Safety and Security: Intelligent standards in building automation

Hannover: The basic idea is a brilliant one: the maintenance of lifts without any need to physically be there. With this model, all the relevant data are transmitted digitally to the PCs of the operator or the maintenance or testing companies. Thanks to the increasing fusion of the control technology responsible for the operation of the systems with information and communication technology, this has now become a reality.

And yet, any data transfer also offers a potential gateway for cyber-attacks, thereby putting not only the lifts themselves but also all other installations within a building at risk, as the elevators offer entry points for third parties to the centrally controlled system. Networked buildings offer a significantly wider range of decentralised possibilities for encroachment from the outside and manipulation of the system’s intended purpose. This in turn presents both the system operator and the building with completely new legal challenges. Consider this, for instance: should the hacked component which has given attackers access to the system or the actual target of the attack itself be held accountable?

What is critical is that many lifts are intended for the evacuation of buildings in an emergency. They are often also an integral part of the building control technology, connected to external safety installations such as fire alarm, smoke-extinguishing or ventilation systems. What’s more, lift systems are usually equipped with external access - that is to say, for third parties - thereby rendering them vulnerable to new threats in a whole variety of ways. “The potential for manipulation of their intended function means that lifts can expose their users to considerable risk, not just during normal use, but also - and especially - in conjunction with an evacuation or fire control system,” warns Ulf Theike, Managing Director of TÜV NORD Systems.

Integrated solution lacking

The problem is this: While there may be a whole array of rules governing the operation of lifts - including product liability and product safety legislation, laws on health and safety at work and legislation related specifically to lifts - their scope does not extend beyond functional safety. Scant attention is paid to information security: security against external attacks. “There currently exists no integrated approach to security and safety, either as a standard or as a policy. And yet it’s precisely this kind of approach, which considers the combination of, and interaction between, safety and security, which is so essential when it comes to counteracting the risks of cyber-attacks and minimising their impact. This kind of perspective is long overdue: after all, operators are obliged to show that the technology being used is state of the art at the time of commissioning,” Theike says emphatically.

One way to ensure this would, for instance, be the combined safety and security risk and threat analysis offered by TÜV NORD under the banner of “Security4Safety”. To satisfy the requirements of this analysis, it must be shown that all the associated hazards in relation to safety and security have been reduced to a tolerable level with the aid of adequate technical and organisational measures. This part is the most important step in the process of ensuring liability security for those responsible for operating the systems.

Achieving security goals with practical solutions

As things currently stand, functional safety and non-safety-related concerns, such as information security, are considered separately. This has until now served the purpose of ensuring absence of feedback: in other words, that information security measures do not have a negative impact on the safety of persons, systems and the environment. However, the strict separation of safety and security is no longer possible, particularly in building automation. The focus must therefore be on finding a solution which satisfies both security and safety requirements.

Existing and new standards

Axel Stohlmann, Director of the Competence Centre Conveyor Technology at TÜV NORD, explains exactly what this might look like in the case of lift systems. “It would be conceivable to have a systematic, structured and continuous approach with which planners and, later, operators would be able to evaluate the properties of a building and its systems. This could be designed in accordance with existing practices of hazard and risk assessment under EN ISO 12100, EN 62443-3-2 or VDI/VDE 2182.” The aim of such a concept must be to implement security measures in such a way as to ensure that the classic safety criteria can be observed and protected (Security4Safety). An existing example is provided by the PESSRAL system, which focuses exclusively on the functional safety of lifts. The command and protection system was introduced as a normative amendment to amendment A1 of the EN 81 standard (EN 81-1;1998/A1:2005) and makes it possible to use programmable electronic systems in applications with security relevance.

Recommended as complementary to this system is the certification of processes, security management systems and components based on IEC standard 62443 for manufacturers of building automation products and IT service providers. As the first set of rules in this area, the new standard forms the basis for the combination of IT security and functional safety in what are known as IACS (Industrial Automation and Control Systems). Thanks to its pioneering character and the fact that manufacturers and operators can use this standard to demonstrate compliance with the state of the art, it is set to become even more important in the future. Other system-related and product-specific requirements must also be integrated into the existing regulations. “If we want to ensure the safe use of systems that need monitoring, such as lifts, in the light of the new threats, we’re going to have to think outside the classic risk areas,” says Theike.

Generating awareness

An integrated approach requires not only the right framework conditions but also, in practice, awareness of the link between the two areas. In the context of the conformity assessment procedure, the safety and security aspects need to be considered holistically. This requires the legislature, notified bodies and approved monitoring organisations to take safety and security, general building infrastructure, quality and operation equally into account in the various rule books for lift systems. New requirements will also need to be defined to guarantee the secure use of these systems in combination with building functions.