Sage Journals: Discover world-class research

Abstract

Fieldbus transmitters are commonly used in modern industrial productions, particularly in Safety Instrumented Systems (SIS). Safety and security are critical considerations in the design and operation of these transmitters. Previous research has tended to address safety issues and security issues separately, but with the increasing complexity of network technology, it is important to analyze them simultaneously. In this paper, a systematic framework for comprehensively analyzing random failures and cyber-attack failures is proposed. The framework adopts the FMEA-IMEA method, which combines Failure Modes and Effects Analysis (FMEA) and Intrusion Modes and Effects Analysis (IMEA), to analyze failure modes and effects of fieldbus transmitters. In addition, by extending Reliability Block Diagrams (RBD), the impact of random failures and cyber-attack failures on fieldbus transmitters is quantitatively determined. At the same time, calculation approach of the residual error rate (RER), Component counting method, and Monte Carlo are used to determine random failure rate and cyber-attack failure rate. Using fieldbus pressure transmitter and fieldbus temperature transmitter as examples, the results demonstrate that security issues can significantly impact the safety integrity level. In fact, the safety integrity level is reduced from SIL3 to SIL1 when cyber-attacks are considered. Compared to existing FMEA, the proposed approach offers a more comprehensive analysis of random failures and cyber-attack failures in fieldbus transmitters.

Keywords

Safety instrumented systems failure analysis FMEA IMEA safety and security transmitters

Introduction

Industrial control systems (ICS) are critical to modern industrial processes, and safety instrumented systems (SIS) are essential for ensuring their safety and reliability. SIS have a wide range of applications in various industrial areas, including intelligent manufacturing,¹ chemical production,² and power grids (Figure 1).³ SIS consist of complex information communicators and embedded devices that are interconnected with the network/physical world through sensors and actuators.⁴ These sensors collect real-time data from the physical environment, while actuators perform specific operations based on the information processed by SIS, ensuring the safe and reliable operation of industrial processes. Unlike traditional production methods, equipment in SIS no longer work independently but form a cooperative group through wired or wireless networks.⁵ The network between equipment also brings both potential threats such as malware attacks or manipulation. SIS are typically divided into three main sub-systems: input components (such as transmitters or sensors), logic solvers, (usually implemented by programmable electronic controllers (PLC)), and actuation components (such as safety valves or circuit breakers),⁶ as shown in Figure 2. In fieldbus transmitters,⁷ safety and security are now considered separately, rather than separately.⁵

Figure 1.

SIS in power plant steam turbine.

Figure 2.

SIS components.

Risk is a combination of probability and severity of a hazard occurring, which is influenced by environment, equipment, and human factors. The probability of a hazard occurring is related to equipment failures. Therefore, it is necessary to comprehensively analyze equipment failures.⁸

Previous research on the analysis of safety and security in fieldbus safety transmitters has primarily focused on assessing functional safety. Traditional methods, such as Fault Trees, have been used to identify causal factors,⁹ but the complex logic may pose challenges in calculating the probability of top-level events.¹⁰ Similarly, Hazard and Operability (HAZOP) analysis identifies potential hazards through analyzing failure modes and their related effects, with results presented in the form of guiding words.¹¹ Layers of Protection Analysis (LOPA) provides a semi-quantitative approach to assess hazard scenarios and describe related risks.⁴ Unfortunately, these approaches ignore the security vulnerabilities of fieldbus safety transmitters and the potential consequences they may cause, potentially resulting in system failures. In addition, existing analysis methods for cyber-attack threats, including Analytic Hierarchy Process (AHP),¹² Event Trees,¹³ steady-state vulnerability assessment (SSVA),¹⁴ and Attack Trees,¹⁵ mainly focus on assessing network attack threats. These methods are not sufficient to comprehensively addressing the critical research trend of integration analysis random failure and cyber-attack failure.

In order to address this knowledge gap, researchers have explored innovative approaches to integrate safety and security analysis. Sulaman et al. used STPA to address risk issues.¹⁶ Unlike traditional risk analysis methods, STPA is not limited to potential attacks, it focuses on identifying and controlling system vulnerabilities.¹⁷ Young and Leveson proposed the STPA-Sec method, utilizing STPA to analyze cybersecurity loss scenarios.¹⁸ Friedberg et al. proposed the STPA-SafeSec method to analyze the integration of safety and security.¹⁹ This method is only used for qualitative analysis of systems. Fovino et al. proposed a method that combines Fault Trees and Attack Trees (FT&AT) to simulate risks in systems,²⁰ with the goal of the attack trees being the event of the fault tree. In 2013, Steiner and Liggesmeyer proposed Component Fault Trees and Attack Trees, which are more suitable for simulating large-scale systems.²¹ FT&AT provides a lucid and easily comprehensible logic for both qualitative and quantitative analysis, without a numerical case study. Terje Aven et al. proposed a unified analysis framework for analyzing risks and vulnerabilities in safety and security, particularly suitable for the early stages of systems engineering such as concept and requirement determination.²² While this method can reduce analysis time and cost, it may be prone to incomplete analysis and the omission of key elements.²³ This poses challenges in comprehensively assessing the integration level of functional safety and security of equipment. Currently, there is no comprehensive framework for analyzing random failures and cyber-attack failures, which includes qualitative analysis and quantitative analysis.

Traditional failure analysis for SIS only considered random failure and system failure.^1,24 Safety instrumented systems are currently subjected to various failure modes. Most studies focused on random failure analysis.²⁵ Research on the integration analysis approach of functional safety and security is still in its early stages, with most studies focused on conceptual stage.³ However, the impact of cyber-attacks on systems or equipment with functional safety has received relatively little attention.²⁶

The contributions of this paper are described as follows:

• A novel qualitative and quantitative analysis framework for the integration of random failures and cyber-attack failures and their impacts on fieldbus transmitters is proposed.

• The FMEA-IMEA method is used to address the issue of incomplete dimensions in failure mode analysis.

• The extended RBD is presented to address the challenging task of quantitatively analyzing both random failures and cyber-attack failures, providing a solution to a complex analytical problem.

• Through comparative analysis with FMEA, the study clearly reveals the advantages of the FMEA-IMEA method in failure modes and impact analysis, providing a more comprehensive and integrated analysis framework for safety and security assessment in transmitters.

This paper is organized as follows. The proposed framework includes qualitative and quantitative analysis is described in Section 2. The case study of fieldbus pressure transmitter and temperature transmitter is described in Section 3. Finally, the concluding remark is presented in Section 4.

Integrated failure analysis of safety and security of fieldbus transmitters

This paper presents a unified assessment framework which combines both qualitative and quantitative methods. The combination of FMEA and IMEA is used to qualitatively analyze failure modes and their effects in this framework. For quantitative analysis, an extended RBD is employed to establish the relationship between these failure modes. Monte Carlo, RER, and component counting methods are integrated to derive the failure rate of each part. Specifically, the Component Counting method is used to determine the random hardware failure rate, while RER is used to calculate the random communication failure rate. The cyber-attack failure rate is obtained by Monte Carlo simulation. Finally, the integrated failure rate is determined. The assessment framework is illustrated in Figure 3.

Figure 3.

Integrated failure assessment framework for safety and security of fieldbus transmitters.

Qualitative analysis of integration of random failures and cyber-attack failures

FMEA¹⁶ is used to identify both existing and potential failure modes, causes, and consequences of a system or its users.²⁷ IMEA is used to identify potential intrusion modes and their impacts. IMEA focuses on possible behaviors, goals, and intentions of attackers to identify the threats.²⁸

In this study, FMEA is utilized to analyze the impact of random failures of transmitter and fieldbus. The results are summarized in Table 1. The use of fieldbus of transmitters will introduce the vulnerabilities of malicious attack, encompassing active attack mode such as tampering attack, denial of service attack, replay attack, and jamming attack, as well as passive attack mode including eavesdropping attack, Illegal access, and data flow analysis. IMEA is applied to analyze malicious attacks, intrusion modes, and harm, as illustrated in Table 1.^16,29 By combining FMEA and IMEA, the FMEA-IMEA method is proposed to address the problem of incomplete failure mode analysis. Compared with methods such as FMEA and HAZOP, this method can provide a more comprehensive analysis of failure modes and effects.

Table 1.

Integrated failure modes and influences of fieldbus transmitters.

Failure domain	Nature and type of failure/intrusion		Cause	Influence
				Hardware	Data	Transmitter	SIS
Hardware	Random		Sensor or data acquisition element failed	Crash	-	No collection signal or data error	Dangerous failure
			Data process MCU failed or interfered		Data error	Data process MCU failed
			Data process internal storage element failed or interfered		Data loss	Internal storage failed
			External storage element failed or interfered		Data loss	External storage failed
			Power module failed	Hang up	-	Power supply unstable or exceeds the threshold
Communication network	Random	Corruption	Communication fault or interfered	-	Data error	Communication transmission failed, and the intelligent transmitter abnormal	Dangerous failure
		Disorder
		Delay
		Loss			Data loss
		Repetition			Data error
		Insertion			Data error
		Addressing error			Data loss
	Malicious	Tamper	Encryption and authentication mechanism insufficient	-	Violate confidentiality and integrity	Abnormal	Dangerous failure
		Replay	Authentication mechanism weak	-	Violate availability	Abnormal
		DOS	Instrument protection weak	Hang up		Unavailable
		Interference	Instrument protection weak	-		Communication blocked
		Eavesdrop	Authentication mechanism weak		Violate confidentiality	No impact
		Illegal access			Violate availability
		Data stream analysis			Violate availability

Integrated quantitative analysis of safety and security

Reliability Block Diagram is an effective tool for analyzing the integration of random failures and cyber-attack failures of fieldbus transmitters. This approach has the characteristics of clear logical relationships, simple models, comprehensibility, and portability. Fieldbus safety transmitter includes two essential parts: transmitter and fieldbus, as shown in Figure 4.

Figure 4.

Composition diagram of the fieldbus transmitter.

Fieldbus failures include potential failures of communication and cyber-attacks, as illustrated in Figure 5. These failures can be classified into safe failures and dangerous failures, as described in Reference.²⁴ Safe failures can’t endanger or disable safety-related systems. Conversely, dangerous failures put these systems in a potentially hazardous state or a state of loss of function. In high demand or continuous mode, dangerous failures of the fieldbus safety transmitter need to be taken into account. Dangerous failures include detected dangerous failure (λDD) and undetected dangerous failure (λDU). The relationship between these two types of failure is presented in formulas (1)–(5) and the notations are shown in Table 2.

λ_{D} = α λ_{D_hardware} \oplus β λ_{D_{_com}}

(1)

λ_{D_hardware} = λ_{DD_hardware} \otimes λ_{DU_hardware}

(2)

λ_{D_{_com}} = λ_{D D_{_safety}} \otimes λ_{D U_{_safety}} \otimes λ_{D D_{_security}} \otimes λ_{D U_{_security}}

(3)

Figure 5.

Reliability block diagram of the fieldbus transmitter.

Table 2.

The notations of RBD.

Notation	Definition
$α$ , $β$	The weight of hardware failures or fieldbus failures
$λ_{D}$	Dangerous failure rate per hour
$λ_{D_hardware}$	Dangerous failure rate of hardware random failures per hour
$λ_{DU_hardware}, λ_{DD_hardware}$	Undetected dangerous failure rate/detected dangerous failure rate of hardware random failures per hour
$λ_{D_{_com}}$	Dangerous failure rate of fieldbus per hour
$λ_{DU_safety}, λ_{DD_safety}$	Undetected dangerous random failure rate/detected dangerous random failure rate of fieldbus per hour
$λ_{DU_security}, λ_{DD_security}$	Undetected dangerous attack failure rate/detected dangerous attack failure rate of fieldbus per hour

Analysis of random hardware failures

Transmitter hardware typically comprises power supply unit, data acquisition unit (or input part), data processing unit (logic operation), and output unit. The random hardware failure rate of the transmitter is determined by the failure rate of each part, which is made up of various electronic components. In this paper, the Component Counting method is used to derive the random failure rate of the transmitter.³⁰ According to this approach, the random failure rate is the sum of the failure rates of all individual components.

λ_{DU_hardware} = \sum_{i = 1}^{N} λ_{DU_par t_{i}}

(4)

λ_{DD_hardware} = \sum_{i = 1}^{N} λ_{DD_par t_{i}}

(5)

λ_{DU_part} = \sum_{j = 1}^{M} λ_{DU_componen t_{j}}

(6)

λ_{DD_part} = \sum_{j = 1}^{M} λ_{DD_componen t_{j}}

(7)

N is the number of parts of the transmitter.

M is the number of components of the part in a transmitter.

Failure analysis of fieldbus

Failures analysis of communication

RER is used to derive the failure rate of communication.³¹ This approach relies on the communication message structure, as illustrated in Table 3). In order to guarantee functional safety of communication, a lot of measures are used, such as redundancy, time stamp, sequence number, and CRC.³¹ This method starts from four perspectives: integrity errors, timeliness errors, authenticity errors, and masquerade errors. This process consists of formula (8)–(15), with parameters listed in Table 4.

LT = LT (1) + LT (2)

(8)

R_{CRC} (P_{e}) \approx 2^{- r} \times \sum_{k = d_{\min}}^{n} (\begin{matrix} n \\ k \end{matrix}) \times ({P_{e}}^{k} \times (1 - P_{e})^{n - k})^{2}

(9)

R R_{I} = R P_{I} \times v \times R P_{U} \times R P_{FSCP}

(10)

R R_{T} = 2^{- LT} \times ω \times R_{T} \times R P_{FSCP}

(11)

R R_{A} = 0

(12)

R R_{M} = 2^{- LT} \times ω \times 2^{- r} \times 2^{- LR} \times R P_{U} \times R_{m}

(13)

λ_{SC} = R R_{I} + R R_{A} + R R_{T} + R R_{M}

(14)

Table 3.

Composition of communication messages.

Sequence number	Time stamp	Data	CRC	Sequence number	Time stamp	Data	CRC
$LT (1)$	$LT (2)$	$n$	$r$	$LT (1)$	$LT (2)$	$n$	$r$

Table 4.

Definition of items used for RER.

Equation items	Definition
$R_{CRC} (P_{e})$	Residual error probability for CRC polynomials
$P_{e}$	Bit error probability
$R R_{I}$ , $R P_{I}$	Residual error rate/probability for data integrity
$v$	Maximum sample rate of the safety communication layer per hour
$R P_{U}$	Residual error probability for other unique fields
$R P_{FSCP}$	Residual error probability for communication protocol’s unique measure, not used in this case
$R R_{T}$ \ $R R_{A} \ R R_{M}$	Residual error rate for timeliness/authenticity/masquerade errors
$ω$	Range of values of accepted time stamps or sequence numbers for receiving safety messages
$R_{T}, R_{m}$	Occurrence rate of out-of-sequence/masquerading safety messages
$LR$	Bit length of the repeated part in the safety message
$λ_{SC}$	Residual error rate per hour of the safety communication channel
m	Maximum number of logical connections that is permitted in a single safety function

The residual error rate is obtained.

λ_{SCL} = λ_{SC} \times m

(15)

The residual error rate of communication is the undetected dangerous failure rate.

λ_{DU_safety} = λ_{SCL}

(16)

Failure analysis of cyber-attack

In this study, Monte Carlo simulation³² is used to quantitatively analyze the failure rate of cyber-attacks. This method is less susceptible to human factors and provides a more accurate depiction of the actual situation. Monte Carlo simulation predicts the behavior or outcome of complex systems through random sampling.¹³ In this paper, the probability of cyber-attack events occurrence is estimated using random sampling. Commonly used random distribution functions include binomial distribution, Poisson distribution, normal distribution, and uniform distribution. Random distribution function of cyber-attack modes, as listed in Table 1, are shown in Table 5.

Table 5.

Attack modes and their suitable random distribution function.

Attack	Random function
Tampering attack	Normal
Replay attack	Uniform
DOS	Poisson
Jamming attack	Normal
Eavesdropping attack	Poisson
Illegal access	Binomial

Tampering attacks can change the transmitted message, leading to changes in the transmission outcome.³³ Protective measures like CRC can be used to detect some errors caused by tampering attacks. It is assumed that more than $X_{1}$ bytes errors in N bytes of transmitted data can be detected by CRC. However, if the error caused by tempering attacks is less than $X_{1}$ bytes, it might still lead to transmission failures without detection by CRC. A normal distribution is used to simulate the number of changed data.

\begin{matrix} X ~ N (μ, σ) \\ {\begin{matrix} X < X_{1} Tampering attack successful \\ X > X_{1} Tampering attack failed \end{matrix} \end{matrix}

A replay attack is a form of malicious activity in which the attacker repeatedly transmits the same message to deceive the network system.¹³ Uniform distribution ensures that each packet has an equal chance of being selected. The number of occurrences of a packet follows a uniform distribution, denoted by X. A replay attack is considered successful if the packet is repeated two or more times.

\begin{matrix} X ~ U (0, p * N) \\ {\begin{matrix} X is repeated twice or more replay attack succeeded \\ X appears once or not replay attack failed \end{matrix} \end{matrix}

A denial-of-service (DOS) attack is a malicious action in which the attacker sends a large number of requests to the receiver of originally secure communication in a short period.⁵ This attack causes communication resources exhaustion and communication interruption. The Poisson distribution is employed as a probability distribution to describe the frequency of occurrences of a random event per unit time. It can be used to simulate the number of attack requests within a unit of time. In this case, it is assumed that there is an average of 500 requests per second, with a threshold denoted as $X_{2}$ . If the number of requests is greater than $X_{2}$ , a successful DOS attack is considered to have occurred.

{\begin{matrix} X > X_{2} DOS attack successful \\ X < X_{2} DOS attack failed \end{matrix}

Jamming attacks typically arise from noise generated by malicious actors, leading to communication interruption.¹³ The frequency of the noise follows a normal distribution with a mean of μ and a standard deviation of $σ$ . If the frequency of noise denoted as X, exceeds the threshold $X_{3}$ , jamming attacks will cause damage to the transmitted information or potentially disrupt the communication process.

\begin{matrix} X ~ N (μ, σ) \\ {\begin{matrix} X > X_{3} jamming attack successful \\ X < X_{3} jamming attack failed \end{matrix} \end{matrix}

An eavesdropping attack is a malicious behavior in which an attacker obtains the communication content by monitoring communication transmission lines or stealing data packets.³⁴ This attack will cause harm when the number of stolen data exceeds a certain value. It is appropriate to use Poisson distribution to simulate the number of stolen packets per unit time. Assuming that the average transmission rate between the two communication parties is 50 packets per second, an eavesdropping attack³⁵ will succeed, if more than $X_{4}$ packets are stolen.

{\begin{matrix} X > X_{4} eavesdropping attack successful \\ X < X_{4} eavesdropping attack failed \end{matrix}

Illegal access has two outcomes: either it succeeds or fails.¹⁹ Therefore, the binomial distribution is appropriate for simulating the probability of illegal access occurrence. As data flow analysis attacks⁸ are founded on eavesdropping attacks, failures caused by data flow analysis attacks can be included in failures caused by eavesdropping attacks, and do not need to be simulated separately.

X ~ B (n, p)

Case study

Taking the experimental platform of SIS as an example, the fieldbus pressure transmitter and fieldbus temperature transmitter are analyzed, as shown in Figure 6. Pressure transmitters and temperature transmitters are critical sensor devices widely used in the industry. Pressure transmitters play a crucial role in monitoring and measuring pressure changes within systems, finding applications in industrial automation, liquid level control, and power systems. Within industrial automation, pressure transmitters guarantee the maintenance of pressure within pipelines and containers at a safe range, ensuring the smooth progression of production processes. In the power system, pressure transmitters are used to monitor oil-immersed transformers and gas-insulated switchgear.³⁶

Figure 6.

Experimental platform of SIS: (a) One of transmitters: Pressure transmitter; (b) One of transmitters: Temperature transmitter.

Temperature transmitters are used to measure and transmit temperature information within a system. During the process of industrial production, they are used to ensure precise temperature control to improve product quality and production efficiency. Within thermal systems, temperature transmitters are used to monitor the temperature of pipelines and equipment, providing accurate temperature feedback for heating and cooling systems. In power systems,³⁷ temperature transmitters play a crucial role in real-time temperature monitoring of generator cooling systems and high-voltage switchgear, preventing equipment overheating and malfunction.³⁸

Pressure transmitter

NCS-PT105H-FS PROFISafe Intelligent Pressure Transmitter (Figure 6(a)) is used as an example for analysis. The SIL target for the equipment is SIL3, considering its application in oil pipelines.

The fieldbus pressure transmitter is composed of data acquisition unit, data process unit and power supply unit. Component parameters are determined according to the actual condition in industrial production and relevant standards,³⁰ as shown in Table 6. Sequence number, timestamp, redundancy and CRC are used in PROFISafe. The message structure is shown in Table 7.

Table 6.

The dangerous failure rate of each component.

Part	Component	$λ_{DU}$ (/h)	$λ_{DD}$ (/h)
Data acquisition	Sensor	3.62E-08	3.26E-07
	Collection	1.24E-09	1.12E-08
	Temperature	1.95E-09	5.19E-09
	CPU1	1.20E-09	1.08E-08
Data process	CPU2	1.20E-09	1.08E-08
Data process	SRAM	6.90E-10	6.82E-08
Power and isolation	Collection power	7.20E-10	6.49E-09
	Transform	6.30E-10	5.63E-09
	Process power	1.25E-09	1.13E-08

Table 7.

The message structure for safety communication.

Sequence number	Time stamp	Data	CRC	Sequence number	Time stamp	Data	CRC
4	8	10	4	4	8	10	4

According to formula (6) and formula (7), the random failure rate of all parts is obtained by the following formulas.

λ_{DU_acq} = λ_{D U_{_sensor}} + λ_{DU_col} + λ_{DU_tem} + λ_{DU_cpu 1}

λ_{DU_process} = λ_{DU_cpu 2} + λ_{DU_sram}

λ_{DU_power} = λ_{DU_col_power} + λ_{DU_trans} + λ_{DU_pro_power}

λ_{DD_acq} = λ_{D D_{_sensor}} + λ_{DD_col} + λ_{DD_tem} + λ_{DD_cpu 1}

λ_{DD_process} = λ_{DD_cpu 2} + λ_{DD_sram}

λ_{DD_power} = λ_{DD_col_power} + λ_{DD_trans} + λ_{DD_pro_power}

λ_{DU_hardware} = λ_{DU_acq} + λ_{DU_process} + λ_{DU_power}

λ_{DD_hardware} = λ_{DD_acq} + λ_{DD_process} + λ_{DD_power}

So, $λ_{DU_hardware} = 4.51 E - 08 (/ h)$ , $λ_{DD_hardware} = 4.55 E - 07 (/ h)$ .

According to the above message structure, the undetected dangerous failure rate is obtained.

λ_{DU_safety} = 1.02 E - 15 (h^{- 1})

In 2020, there were more than two million recorded cases of malicious cyber-attack originating from overseas.³⁹ The National Industrial Security Development Research Center tracked and disclosed nine domestic industrial security events. The data mentioned above is used using Monte Carlo simulation to determine the probability of occurrence for each attack mode.

MATLAB is used for Monte Carlo simulation to model the failure scenarios of fieldbus transmitters under different mode of attack. Through a review of relevant literature, parameters are defined (see details in Table 8), which serve as inputs for the Monte Carlo simulation. The initial probability for each attack mode is set at 7.5E-07/h.

Table 8.

Parameter settings in the Monte Carlo simulation.

Attack	Tampering attack			Replay attack		DOS
Parameters	$μ$	$σ$	$X_{1}$	$p$	$N$	$X_{2}$
Parameters	50	10	3	7.5E-07	1E08	610
Attack	Jamming attacks			Eavesdropping attack		Illegal access
Parameters	$μ$	$σ$	$X_{3}$	$X_{4}$		$n$	$p$
Parameters	50	10	95	10		1E07	7.5E-07

In Monte Carlo simulation, if an attacker modifies some data without detection, the tampering attack is considered successful. The failure rate of replay attack is estimated based on the initial probability of attack occurrence. For the DOS attack simulation, Poisson distribution is applied to simulate the number of attack requests. A normal distribution is used to simulate the frequency of noise in the jamming attack. The noise frequency is assumed to be an average of 50 and a standard deviation of 10. When the noise frequency exceeds 95 Hz, it will cause harm to the communication process. When an eavesdropping attack succeeds, it is assumed that more than 10 data items are monitored. In the illegal attack simulation, a binomial distribution is used to simulate the probability of successful illegal attack to obtain the probability of pressure transmitter failures caused by illegal attacks.

After five simulation experiments for each attack, the average cyber- attack failure rate is obtained, as shown in Table 9.

Table 9.

Experimental results from 5 Monte Carlo simulations.

Attack	Results					Average
Attack	1	2	3	4	5	Average
Tampering attack	1.0000E-06	4.0000E-06	2.0000E-06	2.0000E-06	1.0000E-06	2.0000E-06
Replay attack	1.9815E-07	1.9817E-07	1.9800E-07	1.9812E-07	1.9817E-07	1.9812E-07
DOS	4.0000E-06	6.0000E-06	3.0000E-06	8.0000E-06	4.0000E-06	5.0000E-06
Jamming attacks	2.0000E-06	1.0000E-06	6.0000E-06	1.0000E-06	1.0000E-06	2.2000E-06
Eavesdropping attack	7.8820E-01	7.7130E-01	7.4610E-01	7.9900E-01	8.2820E-01	7.8656E-01
Illegal access	4.0000E-07	9.0000E-07	5.0000E-07	1.0000E-06	2.0000E-07	6.0000E-07

Passive attacks do not have a direct impact on fieldbus transmitters. The failure rate of undetected cyber-attacks is only from active attacks.

λ_{DU_security} = 9.40 E - 06 (h^{- 1})

Following Monte Carlo simulation, the calculated failure rate exceeds the probability of fault events disclosed by the organization. It indicates that there are still many undisclosed fault events in industrial control systems. The simulation results reveal that eavesdropping attacks pose a significant threat and may lead to major accidents.

According to formula (1)–(3), the following formula is obtained.

λ_{DU} = 1 - (1 - λ_{D U_{hardware}}) (1 - λ_{D U_{safety}}) (1 - λ_{DU_security})

Dangerous failure rates of fieldbus pressure transmitters are determined and presented in Table 10.

PFH = λ_{DU} = 9.34 E - 06 (h^{- 1}) (SIL 1)

Table 10.

Failure rates of the fieldbus pressure transmitter.

	$λ_{DU} (h^{- 1})$	$λ_{DD} (h^{- 1})$
Hardware	4.51E-08	4.55E-07
Communication	1.02E-15	-
Security	9.40E-06	-
Total	9.40E-06	$4.55 E - 07$

Without considering failures caused by cyber-attacks, the PFH is $4.55 E - 08 h^{- 1}$ , which meets SIL3 requirements.

Considering all kinds of failures, the PFH is $9.34 E - 06 h^{- 1}$ , which is increased by 50 times. This value corresponds to the functional safety integrity level of SIL1.

Temperature transmitter

NCS-TT105H-FS PROFISafe Intelligent Temperature Transmitter is used as an example for analysis, as shown in Figure 4(b). The target for this system is SIL3, which is determined based on the specific application field where the transmitter is deployed – oil pipelines.

Fieldbus temperature transmitters consist of three key components: an input unit, a logic operation unit, and an output unit. The parameters are determined based on the actual situation of industrial production and relevant standards,³⁰ as shown in Table 11.

λ_{DU_input} = λ_{DU_AD_MCU} + λ_{DU_AD}

λ_{DD_input} = λ_{DD_AD_MCU} + λ_{DD_AD}

λ_{DU_\log_operation} = λ_{DU_MCU} + λ_{DU_power}

λ_{DD_\log_operation} = λ_{DD_MCU} + λ_{DD_power}

λ_{DU_output} = λ_{DD_DA} + λ_{DD_output}

λ_{DD_output} = λ_{DD_DA} + λ_{DD_output}

λ_{DU_hardware} = λ_{DU_input} + λ_{DU_\log_operation} + λ_{DU_output}

λ_{DD_hardware} = λ_{DD_input} + λ_{DD_\log_operation} + λ_{DD_output}

Table 11.

Dangerous failure rates of each component.

Part	Component	$λ_{DU}$ (/h)	$λ_{DD}$ (/h)
Input	AD MCU	1.2 E-09	1.08 E-08
Input	A/D	7.58 E-09	9.763 E-08
Logical operation	MCU	1.2 E-09	1.08 E-08
Logical operation	Power	2.196 E-09	5.4 E-09
Output	D/A	7.77 E-10	7.19 E-08
Output	Output circuit	2.02 E-10	0

So, $λ_{DU_hardware} = 1.32 E - 08 (/ h)$ , $λ_{DD_hardware} = 1.97 E - 07 (/ h)$ .

The fieldbus pressure transmitter and the fieldbus temperature transmitter are located in the same safety instrumented system. In both case studies, the communication protocol is the same and the network attack situation is the same.

λ_{DU_safety} = 1.02 E - 15 (h^{- 1})

λ_{DU_security} = 9.40 E - 06 (h^{- 1})

PFH = λ_{DU} = 9.40 E - 06 (h^{- 1}) (SIL 1)

In the Table 12, without considering failures caused by cyber-attacks, the PFH is 1.32E-08 $h^{- 1}$ , which meets SIL3 requirements.

Table 12.

The failure rate of the fieldbus temperature transmitter.

	$λ_{DU} (h^{- 1})$	$λ_{DD} (h^{- 1})$
Hardware	1.32E-08	1.97E-07
Communication	1.02E-15	-
Security	9.40E-06	-
Total	9.40E-06	1.97E-07

Considering random failures and cyber-attack failures, the PFH is $9.40 E - 06 h^{- 1}$ , which is increased by 50 times. This value corresponds to the functional safety integrity level of SIL1.

Comparison experiment

For the sake of proving the high-performance of the FMEA-IMEA method, an experiment is conducted for comparison. The results of comparison experimental are shown in Figure 7. The FMEA-IMEA method comprehensively analyzes the failure modes of pressure transmitters and identifies 19 types. However, the traditional FMEA method only identifies 12 types of failure modes. In Figure 8, compared to FMEA, FMEA-IMEA includes a broader range of impact types from the impact on hardware, data, pressure transmitters, and SIS. Therefore, it can be concluded that compared to FMEA, the FMEA-IMEA method provides a more comprehensive analysis of failure modes and their impacts on pressure transmitters.

Figure 7.

Numbers of failure modes from FMEA-IMEA and FMEA.

Figure 8.

Numbers of effect types from FMEA-IMEA and FMEA.

Results and discussion

In both cases, the failure rate of the transmitter is most affected by cyber-attack failures. It can be asserted that the safety integrity level of the transmitter is completely affected by these attacks. Comparative analysis with FMEA reveals FMEA-IMEA method provides a more comprehensive analysis of the failure modes and effects of fieldbus transmitters. Cyber-attack failures have a significant impact on overall safety level. It is inaccurate to exclude cyber-attack failures from existing research.

The failure rate obtained from big data statistics is too optimistic, and the actual situation may be more serious than expected. Therefore, the overall safety level discussed in this paper may be overly idealistic.²³

In order to select an appropriate random distribution function in Monte Carlo simulation, various factors need to be considered, including the attacker’s strategy and goals. However, after considering these factors, the complexity of the simulation process will be increased.⁴⁰

Conclusion

Traditional failure analysis approaches associated with safety and security tend to be independent process.²⁴ However, with the development of equipment network processes, security issues can directly impact the physical safety of equipment. It is necessary to consider both functional safety and security failures in SIS. A novel and comprehensive analysis framework is proposed to study the influence of random failures and cyber-attack failures on safety transmitters. This framework includes qualitative and quantitative method for functional safety and security analysis. Considering the failure of attack, the FMEA-IMEA method is more comprehensive than traditional analysis methods, as verified through a comparison with FEMA. The RBD is extended to determine the quantitative relationship between random failures and cyber-attack failures. The feasibility of the framework is validated by analyzing the fieldbus pressure transmitter and the fieldbus temperature transmitter. Experimental results demonstrate that malicious cyber-attacks pose a significant threat to fieldbus transmitters, leading to a reduction in the safety integrity level from SIL3 to SIL1. The proposed framework provides guidance and decision support for ensuring functional safety and security in SIS.

Future exploration in this domain will focus on optimizing the configuration of functional safety barriers and security measures. Possible measures for exploration may include Trusted Platform Modules^41,42 and intrusion detection system.⁴³ Through the rational configuration, these measures aim to mitigate the harm caused by cyber-attacks on fieldbus transmitters, ultimately improving their overall safety and security levels.

Footnotes

Declaration of conflicting interests

The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.

Funding

The author(s) disclosed receipt of the following financial support for the research, authorship, and/or publication of this article: This work is supported by the National Key Research and Development Program 2021YFB2012302.

ORCID iD

Xiufang Zhou

References

Brissaud

Folleau

de Cournuaud

. Reliability and availability models for ageing safety-related systems. J Loss Prev Process Ind 2022; 75. DOI: 10.1016/j.jlp.2021.104712

Chen

Reniers

Khakzad

. Integrating safety and security resources to protect chemical industrial parks from man-made domino effects: a dynamic graph approach. Reliab Eng Syst Saf 2019; 191: 106470.

Kriaa

Pietre-Cambacedes

Bouissou

, et al. A survey of approaches combining safety and security for industrial control systems. Reliab Eng Syst Saf 2015; 139: 156–178.

Ouazraoui

Nait-Said

Bourareche

, et al. Layers of protection analysis in the framework of possibility theory. J Hazard Mater 2013; 262: 168–178.

Martin

Schmittner

, et al. Combined automotive safety and security pattern engineering approach. Reliab Eng Syst Saf 2020; 198. DOI: 10.1016/j.ress.2019.106773

Jin

Lundteigen

Rausand

. Reliability performance of safety instrumented systems: A common approach for both low- and high-demand mode of operation. Reliab Eng Syst Saf 2011; 96: 365–373.

Piesik

Śliwiński

Barnert

. Determining and verifying the safety integrity level of the safety instrumented systems with the uncertainty and security aspects. Reliab Eng Syst Saf 2016; 152: 259–272.

Yang

S-H

Cao

, et al. Harmonizing safety and security risk analysis and prevention in cyber-physical systems. Process Saf Environ Prot 2021; 148: 1279–1291.

Kaiser

Peter

Mäckel

. A new component concept for fault tree. In: Proceedings of the 8th Australian workshop on Safety critical systems and software, Canberra, 2003, pp. 37–46.

10.

Peeters

JFW

Basten

RJI

Tinga

. Improving failure analysis efficiency by combining FTA and FMEA in a recursive manner. Reliab Eng Syst Saf 2018; 172: 36–44.

11.

Crawley

Tyler

. HAZOP: Guide to Best Practice. London: Elsevier, 2015.

12.

Kumar

Pant

. Analytical hierarchy process for sustainable agriculture: an overview. MethodsX 2023; 10: 101954.

13.

Srivatanakul

. Security analysis with Deviational Techniques. York: University of York, 2005.

14.

Chen

Mohamed

Dampage

, et al. A multi-layer security scheme for mitigating smart grid vulnerability against faults and cyber-attacks. Appl Sci 2021; 11: 9972.

15.

Ingoldsby

. Attack tree threat risk analysis. Report, Amenaza Technologies Limited, Canada, 2010.

16.

Sulaman

Beer

Felderer

, et al. Comparison of the FMEA and STPA safety analysis methods–a case study. Softw Qual J 2019; 27: 349–387.

17.

Liu

Zhou

. Integrated failure analysis for intelligent instruments with dynamic causal diagrams. Chin J Sci Instrum 2022; 43: 131–139.

18.

Young

Leveson

. An integrated approach to safety and security based on systems theory. Commun ACM 2014; 57: 31–35.

19.

Friedberg

McLaughlin

Smith

, et al. STPA-SafeSec: safety and security analysis for cyber-physical systems. J Inf Secur Appl 2017; 34: 183–196.

20.

Nai Fovino

Masera

De Cian

. Integrating cyber attacks within fault trees. Reliability Engineering & System Safety 2009; 94: 1394–1402. DOI: 10.1016/j.ress.2009.02.020.

21.

Steiner

Liggesmeyer

. Combination of safety and security analysis finding security problems that threaten the safety of a system. In: SAFECOMP 2013, International Conference on Computer Safety, Reliability and Security, Toulouse, France, 2013, pp.233–240.

22.

Aven

. A unified framework for risk and vulnerability analysis covering both safety and security. Reliability Engineering & System Safety 2007; 92: 745–754. DOI: 10.1016/j.ress.2006.03.008.

23.

Bartnes

. Safety vs. Security? In: Proceedings of the eighth international conference on probabilistic safety assessment & management (PSAM). 2006, pp.1202–1210.

24.

IEC 61508-6-2010. Functional safety of electrical/electronic/programmable electronic safety-related systems.

25.

Alanen

Linnosmaa

Malm

, et al. Hybrid ontology for safety, security, and dependability risk assessments and security threat analysis (STA) method for industrial control systems. Reliab Eng Syst Saf 2022; 220. DOI: 10.1016/j.ress.2021.108270

26.

Śliwiński

Piesik

. Integrated functional safety and cyber security analysis. IFAC-PapersOnLine 2018; 51: 1263–1270.

27.

IEC/ISO 60821. Analysis techniques for system reliability–procedure for failure mode and effects analysis (FMEA).

28.

Kharchenko

Furmanov

Gorbenko

. Intrusion Tolerance of web-systems: IMEA-analysis and multiversion architecture. Радиоэлектроника и компьютерная система 2006; 7: 23–27.

29.

Babeshko

Kharchenko

Gorbenko

. Applying F(I)MEA-technique for SCADA-based industrial control systems dependability assessment and ensuring. In; 2008 Third international conference on dependability of computer systems DepCoS-RELCOMEX, 2008, pp.309–315.

30.

IEC TR 62380. reliability data handbook - universal model for reliability prediction of electronic components, PCBs and equipment.

31.

IEC 61784-3. Industrial communication networks-functional safety fieldbuses profiles- general rules and profile definition.

32.

Rubinstein

Kroese

R, P, D

, Simulation and the Monte Carlo method. Hoboken, NJ: A John Wiley &Sons, 2008.

33.

Varadharajan

Bajpai

. Chronicles of security risk assessment in process industries: Past, present and future perspectives. J Loss Prev Process Ind 2023; 84. DOI: 10.1016/j.jlp.2023.105096

34.

Torok

Szalay

Saghi

. New aspects of Integrity Levels in automotive industry-cybersecurity of automated vehicles. IEEE Trans Intell Transp Syst 2022; 23: 383–391.

35.

Agrawal

Kumar

. Security Perspective Analysis of Industrial Cyber Physical Systems (I-CPS): a decade-wide survey. ISA Trans 2022; 130: 10–24.

36.

Liu

Yuan

Gong

, et al. Adaptive spectral trend based optimized EWT for monitoring the parameters of multiple power quality disturbances. Int J Electr Power Energy Syst 2023; 146. DOI: 10.1016/j.ijepes.2022.108797

37.

Wang

, et al. An effective method for sensing power safety distance based on monocular vision depth estimation. Int Trans Electr Energy Syst 2023; 2023: 1–16.

38.

Wang

Zhou

, et al. An effective risk identification method for power fence operation based on neighborhood correlation network and vector calculation. Energy Rep 2021; 7: 6995–7003.

39.

Pinto

Dragoni

Carcano

. TRITON: the first SIS cyber attack on safety instrument system. In: Black Hat USA, Mandalay Bay, Las Vegas, 2018.

40.

IEC 62443. Security for industrial automation and control systems.

41.

Chiu

W-Y

Meng

. NoSneaky: a blockchain-based execution integrity protection scheme in industry 4.0. IEEE Trans Ind Inform 2023; 19: 7957–7965.

42.

Huang

Cao

, et al. Defending data poisoning attack via trusted platform module and blockchain oracle. In: ICC 2022 - IEEE international conference on communications, 2022, pp.1245–1250. New York: IEEE.

43.

Liu