Safety strategy for critical infrastructure and critical industries – APPAU initiatives
The situation in critical infrastructure and critical industries in Ukraine remains extremely tense and, if escalation continues, will lead to a complete shutdown of economic activity in certain cities and regions, as well as to a deepening of the humanitarian crisis. The Association of Industrial Automation of Ukraine (APPAU) is mobilizing its members and, together with partners from the EU, is looking for prevention options and developing an anti-crisis action plan. At the same time, APPAU experts are aware that the most effective measures lie in the military-political plane. Thus, apart from supplies of critical equipment, European aid is more relevant to initiatives in the post-war period, when de-escalation will take place.
Disclaimer: statements in this publication relate exclusively to positions of the APPAU expert community. They are not a result of any research, nor are they related to security aspects derived from political decisions or strategies. Instead, the proposed initiatives are related to sectoral policies and strategies for critical infrastructure, as well as to state level cross-sectoral security policies, which are directly related to technical policies of critical infrastructure enterprises.
Goals and principles of safety strategies
Safety and security strategies for critical infrastructure and critical industries should basically meet the following needs and demands:
- ensuring continuous operation of enterprises in order to provide consumers with appropriate goods and services;
- creation of safety conditions for personnel and minimization of risks associated with equipment failure;
- security against intrusion into production assets (physical or cyber attack);
- sustainability of energy supply and communications;
- rapid response to accidents caused by both equipment breakdowns and external factors.
Similar requirements are basic in a number of international technical standards, which are discussed below, and they were also declared by heads of states and governments at the Warsaw NATO Summit in July 2016, where seven basic requirements for NATO member countries to ensure national resilience were defined.
Implementation of such strategies should be based on the following principles and approaches:
- risk-oriented approaches should be the basis of all technical decisions;
- enterprises have modern production asset management systems;
- decentralization and redundancy, management of critical assets priorities are part of the general technical policy;
- effective management of stocks and spare parts, integrated into maintenance regulations and performed at an appropriate level;
- definition and implementation of possibilities and means of protection of physical and cyber assets (defense in depth);
- enterprises plan and implement transition to methods of preventive and predictive maintenance;
- technical policy contains definition of a clear scheme “regulatory requirements – verification methods – organizational scheme (which defines distribution of responsibility, actors and processes)”.
Similar principles are the basis of the international standard for production asset management (fig. 1).
Fig. 1. ISO 55000 standard framework
Current state of enterprises
According to APPAU experts, the current state of most enterprises, with the exception of nuclear energy and, partially, some transport enterprises, both now and in the pre-war period, is characterized by the following features:
1. Low level of implementation of modern standards
ISO 55000 standard (management of production assets) is in force (brought to the national DSTU level (State Standards of Ukraine) and translated), but it is applied at almost no enterprise.
ISO 31000 standard (risk management) has been accepted by confirmation method. There is no information about its widespread implementation at critical infrastructure facilities.
IEC 61508 standard (functional safety) has been adopted by confirmation method, translated by APPAU experts (TK 185), and is being implemented at a number of country’s enterprises related to nuclear energy.
IEC 61511 standard (functional safety in automatic control systems) is not in force in Ukraine: there is no translation or adoption at DSTU level, and there is no information about its implementation.
ISO 27001 standard (IT cyber security) has been brought to DSTU level, translated and is a part of individual enterprises’ operational policies.
IEC 62443 standard (cyber security of OT) has been brought to DSTU level by confirmation method by APPAU experts (Technical Committee 185), also translated into Ukrainian, but there is no information about its wide implementation.
According to APPAU experts, a general characteristic of enterprises is that the majority of end users ignore safety standards because their application is not mandatory. Accordingly, most heads of control system departments are not sufficiently familiar with these standards, and the standards are not taken into account in enterprises’ technical policies. This includes state enterprises of critical infrastructure. Implementation of the requirements of these standards, and supervision of their fulfilment, is almost never carried out.
The greatest progress in Ukraine over the past 5 years has taken place in the field of cyber security. In addition to the adoption of ISO 27001 standard, it is worth noting creation of the state Computer Emergency Response Team of Ukraine (CERT), as well as a number of other initiatives managed by the central government.
By contrast, the situation with all other standards shows signs of stagnation.
2. Risk-oriented approaches are the basis of all technical solutions
Modern risk-based approaches are key in assessing and managing the security of industrial systems and critical infrastructure. They are based on the principle of acceptable risk (ALARP). IEC 61508 standard sets Safety Integrity Levels (SIL) as regulatory (mandatory) for relevant systems and equipment. In some industries, they are detailed to take industry specifics into account (in particular, IEC 26262 standards for the automotive industry). The key component in such risk-oriented approaches is determining the probability that a system transitions into an emergency (dangerous) state. Probability estimation is carried out by well-established techniques that use systematic data on component failure and other parameters. Here there is a significant difference between nuclear energy enterprises, where safety culture was implemented from the very beginning of the industry’s formation and the development of domestic manufacturers of information and control systems, and other industries. This difference has hardly changed in recent years.
With regard to critical infrastructure facilities, it should be noted that the State Service of Special Communications and Information Protection of Ukraine (DerzhSpecZviazok) has prepared several documents, in particular, categorization of such facilities in the state and their licensing, including communal infrastructure facilities, which are extremely important for the country. A risk-oriented approach is also key in them, and importantly, it is based on quite clear and well-verifiable criteria. Therefore, mechanisms of regulation and real implementation of risk-oriented approaches are being formed, which should become a component of objective, understandable and mandatory assessment and security assurance.
3. State of the production asset management system
Progress in this area in recent years can be considered the greatest. Dozens of enterprises implemented ERP, MES, EAM/APM and ADCS class systems, with corresponding functions and modules related to management of production assets. The best cases demonstrated at the APPAU conference on asset management in 2021 include solutions at large enterprises such as DTEK, Interpipe, Metinvest. On the other hand, according to APPAU experts’ assessments, the level of implementation of such systems at medium-sized enterprises remains low. In particular, the level of implementation of modern EAM/APM systems based on preventive maintenance methods (APM level 3.0) does not exceed 10-15% in Ukraine, and the number of enterprises implementing predictive maintenance methods (APM level 4.0) is extremely low, less than 1% (fig. 2).
Fig. 2 Evolution of asset performance management (APM) systems according to LNS Research, USA
Read more about the situation in the field of APM in the APPAU review from 2021.
There have been no significant changes in the field of functional safety either. Since 2014, APPAU experts have constantly drawn attention to the fact that the SIL2-SIL3 standards were accepted long ago at the level of national standards even in the russian federation, not to mention European countries. But our enterprises in the Oil & Gas, Energy complex and Utilities sectors refuse to use them, thereby significantly increasing the probability of risks.
However, while big Energy and Oil & Gas operators have at least certain internal procedures that correspond to risk-oriented approaches, things look much worse in the utility sector. For example, Ukrainian cities’ water utilities, as a rule, do not have methods and clearly defined regulations for responding to emergency situations. Accordingly, their actions in emergency situations depend largely on the level of personnel and are far from optimal, given the complexity of situations and the many influencing factors.
Taking into account the level of wear and tear of production assets in critical infrastructure up to 70-90%, industry associations, APPAU leading experts and other institutions over the past 10 years have repeatedly raised questions at the level of state structures, as well as enterprise managers, about inconsistency of enterprises’ condition with security challenges. However, there was no effective reaction.
It is also worth noting that the country does not have modern Emergency Response Centers (CERTs) for certain important sectors of critical infrastructure, which would contain the functionality of both functional security and cyber security.
The main challenges
War can, surprisingly, accelerate safety & security approaches in critical infrastructure and critical industries. First of all, it should be noted that in most eastern and central regions, a large amount of equipment in the energy networks will be replaced with new equipment. Thus, renewal of production assets is a significant factor in improving their reliability. But without significant changes in the approaches themselves, without the introduction of modern standards and changes in operational & maintenance processes and regulations, this will not have the proper effect and will not contribute to an increase in the overall safety level.
APPAU assesses the key challenges of the current state as follows:
1) Complete absence or insufficient level of appropriate state policies and necessary measures to improve security in the field of asset management of critical infrastructure production enterprises. In the conditions of the war, it became clear how important resilience of regional, communal objects of critical infrastructure is, as it is a guarantee of infrastructural resilience at the state level. The balance of infrastructural components of security at the level of enterprises, regions and the state must be determined and managed.
2) Low level of culture and awareness of most enterprises, especially the utility sector, about modern standards, methods and solutions in the field of production assets management.
3) Lack of modern service centers, training and expertise centers capable of providing services to a wide range of enterprises, especially in the utility sector. Practically nowhere is there a transition to service models.
4) Overall fragmentation and gaps in the state and pace of digitization and implementation of modern methods between large enterprises and SMEs, between different industries (nuclear vs utilities), between those with Western owners and domestic ones, in the expert communities themselves, and where competition dominates, which is reinforced by vendors.
Proposals of project initiatives and measures
To meet these challenges, the Association of Industrial Automation of Ukraine proposes the following initiatives:
1) Improvement of state policies in the field of critical infrastructure security:
1. It is necessary to transfer a series of functional and cyber security standards to the mandatory level;
2. Consolidation of leading business associations and government structures should take place to adopt a unified action plan for improving safety and security measures for 2023;
3. It is necessary to define and ensure implementation of a clear security regulation scheme (requirements – verification methods – organizational chart).
2) Initiatives to improve culture of enterprises and development of short and medium-term measures to counter crisis phenomena:
1. A series of online webinars and workshops with exchange of best practices between European and Ukrainian customers on the following topics:
- Risk-oriented production management methods;
- Cyber security: best practices, standards and solutions;
- Functional security: best practices, standards and solutions;
2. Introduction of modern standards (ISO 55000, ISO 31000, IEC 61508/511) into the regulatory framework;
3. Preparation of a network of auditors-consultants on safety standards;
4. Broad education of utility companies about available technical solutions and methods using digital technologies.
3) Initiatives to create elements of the security ecosystem:
1. Creation of personnel training centers according to modern standards and service methods;
2. Creation of industry service centers (primarily for communal enterprises, as the most backward and those in need of assistance);
3. Introduction of the necessary changes in the training programs of specialists at the level of technical colleges and vocational schools with the aim of better training and adaptation of specialists to the level of APM / ASM 4.0.
4) International cooperation – integration in the EU:
1. Preparation and holding of an international conference in 2023 on security issues of Ukrainian critical infrastructure;
2. Broad inclusion of Ukrainian participants with their pilot projects and proposals to projects of the Horizon Europe/Digital Europe and similar programs, in order to strengthen the innovative focus and proposals for the country’s critical infrastructure;
3. Assistance to key operators, as well as utilities, in the transition to modern methods and standards in the maintenance of production assets by providing international technical assistance.
These initiatives are submitted for discussion by professional communities. The task is to create a road map of initiatives, the first presentation of which will take place on December 13 at a webinar with EU and US partners. Send comments, additions and suggestions to email@example.com
The article was prepared by the team of Alexandre Yurchak (head of APPAU), Vyacheslav Kharchenko (Ph.D., head of “HAI” 4.0 Center), Andriy Gumennyi (CEO “System Automation Service”) and with the support of the “Asset Management” Working Group (head Oleksiy Shcherbatenko, IT-Enterprise partner).