Safety Considerations

Planning

ICS security testing carries unique risks not present in traditional IT pentesting. Physical safety, environmental protection, and operational continuity must be primary concerns.

Life Safety Systems

Never test safety-instrumented systems (SIS), emergency shutdown systems (ESD), or fire suppression systems in production without explicit approval from process safety engineers and operational leadership. These systems protect human life.

Understanding ICS Risks

Physical Consequences

Human Safety

  • Moving machinery injuries
  • Chemical exposure
  • Electrical hazards
  • Thermal burns
  • Pressure vessel failures

Environmental Impact

  • Chemical spills
  • Air emissions
  • Water contamination
  • Radiation release
  • Waste discharge

Equipment Damage

  • Motor burnout
  • Pump cavitation
  • Turbine overspeed
  • Tank rupture
  • Pipeline stress

Operational Impact

  • Production loss
  • Quality defects
  • Supply chain disruption
  • Regulatory violations
  • Community impact

Safety Instrumented Systems (SIS)

Safety systems exist independently of process control systems to prevent catastrophic events. They must remain untouched during testing.

Safety System Types

  • SIS (Safety Instrumented System)
    Automated system that takes the process to a safe state when unsafe conditions are detected
  • ESD (Emergency Shutdown)
    Rapid shutdown of a process or piece of equipment in an emergency
  • F&G (Fire and Gas)
    Detection and suppression systems for fire and hazardous gas
  • BMS (Burner Management System)
    Safe startup, operation, and shutdown of burners/furnaces
  • HIPPS (High Integrity Pressure Protection)
    Prevents overpressure conditions in pipelines and vessels

SIL Levels (Safety Integrity Levels)

SIL     Risk Reduction    Failure Rate     Example
SIL 1   10-100x           10⁻¹ to 10⁻²     Minor equipment protection
SIL 2   100-1000x         10⁻² to 10⁻³     Process area shutdown
SIL 3   1000-10000x       10⁻³ to 10⁻⁴     Plant-wide safety systems
SIL 4   10000-100000x     10⁻⁴ to 10⁻⁵     Nuclear, aerospace (rare in process)

Separation of BPCS and SIS

Process control (BPCS) and safety systems (SIS) should be separate. If you find them on the same network or controller, this is a critical finding to report - not to exploit.
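The network half of that separation check can be run straight from the client's asset inventory before any host is touched. The Python below is an added example, not code from this page or from any ICS tool: it groups inventory entries by IP subnet and by VLAN and reports every segment where a safety-system asset (SIS, ESD, F&G, BMS, HIPPS) sits next to a BPCS asset. The inventory, hostnames, addresses and VLAN numbers are constructed for the example, and the script only reads the inventory; it sends nothing to the network.

```python
import ipaddress
from collections import defaultdict

# Constructed asset inventory (example data, not from any real plant).
# Each entry carries the asset's role, its address with prefix length, and
# the VLAN it was observed on.
ASSETS = [
    {"name": "BPCS-PLC-01", "role": "BPCS", "ip": "10.10.20.11/24", "vlan": 20},
    {"name": "BPCS-HMI-01", "role": "BPCS", "ip": "10.10.20.50/24", "vlan": 20},
    {"name": "SIS-LOGIC-01", "role": "SIS", "ip": "10.10.20.12/24", "vlan": 20},  # mis-segmented
    {"name": "SIS-LOGIC-02", "role": "SIS", "ip": "10.10.90.12/24", "vlan": 90},  # isolated
    {"name": "ESD-CTRL-01", "role": "ESD", "ip": "10.10.90.13/24", "vlan": 90},
    {"name": "HIST-01", "role": "L3", "ip": "10.10.30.5/24", "vlan": 30},
]

# Roles the page says must never be tested; any of them beside BPCS is a finding.
SAFETY_ROLES = {"SIS", "ESD", "FG", "BMS", "HIPPS"}


def segregation_findings(assets):
    """Return one critical finding per subnet or VLAN that holds both a
    safety-system asset and a BPCS asset. Safety assets are only named in
    the report; nothing is sent to them."""
    by_subnet = defaultdict(list)
    by_vlan = defaultdict(list)
    for asset in assets:
        network = ipaddress.ip_interface(asset["ip"]).network
        by_subnet[network].append(asset)
        by_vlan[asset["vlan"]].append(asset)

    findings = []
    for segment_kind, groups in (("subnet", by_subnet), ("vlan", by_vlan)):
        for segment, members in groups.items():
            safety = sorted(m["name"] for m in members if m["role"] in SAFETY_ROLES)
            bpcs = sorted(m["name"] for m in members if m["role"] == "BPCS")
            if safety and bpcs:
                findings.append({
                    "severity": "critical",
                    "shared": "%s %s" % (segment_kind, segment),
                    "safety_assets": safety,
                    "bpcs_assets": bpcs,
                    "action": "Report to process safety engineering; do not test these hosts.",
                })
    return findings


if __name__ == "__main__":
    for finding in segregation_findings(ASSETS):
        print(finding)
```

With the constructed inventory the check returns two findings, one for the shared subnet 10.10.20.0/24 and one for VLAN 20, both naming SIS-LOGIC-01 beside the two BPCS hosts; the correctly isolated SIS/ESD segment on VLAN 90 produces nothing. A shared controller chassis is not visible in a network inventory, so that part of the check still needs the client's controller documentation.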

Testing Boundaries

What You Should NEVER Test

  • 🚫 Safety instrumented systems (SIS/ESD)
  • 🚫 Fire and gas detection/suppression
  • 🚫 Emergency shutdown systems
  • 🚫 Burner management systems
  • 🚫 Life support systems (hospitals, etc.)
  • 🚫 Systems protecting from catastrophic failure
  • 🚫 Production systems during active operations without explicit approval

Safe Testing Approaches

Recommended Approaches

  • ✅ Use isolated lab environments replicating production
  • ✅ Test during planned outages/shutdowns
  • ✅ Focus on IT/OT DMZ and Level 3+ systems first
  • ✅ Passive reconnaissance and traffic analysis
  • ✅ Configuration review (offline analysis)
  • ✅ Vulnerability assessment without exploitation
  • ✅ Work with process engineers who understand impact

Pre-Engagement Requirements

Essential Documentation

From Client

  • Network diagrams (all levels)
  • Asset inventory
  • Safety system documentation
  • Change management procedures
  • Emergency contacts (24/7)
  • Rollback procedures

Required Approvals

  • Written authorization (legal)
  • IT security sign-off
  • OT/operations sign-off
  • Process safety engineer approval
  • Plant manager authorization
  • Insurance notification (if required)

Rules of Engagement

ROE Must Define

  • ☐ Specific systems in scope and out of scope
  • ☐ Testing windows (time of day, duration)
  • ☐ Types of testing allowed (passive, active, exploitation)
  • ☐ Immediate stop conditions
  • ☐ Communication protocols during testing
  • ☐ Emergency shutdown procedures
  • ☐ On-site support requirements
  • ☐ Backup and restore procedures
  • ☐ Liability and insurance coverage

During Testing

Monitoring Requirements

  • ✓ Operations staff present during active testing
  • ✓ Real-time process monitoring
  • ✓ Immediate communication channel (radio, phone)
  • ✓ Ability to immediately stop testing
  • ✓ Process safety engineer on-call

Stop Conditions

Immediately stop testing and notify operations if:

  • ⚠️ Any process alarm activates unexpectedly
  • ⚠️ Operator reports abnormal behavior
  • ⚠️ Safety system activates
  • ⚠️ Communication with operations is lost
  • ⚠️ System becomes unresponsive
  • ⚠️ Any physical indication of problem (sound, smell, vibration)
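The ROE items above (scope, testing window, permitted test types, stop conditions) and the stop conditions just listed can be enforced mechanically before every test action rather than remembered under pressure. The Python below is an added example, not code from this page or from any tool it mentions: a pre-flight gate that refuses a target unless it clears the never-test list (safety segments and individual safety hosts), the in-scope list, the permitted test mode and the approved window, and that scans the operations/alarm feed for the stop conditions. The ROE values, addresses, tag names and feed lines are constructed placeholders; the keyword list for the feed is an assumption about how a site's alarm text looks and would be tuned with operations staff.

```python
import ipaddress
import re
from datetime import datetime, time

# Constructed rules of engagement (placeholder values, not a real engagement).
ROE = {
    "in_scope": ["10.10.30.0/24", "10.10.40.0/24"],   # Level 3 and IT/OT DMZ
    "never_test": ["10.10.90.0/24"],                  # SIS/ESD segment
    "never_test_hosts": ["10.10.30.200"],             # e.g. a BMS gateway homed on Level 3
    "window": (time(2, 0), time(5, 0)),               # approved outage window (site local time)
    "allowed_modes": {"passive", "active"},           # exploitation not authorised
}

# Feed keyword -> stop condition from the page. Ordered so that a safety-system
# activation is recognised before a generic alarm on the same line.
STOP_CONDITIONS = {
    "TRIP": "safety system activated",
    "ESD": "safety system activated",
    "COMM LOSS": "communication with operations lost",
    "NO RESPONSE": "system unresponsive",
    "OPERATOR REPORT": "operator reports abnormal behaviour",
    "ALARM": "process alarm activated",
}


def in_any(ip, cidrs):
    """True if ip falls inside any of the given CIDR blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def check_scope(target_ip, mode, when, roe=ROE):
    """Return (allowed, reason). The never-test list is checked before the
    in-scope list so a safety host mis-homed inside an in-scope subnet is
    still refused."""
    if in_any(target_ip, roe["never_test"]) or target_ip in roe["never_test_hosts"]:
        return False, "target is a safety/never-test system"
    if not in_any(target_ip, roe["in_scope"]):
        return False, "target not in scope"
    if mode not in roe["allowed_modes"]:
        return False, "test mode '%s' not permitted by ROE" % mode
    start, end = roe["window"]
    if not (start <= when.time() < end):
        return False, "outside approved testing window"
    return True, "ok"


def stop_condition(feed_lines, expected_alarms=()):
    """Return (line, reason) for the first feed line matching a stop condition,
    or None. An alarm is skipped only when its tag is in expected_alarms (an
    alarm the planned shutdown itself raises); any other alarm stops the test."""
    for line in feed_lines:
        upper = line.upper()
        for key, reason in STOP_CONDITIONS.items():
            if not re.search(r"\b%s\b" % re.escape(key), upper):
                continue
            if key == "ALARM" and any(tag.upper() in upper for tag in expected_alarms):
                break  # expected alarm: move on to the next line
            return line, reason
    return None


def preflight(target_ip, mode, when, feed_lines, expected_alarms=(), roe=ROE):
    """Decision for one test action: 'refuse' (ROE violation), 'stop' (stop
    condition seen on the feed) or 'proceed'."""
    allowed, reason = check_scope(target_ip, mode, when, roe)
    if not allowed:
        return "refuse", reason
    hit = stop_condition(feed_lines, expected_alarms)
    if hit:
        return "stop", "%s: %s" % (hit[1], hit[0])
    return "proceed", "ok"


# Constructed operations feed for the example.
FEED = [
    "02:10:00 HIST-01 heartbeat ok",
    "02:12:30 LT-101 LOW LEVEL ALARM (tank drained for outage)",
    "02:15:10 PT-201 HIGH PRESSURE ALARM",
    "02:15:12 SIS-LOGIC-02 TRIP initiated",
]

if __name__ == "__main__":
    now = datetime(2025, 1, 1, 3, 0)
    print(check_scope("10.10.30.5", "active", now))
    print(check_scope("10.10.30.200", "passive", now))
    print(preflight("10.10.30.5", "active", now, FEED, expected_alarms=("LT-101",)))
```

Wire `preflight` in front of whatever drives the test so that a "refuse" or "stop" result aborts the action and pages the on-site contact; a "stop" should also be logged with the feed line that triggered it, since that line is the evidence operations will ask for.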

Lab Environment Recommendations

Building an ICS lab is essential for safe testing and skill development.

Lab Components

  • Virtual PLCs: Siemens PLCSim, Codesys (free), OpenPLC
  • SCADA Simulators: GRFICSv2, SWaT, DVCP
  • HMI Software: Ignition (trial), ScadaBR (open source)
  • Physical PLCs: Used Allen-Bradley, Siemens S7-1200 ($100-300)
  • Process Simulators: Tank level, motor control demos
  • Network Equipment: Managed switches, firewalls for segmentation

Training Platforms

Consider platforms like SANS ICS courses, which include virtual ICS labs, or the CISA ICS-CERT virtual training environment for hands-on practice.

Reporting Safety Issues

When you find safety-related vulnerabilities, handle them differently than IT findings.

Safety Finding Requirements

  • Report immediately - don't wait for the final report
  • Escalate to process safety, not just IT security
  • Document potential physical consequences
  • Reference relevant safety standards (IEC 61511, NFPA)
  • Recommend compensating controls until fixed
  • Consider regulatory reporting requirements