel, they can set up bypasses whenever they want." He went on to say, "A well-designed modern system is divided into two parts: a standard part, the daily control procedures, which is open-architecture; and a secure part, which is locked down and can be modified only by specific people using the correct password, after training and guidance."
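The "limited threat vectors" layout above, as an added example that is not from the article, Wonderware or GE: an isolated control domain whose machines talk freely to each other, a single input/output point through which events leave, a historian that the business side may read, and nothing admitted from external parties such as business partners. The zones, addresses and service labels are constructed for illustration.

```python
# Added example (not from the article): decision logic for the zone model the
# article describes.  All addresses, zone names and service labels are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

CONTROL_NET = ip_network("10.20.0.0/24")     # constructed: isolated control domain
BUSINESS_NET = ip_network("192.168.0.0/16")  # constructed: corporate IT network
HISTORIAN = ip_address("10.30.0.50")         # constructed: error/event history server
IO_POINT = ip_address("10.20.0.1")           # constructed: the single I/O point of the domain

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    service: str  # constructed labels: "hmi", "historian-push", "historian-read"

def zone(addr) -> str:
    """Map an address to a zone; anything unknown is external, business partners included."""
    if addr in CONTROL_NET:
        return "control"
    if addr == HISTORIAN:
        return "historian"
    if addr in BUSINESS_NET:
        return "business"
    return "external"

def decide(flow: Flow) -> tuple[bool, str]:
    """Return (allowed, reason) for one flow under the article's criteria."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    zs, zd = zone(src), zone(dst)
    if zs == "external" or zd == "external":
        return False, "isolated from all outside parties, business partners included"
    if zs == "control" and zd == "control":
        return True, "trusted machine to trusted machine, no hindrance"
    if zs == "control" and zd == "historian":
        if src == IO_POINT and flow.service == "historian-push":
            return True, "events leave the control domain through the single I/O point"
        return False, "only the designated I/O point may talk outward"
    if zd == "control":
        return False, "nothing enters the control domain from the business side"
    if zs == "business" and zd == "historian" and flow.service == "historian-read":
        return True, "business users read error and event history"
    return False, "not on the allow list"

def audit(flows) -> list[str]:
    """One line per flow, in the shape a boundary firewall log might take (constructed format)."""
    return [f"{'ALLOW' if ok else 'DENY '} {f.src}->{f.dst} {f.service}: {why}"
            for f in flows for ok, why in [decide(f)]]

SAMPLE = [  # constructed sample traffic
    Flow("10.20.0.7", "10.20.0.9", "hmi"),                 # inside the domain
    Flow("10.20.0.1", "10.30.0.50", "historian-push"),     # via the I/O point
    Flow("10.20.0.7", "10.30.0.50", "historian-push"),     # bypasses the I/O point
    Flow("192.168.4.20", "10.30.0.50", "historian-read"),  # business reads history
    Flow("192.168.4.20", "10.20.0.9", "hmi"),              # business into control
    Flow("203.0.113.8", "10.30.0.50", "historian-read"),   # partner/external
]
```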
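Quigg's two-part design and his point that undocumented changes cannot be traced, as an added example that is not from the article or any vendor product: a change gate that accepts "standard" changes from any authenticated operator, accepts "secure" changes only from trained, authorized people with the correct password, and writes every attempt into a hash-chained record so later tampering with the record is detectable. The accounts, passwords, salt and change items are constructed.

```python
# Added example (not from the article): change gate plus tamper-evident change record.
# Accounts, passwords, salt and item names are constructed.
import hashlib, hmac, json, time

SALT = b"constructed-salt"  # constructed; a real system uses a per-account random salt

def _pw_hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 200_000)

# constructed accounts: password hash, training completed, parts they may modify
ACCOUNTS = {
    "operator1": {"hash": _pw_hash("op-pass"), "trained": False, "parts": {"standard"}},
    "engineer1": {"hash": _pw_hash("eng-pass"), "trained": True, "parts": {"standard", "secure"}},
}

def _digest(entry: dict) -> str:
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class ChangeLog:
    """Append-only record; each entry carries the hash of the previous one."""
    def __init__(self):
        self.entries = []

    def append(self, user, part, item, accepted, reason):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry = {"ts": time.time(), "user": user, "part": part, "item": item,
                 "accepted": accepted, "reason": reason, "prev": prev}
        entry["hash"] = _digest(entry)
        self.entries.append(entry)

    def verify(self) -> bool:
        """False if any entry was edited or the chain was broken."""
        prev = "0" * 64
        for e in self.entries:
            if e["prev"] != prev or _digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True

def apply_change(log: ChangeLog, user: str, password: str, part: str, item: str) -> bool:
    """Gate a change to the standard or secure part; every attempt is recorded."""
    acct = ACCOUNTS.get(user)
    if acct is None or not hmac.compare_digest(acct["hash"], _pw_hash(password)):
        log.append(user, part, item, False, "bad credentials")
        return False
    if part == "secure" and not (acct["trained"] and "secure" in acct["parts"]):
        log.append(user, part, item, False, "not authorized for the secure part")
        return False
    log.append(user, part, item, True, "accepted")
    return True
```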