Wilamowski B.M., Irwin J.D. The Industrial Electronics Handbook. Second Edition: Industrial Communication Systems
Подождите немного. Документ загружается.
21-10 Industrial Communication Systems
21.5.2 Hazard and risk analysis
Hazard.and.risk.analysis.is.a.crucial.step.in.every.safety.lifecycle.and.safety.development.of.a.communi-
cation
.system.(see,.e.g.,.VDI2184.[VDI2184])..Hazards.increase.the.risk.of.a.fatality.and.not.only.must.be.
identied.by.a.hazard.and.risk.analysis.but.also.mitigated.by.implementing.safety.measures.according.
to.safety.requirements..As.outlined.before,.there.is.a.magnitude.of.possibilities.(e.g.,.HAZOP.or.FMEA).
of.how.to.carry.out.a.hazard.analysis.
e
.scope.of.the.hazard.and.risk.analysis.is.the.node.connected.to.the.communication.system..First,.
hazards.resulting.from.failures.on.the.network,.which.are.inuencing.node.safety,.must.be.investigated..
It.is.not.intended.to.ensure.network.safety.in.case.of.a.black-channel.approach.and.hence.not.included.
into.safety.considerations..Second,.the.node.hardware.and.rmware.itself.has.to.be.examined.regarding.
failures..Moreover,.the.risk.caused.by.the.failures.must.be.assessed.and.safety.measures.according.to.the.
target.SIL.have.to.be.specied.
Table
.21.5.lists.typical.network.faults..e.faults.can.be.categorized.in.three.dierent.groups:.faults.
directly.corresponding.to.human.mistakes.(8,.9),.faults.not.directly.relating.to.human.mistakes.(1–7),.
and.faults.either.directly.or.indirectly.referring.to.human.mistakes.(10)..e.cause.of.such.a.grouping.is.
to.point.out.that.human.mistakes.must.be.considered.during.investigation.of.(network).faults.
e
.next.step.is.to.identify.the.network.failures.resulting.from.faults.listed.in.Table.21.5..Network.fail-
ures
.can.be.separated.into.stochastic.(i.e.,.hardware.failures).and.systematic.failures..Another.important.
topic.is.to.analyze.the.eect.of.the.failure.(i.e.,.the.hazard)..erefore,.an.FMEA.is.an.appropriate.means.
as.shown.in.Table.21.6.
Risk
.analysis.can.be.performed.by.quantifying.or.qualifying.the.risk..According.to.IEC61508,.stochas-
tic
.or.hardware.failures.can.be.quantied,.others.only.qualied.by.specifying.discrete.levels.such.as.“low,”.
“medium,”.or.“high.”.For.example,.risk.of.a.“bits.being.destroyed”.can.be.calculated.by.the.following..
TABLE 21.5 Typical.Network.Faults
1..Crosstalk . 6..Aging
2.
.Broken.cable . 7..Temperature
3.
.EMC.failure . 8..Human.failure
4.
.Stochastic.failure . 9..Wiring.failure.by.human
5.
.Stuck.at.failure 10..Transmission.of.non-authorized.messages
Source:
. Reinert,.D..and.Schaefer,.M..(Publisher),.Sichere Bussysteme
in der Automation,.Hüthig.Verlag,.Heidelberg,.Germany,.2001,.32.pp..
With.permission.
Safety-related part of node (gray)
A B
Node
Non-safety-related part of node
(black)
Black channel
FIGURE 21.5 Black-channel.concept.
© 2011 by Taylor and Francis Group, LLC
Functional Safety 21-11
According.to.[PHO97],.the.probability.of.a.bit.being.destroyed.on.shielded.twisted.pair.cables.is.p.=.10
−5
..
It.is.assu
med
.that.v.=.10.safe
ty-related
.mess
ages
.are.sent.ever
y
.second
.
.e.rate.of.sing
le
.bit.tran
smission
.
erro
r
.U.is
. U p v
1
4
10= =
−
* /s . (21.1)
In
.othe
r
.word
s,
.ever
y
.10,0
00
.s,.a.singl
e
.tran
smission
.erro
r
.occu
rs
.and.the.risk.of.a.singl
e
.bit.bein
g
.
dest
royed
.per.seco
nd
.is.10
−4
..e.probability.that.two.bits.are.destroyed.within.1.s.is.10
−9
,.assuming.that.
prob
abilities
.are.inde
pendent
.and.ther
efore
.p
2
.is.inserted.into.the.aforementioned.formula.instead.of.p..
As.a.resu
lt,
.the.safe
ty
.inte
grity
.of.a.safe
ty
.meas
ure
.must.be.chos
en
.so.that.the.resid
ual
.fail
ure
.prob
ability
.
of.a.mes
sage
.is.at.lea
st
.bel
ow
.10
−7
.h
−1
.to.reach.the.target.SIL3.
Also,
.fail
ures
.on.node.side.must.be.inve
stigated.
.at.is,.a.haza
rd
.anal
ysis
.and.risk.anal
ysis
.has.also.
to.be.perf
ormed
.to.iden
tify
.fail
ures
.on.the.node.itse
lf
.(Tab
le
.21.7
).
.In.IEC6
1508,
.part.2,.a.deta
iled
.list.
is.prov
ided
.that.give
s
.info
rmation
.on.the.vari
ous
.fail
ures
.in.the.comp
onents
.of.a.micr
ocontroller
.that.
must.be.tak
en
.into.con
sideration.
.Suc
h
.a.haz
ard
.ana
lysis
.is.als
o
.car
ried
.out.by.mea
ns
.of.FME
A.
TABLE 21.6 FMEA.of.Network
Network.Failure Failure.Mode Description Eect.(Hazard)
Data
.corr
uption Single
.bit.destr
oyed EMC
.eec
t
.
destro
ys
.bit
C
hange
.of.mess
age
.can.
prod
uce
.malf
unction
.at.
receiv
er
.side
Loss
I
ncorrect
.seq
uence
Repetition
Broken
.wire.or.
gatewa
y
.pro
blem,
.
wron
g
.rou
ting
Aging
.of.wire.or.
hard.so
ware
.
prob
lem
.in.
gatewa
y
A
.saf
ety-related
.mess
age
.
isnot.or.in.the.wro
ng
.
sequen
ce
.or.mor
e
.oen.
transmi
tted
.to.the.
receiver
Delay
Insertion
Buering
.of.messa
ges
.
in.a.gate
way
e
.gatewa
y
.canno
t
.
proces
s
.mor
e
.tha
n
.
a.single.mess
age
.
at.the.sam
e
.time
e
.dela
yed
.or.inser
ted
.
messa
ge
.incl
udes
.an.
outd
ated
.value
C
oupling
.betw
een
.saf
ety
.
and.non-s
afety-related
.
messa
ges
Wrong
.netw
ork
.
conguratio
n
A
.non-a
uthorized
.
messa
ge
.looks.like.
a.saf
ety-related
.
messa
ge
Receiver
.perf
orms
.
anon-int
ended
.
safet
y-related
.action.being.
trigg
ered
.fro
m
.anon-
s
afety-related
.sender
TABLE 21.7 FMEA.of.Node.Hardware
Hardware.
Component Failure.Mode Description Eect.(Hazard)
Controller Malfunction Due
.to.high.temp
erature,
.the.
ALU.of.the.CPU.deliv
ers
.
wron
g
.values
W
rong
.opera
tion
.
of.device
M
emory Wrong
.values.sto
red Stuck
.at.faul
t
.in.the.vol
atile
.
memor
y
.resu
lts
.in.wro
ng
.
values.sto
red
Wrong
.opera
tion
.
of.device
I
nput
.device
Wrong
.dat
a
.read.by.
contr
oller
Stuck
.at.fail
ure
.or.sho
rtcut
.
failur
e
.betw
een
.dieren
t
.
chann
els
Wrong
.opera
tion
.
of.device
O
utput.device.to.
network.interface
Corrupted.messages.
sent.or.received
Stochastic.and.systematic.
failures.during.data.transfer
Wrong.operation.
of.device
O
utput
.device.to.
actua
tor
Failure
.of.out
put
.swit
ch Stuck
.at.fail
ure
.or.sho
rtcut
.
failur
e
.in.the.out
put
.circui
t
Unable
.to.swit
ch
.o
© 2011 by Taylor and Francis Group, LLC
21-12 Industrial Communication Systems
In.literature.such.as.[GIE95].or.[LIG02],.failure.rates.for.standard.hardware.components.are.listed..
Fai
lure
.rat
es
.are.ava
ilable
.for.resi
stors,
.dio
des,
.tra
nsistors
.or.cap
acitors,
.and.the.lik
e,
.and.are.qua
ntied
.
in.fai
lure
.in.tim
e
.(FI
T),
.whi
ch
.equ
als
.a.ris
k
.of.10
−9
.h
−1
..ey.are.used.to.perform.the.risk.analysis..For.
exa
mple,
.a.ris
k
.res
ulting
.fro
m
.the.inp
ut
.dev
ice
.is.a.comb
ination
.of.fai
lures
.rat
es
.of.di
erent
.com
ponents
.
na
lly
.lea
ding
.to.a.qua
ntied
.ris
k
.val
ue
.for.the.com
plete
.cir
cuit.
.e.sam
e
.is.tru
e
.for.the.CPU
,
.or.non
-
volatile
.an
d
.vo
latile
.me
mory.
.Se
e
.[B
OE04]
.fo
r
.ex
amples
.on.ho
w
.to.ca
lculate
.fa
ilures
.ra
tes
.of.ci
rcuits.
In
.co
nclusion,
.th
e
.ha
zard
.an
d
.ri
sk
.an
alysis
.is.th
e
.ba
se
.fo
r
.tw
o
.ty
pes
.of.re
quirements:
•
. Haz
ards
.sh
all
.be.ad
dressed
.by.ad
equate
.sa
fety function requirements.
•
. e.ris
k
.res
ulting
.fro
m
.the.haz
ards
.has.an.imp
act
.on.the.saf
ety integrity requirements.
.e.low
er
.
the.re
sidual
.ri
sk
.sh
all
.be
,
.th
e
.hi
gher
.an
d
.st
ricter
.th
e
.sa
fety
.in
tegrity
.re
quirements
.ar
e.
Both
.req
uirements
.hav
e
.an.imp
act
.on.the.typ
e
.of.saf
ety
.mea
sures
.use
d
.to.rea
ch
.the.tar
get
.SIL
.
.e.
rs
t
.de
nes
.wha
t
.mea
sures
.are.req
uired
.whi
le
.the.lat
ter
.spe
cies
.the.saf
ety
.per
formance
.of.the.mea
sures
.
(e.
g.,
.wh
at
.ty
pe
.of.fa
ults
.ca
n
.be.de
tected).
21.5.3 Failure Mitigation
Failure. mitigation. comprises. all. activities. in. the. safety. lifecycle. relating. to. the. identication. of.
saf
ety
.fun
ctions
.and.saf
ety
.int
egrity
.req
uirements
.as.wel
l
.as.der
ivation
.of.saf
ety
.mea
sures
.fro
m
.the.
req
uirements.
As
.men
tioned
.bef
ore,
.bot
h
.typ
es
.of.req
uirements
.are.a.res
ult
.of.the.haz
ard
.and.ris
k
.ana
lysis.
.It.is.
sep
arated
.into.two.par
ts:
.net
work
.(cf
.
.Tab
le
.21.
6)
.and.nod
e
.har
dware
.(cf
.
.Tab
le
.21.
7).
.Typ
ical
.haz
ards
.
and.me
asures
.to.de
tect
.th
em
.ar
e
.li
sted
.in.Ta
ble
.21
.8.
Table
.21.
8
.sho
ws
.tha
t
.eig
ht
.saf
ety
.mea
sures
.are.spe
cied
.to.add
ress
.the.var
ious
.haz
ards
.res
ulting
.
fro
m
.net
work
.fai
lures.
.e.mea
sures
.res
ult
.in.a.gen
eric
.saf
ety-related
.mes
sage
.for
mat:
.in.a.spe
cic
.com
-
munication
.mo
del
.an
d
.a.re
quired
.ha
rdware
.ar
chitecture.
As
.in.mos
t
.cas
es,
.the.sta
ndard
.pro
tocol
.sha
ll
.not.be.alt
ered
.(bl
ack-channel
.app
roach),
.the.saf
ety-
related
.pro
tocol
.is.embe
dded
.into.the.pay
load
.el
d
.of.the.com
munication
.pro
tocol.
.And.it.sha
ll
.be.dif
-
ferent
.fro
m
.the.sta
ndard
.pro
tocol
.to.red
uce
.the.lik
elihood
.of.cou
pling
.bet
ween
.non
-safety-related
.and.
saf
ety-related
.mes
sages.
.As.sho
wn
.in.Fig
ure
.21.
6,
.the.saf
ety-related
.mes
sage
.has.the.fol
lowing
.str
ucture:
•
. ID (
Identier) consists of length eld and a version eld:
.Ver
sion
.den
otes
.the.ver
sion
.of.the.pro
to-
col.
.It.is.pos
sible
.tha
t
.di
erent
.typ
es
.of.saf
ety-related
.mes
sage
.str
uctures
.are.use
d.
.e.ide
ntier
.
is.a.me
ans
.of.de
tecting
.in
sertion
.of.a.me
ssage
.by.a.fa
ulty
.no
de.
•
. Saf
e address:
. Saf
ety-critical
. and. non
-safety-critical
. ser
vices
. sha
ll
. be. pro
vided
. by. the. sys
tem.
.
er
efore,
.saf
ety-
.and.non
-safety-related
.mes
sages
.coe
xist
.in.the.sam
e
.net
work.
.To.gua
rantee
.
abs
ence
.of.rea
ction
.bet
ween
.the
m
.exp
licitly,
.eve
ry
.saf
ety-related
.mes
sage
.inc
ludes
.a.saf
e
.add
ress.
.
Dat
a
.sen
t
.fro
m
.a.saf
e
.out
put
.dat
a
.poi
nt
.(ca
lled
.pro
ducer)
.to.a.saf
e
.inp
ut
.dat
a
.poi
nt
.(ca
lled
.con
-
sumer)
.is.on
ly
.pr
ocessed
.if.th
e
.sa
fe
.ad
dress
.of.th
e
.pr
oducer
.is.kn
own
.to.th
e
.co
nsumer.
•
. Tim
estamp:
.A.tim
estamp
.is.the.onl
y
.mea
ns
.to.det
ect
.the.del
ay
.bet
ween
.sen
ding
.at.the.sen
der
.
side.and.rec
eiving
.at.the.rec
eiver.
.In.cas
e
.of.eve
nt-triggered
.com
munication
.and.dev
ices
.stor
ing
.
mes
sages
.tem
porarily
.(e.
g.,
.rou
ters),
.con
gestion
.on.the.net
work,
.or.wro
ng
.rou
ting,
.a.mes
sage
.can.
be.del
ayed
.and.the
refore
.out
dated.
.Add
itionally,
.wro
ng
.seq
uence
.of.a.mes
sage
.and.rep
etition
.of.
the.sam
e
.mes
sage
.is.det
ected.
.How
ever,
.a.tim
estamp
.mec
hanism
.req
uires
.tim
e
.syn
chronization
.
amo
ng
.th
e
.di
erent
.no
des,
.wh
ich
.is.an.ad
ditional
.e
ort
.to.be.co
nsidered.
•
. Saf
ety-related data:
.Se
nsor
.an
d
.ac
tuator
.da
ta
.is.emb
edded
.in
to
.th
at
.e
ld.
•
. Cyclic redundancy check:.e.measures.mentioned.before.are.implemented.to.detect.systematic.
faults.(faults.that.cannot.be.quantied)..e.CRC.is.a.means.against.stochastic.faults.like.a.bit.
fau
lt
.lea
ding
.to.a.cor
ruption
.of.the.mes
sage,
.and.it.ens
ures
.the.int
egrity
.of.the.saf
ety-related
.
mes
sage.
.Dep
ending
.on.the.med
ium
.of.the.net
work
.(tw
isted
.pai
r,
.pow
erline,
.…),.di
erent
.CRC.
pol
ynomials
.ha
ve
.to.be.ch
osen
.[K
OO04].
© 2011 by Taylor and Francis Group, LLC
Functional Safety 21-13
TABLE 21.8 Network-Related.Hazards.and.Measures.to.Detect.em
Measures.Hazard
Consecutive.
Number Time.Mark
Time.Out.
(Watchdog)
Acknowledgment.
(Echo)
Identier.for.Sender.
and.Receiver
Data.
Protection
Redundancy.
with.Cross.
Comparison
Dierent.Data.
Protection.for.
Safe/Non-Safe.
Messages
Repetition
✓ ✓ ✓
Loss
✓ ✓ ✓
Insertion
✓
✓
a
✓
b
✓
Incorrect.sequence
✓ ✓ ✓
Data.corruption
✓ ✓
✓
c
Delay
✓
✓
d
Coupling.between.safety.and.
non-safety-related.messages
✓ ✓ ✓
Source:. BG-PRÜFZERT,. Fachausschuss. Elektrotechnik.. GS-ET-26—Bussysteme für die Übertragung sicherheitsrelevanter Nachrichten.. Prüfgrundsätze,. Köln,.
Deutschland,.Germany,.2002..With.permission.
a.
Application.dependent.
b.
Detection.of.insertion.of.an.invalid.source.only.
c.
Serial.bus.only.
d.
Always.required.
© 2011 by Taylor and Francis Group, LLC
21-14 Industrial Communication Systems
e.value.of.each.data.point.(sensor.or.actuator.value),.irrespective.of.whether.it.has.changed.or.not,.
is.periodically.sent.to.the.receiver.by.using.a.safety-related.message..at.mechanism.is.called.heartbeat..
On.the.receiver.side,.a.watchdog.is.used,.which.is.reset.every.time.a.valid.message.has.been.received..As.
a.consequence,.a.malfunction.at.the.sender.side.or.a.fault.in.the.black-channel.(e.g.,.unavailability.of.the.
network.due.to.a.broke.wire.or.a.defect.in.the.standard.network.interface).can.also.be.detected.
In
.addition,.each.safety-related.message.can.be.duplicated.as.shown.in.Figure.21.6..Just.the.CRC.are.
dierent..At.the.receiver.side,.not.only.the.CRC.are.veried.but.also.the.duplicated.data.is.compared.
bit-by-bit..Such.a.mechanism.increases.the.integrity.of.the.message.and.reduces.the.risk.of.corruption.
to.a.minimum.
Finally,
.every.message.received.by.a.node.is.processed.by.two.safe.controllers..Each.of.them.veries.
the.ID,.the.safe.address,.the.timestamp,.and.the.CRC..Aer.that.they.compare.their.results..Only.if.both.
safe.controllers.agree.on.the.same.positive.result,.action.according.to.the.data.point.value.is.taken..Such.
an.approach.is.called.redundancy.with.cross-comparison.
By
.using.such.a.safety-related.message.structure.as.shown.in.Figure.21.6,.a.heartbeat.and.redun-
dancy
.with.cross-comparison,.all.faults.mentioned.in.Table.21.8.are.addressed.and.can.be.detected..
Embedding.the.safety-related.message.into.the.data.eld.of.the.standard.industrial.communication.
system.message.format.leaves.the.standard.protocol.unchanged..Consequently,.non-safe.and.safe.nodes.
use.the.same.protocol,.only.the.structure.of.the.data.eld.is.dierent.
Node
.hardware-related.safety.measures.are.outlined.in.detail.in.[HOE86]..Faults.in.the.hardware.
components.as.listed.in.Table.21.9.are.stochastic.faults..ey.cannot.be.avoided.but.detected.and.han-
dled
.properly..Fault.detection.is.performed.by.means.of.online.and.oine.hardware.self.tests.
e
.online.tests.that.are.executed.guarantee.a.high.integrity.of.the.hardware.by.revealing.faults.in.the.
dierent.parts.of.the.hardware..Tests.are.separated.into.volatile.memory.(RAM),.nonvolatile.read-only.
memory.(FLASH),.CPU.(controller).tests,.and.test.of.the.input/output.unit..Faults.of.the.communication.
interface.to.the.network.interface.are.tested.by.sending.heartbeats.implicitly.
In
.general,.volatile.memory.test.algorithms.dier.in.test.eort.and.diagnostic.coverage..A.high.test.
eort.and.a.high.diagnostic.coverage.is.ensured.when.using.the.galloping.pattern.test,.a.low.one.when.
ID
Safe address Safe address
Time stamp Time stamp
Data: n byte Data: n byte
Message part 1 Message part 2
CRC
1
CRC
2
ID
FIGURE 21.6 Generic.safety-related.message.format.
TABLE 21.9 Node.Hardware-Related.Hazards.and.Measures
Hardware.
Component Eect.(Hazard) Safety.Measure
Controller Wrong
.operation.of.device Use.of.a.1oo2.structure.with.watchdog.and.
cross-checking;.use.of.cyclic.communication.
via.serial.interface.between.both.channels;.
use.of.CPU.test.at.startup.and.during.
operation
Memory Wrong
.operation.of.device Use.of.memory.test.at.startup.and.during.
operation
Input
.device Wrong.operation.of.device Use.of.test.pulses;.use.of.test.pattern.with.
dierent.test.pulses
Output
.device.to.
network.interface
Wrong.operation.of.device Check.of.message.by.independent.channels.
and.comparison.of.check.results
Output
.device.to.
actuator
Unable.to.switch.o Use.of.test.pulses
© 2011 by Taylor and Francis Group, LLC
Functional Safety 21-15
implementing.the.marching.bit.test.[HOE86]..e.level.of.the.diagnostic.coverage.depends.on.the.faults.
rev
ealed
.by.the.tes
t.
.Tes
ts
.wit
h
.a.hig
h
.lev
el
.det
ect
.fau
lts
.acc
ording
.to.the.DC-
fault
.mod
el,
.oth
ers
.onl
y
.
det
ect
.st
uck-at
.fa
ults
.[I
EC61508].
Tests
.of.the.non
volatile
.rea
d-only
.mem
ory
.rel
y
.on.saf
ety
.mea
sures
.lik
e
.par
ity
.bit
s,
.che
cksums,
.or.
CRC
s,
.whe
reas
.dia
gnostic
.cov
erage
.of.the.rs
t
.is.low.and.the.las
t
.is.hig
h.
.e.dat
a
.stor
ed
.is.spl
it
.up.in.
blo
cks
.of.equ
al
.len
gth
.and.eac
h
.blo
ck
.is.saf
eguarded
.wit
h
.a.saf
ety
.mea
sure.
.Dur
ing
.ope
ration,
.the.CRC.
or.che
cksum
.of.the.blo
ck
.is.rec
alculated
.and.ver
ied
.wit
h
.the.stor
ed
.one
.
.In.cas
e
.of.equ
ality,
.the.int
eg-
rity
.of.da
ta
.is.gu
aranteed.
e
.CPU.tes
t
.con
sists
.of.the.tes
t
.of.the.reg
isters
.use
d
.(eq
ual
.to.the.tes
t
.of.the.vol
atile
.mem
ory),
.the.
sta
ck
.te
st,
.th
e
.a
g
.te
st,
.an
d
.th
e
.te
st
.of.th
e
.CP
U’s
.ar
ithmetic
.lo
gic
.un
it
.(A
LU):
•
. Sta
ck test:
.Tes
ting
.the.sta
ck
.poi
nter
.wit
hout
.man
ipulation
.of.the.pro
gram
.ow.is.not.pos
sible.
.
Con
sequently,
.the.sta
ck
.tes
t
.is.red
uced
.to.the.ver
ication
.of.a.sta
ck
.ove
row,
.whi
ch
.is.the.mos
t
.
com
mon
.sta
ck
.fau
lt.
.er
efore,
.a.de
ned
.bit.mas
k
.is.stor
ed
.at.the.upp
er
.and.low
er
.bou
nd
.of.the.
sta
ck.
.It.is.che
cked
.per
iodically,
.if.the.bit.mas
k
.rem
ains
.unc
hanged.
.In.cas
e
.of.a.cha
nged
.bit.mas
k,
.
it.is.ob
vious
.th
at
.a.st
ack
.ov
erow
.oc
curred
.re
sulting
.in.an.un
dened
.an
d
.un
safe
.be
havior.
•
. Fla
g test:
.Tes
ting
.the.ag
s
.is.don
e
.by.set
ting
.and.res
etting
.the.CPU.ag
s
.and.ver
ication
.of.the.
res
ults.
.In.ad
dition,
.th
e
.co
nditional
.ex
ecution
.of.in
structions
.ha
s
.to.be.ve
ried.
•
. Ari
thmetic logic unit:
. e. tes
t
. of. the. ALU. sho
uld
. cov
er
. all. phy
sical
. pat
hs
. wit
hin
. the. CPU
.
.
Obv
iously,
.th
e
.pr
oblem
.is.th
at
.th
e
.en
tire
.CP
U
.la
yout
.is.un
known
.an
d,
.mo
re
.im
portant,
.too.co
m-
plex
.for.a.com
prehensive
.ana
lysis.
.In.ord
er
.to.add
ress
.thi
s
.pro
blem,
.the.ins
truction
.set.of.the.
mic
rocontroller
.is.sep
arated
.int
o
.com
mand
.cla
sses.
.Com
mand
.cla
sses
.are
,
.e.g
.,
.the.AND.and.
the.MOV.com
mand.
.For.eve
ry
.com
mand
.cla
ss,
.the.inp
ut
.val
ues
.are.cho
sen
.so.tha
t
.eve
ry
.bit.of.the.
out
put
.pe
rforms
.a.“1
–0”
.an
d
.a.“0
–1”
.tr
ansition.
All
.the.saf
ety
.req
uirements
.and.saf
ety
.mea
sures
.res
ult
.in.add
itional
.saf
ety-related
.rm
ware.
.In.mos
t
.
cas
es,
.it.is.log
ically
.loc
ated
.abo
ve
.ISO
/OSI
.lay
er
.7.of.the.sta
ndard
.pro
tocol
.sta
ck.
.And.ano
ther
.con
se-
quence
.is.tha
t
.mos
tly
.a.dua
l
.cha
nnel
.har
dware
.arc
hitecture
.(se
e
.Tab
le
.21.
4)
.is.req
uired.
.In.oth
er
.wor
ds,
.
the.sta
ndard
.har
dware
.of.a.nod
e
.is.ext
ended
.wit
h
.a.saf
ety
.con
troller
.to.all
ow
.cro
ss-comparison
.of.dat
a.
acronyms
1oo2. One.out.of.two
DC
. Dir
ect
.cu
rrent
EUC
. Equ
ipment
.un
der
.co
ntrol
FIT
. Fai
lure
.in.ti
me
FMEA
. Fai
lure
.mo
de
.an
d
.e
ect
.an
alysis
FTA
. Fau
lt
.tr
ee
.an
alysis
GSN
. Goa
l
.st
ructuring
.no
tation
HAZOP
. Haz
ard
.an
d
.op
erability
.st
udy
SIL
. Saf
ety
.in
tegrity
.le
vel
references
[BOE04].J..Börcsök..Electronic Safety Systems..Hüthig.Verlag,.Heidelberg,.Germany,.2004,.107.pp.
[DS00-58]
.Minis
try
.of.Defen
ce.
.HAZOP.studies.on.system
s
.cont
aining
.prog
rammable
.elec
tronics.
.U.K..
Defen
ce
.St
andard.
.Def.St
an
.00-58..Mini
stry
.of.Def
ence,
.Gl
asgow,
.U.K.,.2000.
[GIE95]
.K..Gie
ck
.an
d
.R..Gie
ck.
.Te
chnische Formelsammlung.
.Gie
ck
.Ver
lag,
.Ger
mering,
.Ger
many,
.1995.
[GS-ET26]
.BG-PR
ÜFZERT,
.Fach
ausschuss
.Elek
trotechnik.
.GS-ET-26—B
ussysteme für die Übertragung
sicherheitsrelevanter Nachrichten.
.Pr
üfgrundsätze,
.Kö
ln,
.Deu
tschland,
.Ger
many,
.2002.
© 2011 by Taylor and Francis Group, LLC
21-16 Industrial Communication Systems
[HOE86]. H.. Hölscher. and. J.. Rader,. Microcomputers in Safety Technique, An Aid to Orientation for
Developer and Manufacturer.
.TÜV.Rh
einland,
.Co
logne,
.Ger
many,
.1986.
[IEC60812]
.Ana
lysis
.tec
hniques
.for.system.reli
ability—Procedure
.for.fail
ure
.mode.and.eec
ts
.ana
lysis
.
(FMEA)..In
ternational
.Ele
ctrotechnical
.Co
mmission,
.Gen
eva,
.Sw
itzerland,
.2006.
[IEC61025]
.Fau
lt
.tre
e
.ana
lysis
.(FTA)..Int
ernational
.Elec
trotechnical
.Commi
ssion,
.Gene
va,
.Swi
tzerland,
.
2006.
[IEC61508]
. Func
tional
. saf
ety
. of. elec
trical/electronic/programmable
. elec
tronic
. saf
ety-related
. system
s.
.
Int
ernational
.Ele
ctrotechnical
.Co
mmission,
.Gen
eva,
.Sw
itzerland,
.2000.
[Ke
l&04]
.T..Ke
lly
.an
d
.R..We
aver.
.e.go
al
.st
ructuring
.no
tation—A
.sa
fety
.ar
gument
.no
tation.
.Co
nference
on Dependable Systems and Networks (DSN).
.Flor
ence,
.It
aly,
.2004.
[KO
O04]
.Ph..Koo
pman
.and.T..Cha
kravarty.
.Cyc
lic
.red
undancy
.code.(CRC).pol
ynomial
.sele
ction
.for.
embe
dded
.netw
orks.
.In.Pro
ceedings of the International Conference on Dependable Systems and
Networks,
.Flor
ence,
.It
aly,
.pp
.
.145–154,.Jun
e
.28–Ju
ly
.1,.2004.
[LIG02]
.P..Lig
gesmeyer.
.So
ware Qualität.
.Sp
ektrum
.Akademi
scher
.Ver
lag,
.Heide
lberg,
.Ger
many,
.2002.
[PH
O97]
.Pho
enix
.Con
tact
.(Publi
sher).
.Gru
ndkurs Sensor-Aktor-Feldbustechnik.
.Voge
l-Verlag,
.Würzbur
g,
.
Germ
any,
.1997.
[REI01]
.D..Reiner
t
.and.M..Sch
aefer
.(Publi
sher).
.Sic
here Bussysteme in der Automation.
.Hüt
hig
.Verl
ag,
.
Heidel
berg,
.Ger
many,
.2001,.32.pp
.
[VDI2184]
. VDI. 2184.. Reli
able
. opera
tion
. and. main
tenance
. of. eld. bus. system
s.
. Verein. Deuts
cher
.
Ingenieure,.Germany,.2008.
[WRA07]
. P..Wrat
il
. and. M.. Kiev
iet.
. Sic
herheitstechnik für Komponenten und Systeme.
. Hüt
hig
. Verl
ag,
.
Heidel
berg,
.Ger
many,
.2007,.150.pp
.
© 2011 by Taylor and Francis Group, LLC
22-1
22.1 Introduction to Security in Industrial Communication
Modern.industrial.communication.systems.go.far.beyond.small.automated.islands.that.have.been.
in.mind.when.deve
loping
.the.orig
inal
.comm
unication
.prot
ocols.
.Vert
ical
.inte
gration
.and.tran
smis-
sion
.over.the.Inte
rnet
.are.comm
on
.toda
y,
.but.they.requ
ire
.addi
tional
.secu
rity
.meas
ures
.to.prot
ect
.
the.asse
ts.
In
.lite
rature,
.a.mult
itude
.of.secu
rity
.den
itions
.that.are.more.or.less.ambig
uous
.exis
t
.[R49
,PFL,MEN,
.
BIS,
I15].
.In.the.cont
ext
.of.indu
strial
.comm
unication,
.secu
rity
.can.be.den
ed
.as.meas
ures
.that.prot
ect
.
syst
em
.reso
urces
.agai
nst
.adve
rsaries
.that.inte
ntionally
.try.to.gain.unau
thorized,
.mali
cious
.acce
ss.
.e.
aim.of.such.an.acce
ss
.can.be.mani
fold.
.In.the.eld.of.indu
strial
.comm
unication,
.an.adve
rsary
.may.be.a.
huma
n
.or.some.piec
e
.of.mali
cious
.sow
are
.(e.g
.,
.Troj
an
.hors
e,
.viru
s,
.worm
)
.with.the.inte
ntion
.to.gain.
unau
thorized
.acce
ss
.to.cont
rol
.func
tions,
.i.e.,.func
tions
.that.inte
ract
.with.the.proc
ess
.unde
r
.cont
rol.
.
Note.that.this.den
ition
.of.secu
rity
.is.cont
rary
.to.the.den
ition
.of.safe
ty.
.Whil
e
.secu
rity
.prot
ects
.the.
syst
em
.agai
nst
.inte
ntional
.acti
ons
.that.may.resu
lt
.in.dama
ge
.to.the.syst
em
.and.as.a.cons
equence
.may.
also.be.harm
ful
.to.peop
le,
.safe
ty
.meas
ures
.redu
ce
.the.risk.of.unin
tentional
.syst
em
.stat
es
.that.do.caus
e
.
harm.to.hum
ans.
e
.actu
al
.acti
on
.that.an.adve
rsary
.perf
orms
.to.gain.acce
ss
.to.the.cont
rol
.func
tions
.is.gene
rally
.
refe
rred
.to.as.a.secu
rity attack.
.A.secu
rity
.atta
ck
.is.only.possi
ble
.if.the.syst
em
.sue
rs
.vuln
erabilities,
.i.e.,.
aws.and.weak
nesses
.that.may.be.expl
oited.
.e.exis
tence
.of.vuln
erabilities
.lead
s
.to.secu
rity threats
.that.
can.be.seen.as.the.pote
ntial
.for.viol
ation
.of.secu
rity.
.To.prov
ide
.meas
ures
.that.avoi
d
.a.viol
ation
.of.the.
syst
em’s
.secu
rity,
.thes
e
.secu
rity
.thre
ats
.have.to.be.dete
rmined.
.Note.that.a.secu
rity
.atta
ck
.is.die
rent
.to.
22
Security in Industrial
Communication Systems
22.1. Introduction.to.Security.in.Industrial.Communication...........22-1
22.2
. Plan
ned
.App
roach
.to.Sec
urity:
.Def
ense
.in.Dept
h.....................22-3
22.3
. Secu
rity
.Mea
sures
.to.Cou
nteract
.Net
work
.Att
acks...................22-4
Virtual.Private.Networks. •. Firewalls. •. Cryptography. •. .
DoSPrevention.and.Detection
22.4. Security.Measures.to.Counteract.Device.Attacks......................22-9
Protected.Hardware.and.Security.Token. •. Secure.Soware.
Environments
22.5. State.of.the.Art.in.Automation.Systems.....................................22-12
Security.in.Building.Automation.Systems. •. Security.in.Industrial.
Communication. •. Security.in.IP-Based.Networks. •. Security.
inWireless.Communication.Systems
22.6. Outlook.and.Conclusion..............................................................22-15
Abbreviations.............................................................................................22-15
References...................................................................................................22-16
Wolfgang Granzer
Vienna University
of Tec
hnology
Albert Treytl
Austrian Academy
of Sci
ences
© 2011 by Taylor and Francis Group, LLC
22-2 Industrial Communication Systems
a.security.threat..While.a.security.attack.is.the.actual.action.that.tries.to.violate.the.security.of.a.system,.
a.se
curity
.th
reat
.is.th
e
.po
tential
.fo
r
.vi
olation
.of.se
curity
.th
at
.ma
y
.ne
ver
.be.ut
ilized
.[R
49].
Up
.to.now
,
.sec
urity
.has.bee
n
.neg
lected
.in.the.ind
ustrial
.com
munication
.dom
ain.
.How
ever,
.as.men
-
tioned
.in.[DZ
U],
.ind
ustrial
.com
munication
.sys
tems
.are.alr
eady
.the.tar
get
.of.sec
urity
.att
acks
.as.rep
orted
.
inc
idents
.sho
w.
.e.con
sequences
.of.a.suc
cessful
.sec
urity
.att
ack
.on.an.ind
ustrial
.com
munication
.sys
-
tem
.may.be.man
ifold.
.In.add
ition
.to.a.mal
function
.of.saf
ety
.cri
tical
.ser
vices,
.whi
ch
.are.har
mful
.to.
hum
ans,
.sec
urity
.att
acks
.on.ind
ustrial
.com
munication
.sys
tems
.can.als
o
.hav
e
.mas
sive
.eco
nomic
.imp
act.
.
Con
sider,
.fo
r
.ex
ample,
.a.po
wer
.pl
ant
.be
ing
.th
e
.ta
rget
.of.a.se
curity
.at
tack.
Since
.sec
urity
.has.bee
n
.a.majo
r
.topi
c
.in.the.Inf
ormation
.Tec
hnology
.(IT
)
.wor
ld
.for.yea
rs,
.man
y
.ava
il-
able
.sec
urity
.mec
hanisms
.exi
st.
.How
ever,
.it.is.not.alw
ays
.pos
sible
.to.tri
vially
.map.the
se
.mec
hanisms
.
to.the.ind
ustrial
.com
munication
.dom
ain.
.is.is.for.var
ious
.rea
sons.
.e.req
uirements
.reg
arding
.the.
use
d
.com
munication
.pro
tocol(s)
.may.di
er.
.Ind
ustrial
.com
munication
.sys
tems
.oe
n
.hav
e
.rea
l-time
.
and.saf
ety
.req
uirements
.tha
t
.can
not
.be.met.by.pro
tocols
.and.the
ir
.ext
ensions
.use
d
.in.the.IT.wor
ld.
.
Add
itionally,
.whi
le
.Int
ernet
.pro
tocol
.(IP
)-based
.net
works
.are.get
ting
.mor
e
.pop
ular
.in.ind
ustrial
.com
-
munication
.sys
tems,
.non
-IP-based
.el
dbus
.med
ia
.and.pro
tocols
.are.sti
ll
.use
d
.at.the.el
d
.lev
el.
.Sin
ce
.
mos
t
.IT.sec
urity
.mec
hanisms
.are.tai
lored
.to.IP.net
works,
.the
y
.are.of.lim
ited
.use.in.non
-IP-based
.el
d-
busses.
.Fur
thermore,
.in.con
trast
.to.dev
ices
.typ
ically
.fou
nd
.in.the.IT.dom
ain,
.ind
ustrial
.com
munication
.
sys
tems
.may.con
sist
.of.low
-power
.embe
dded
.dev
ices
.wit
h
.lim
ited
.sys
tem
.res
ources.
.is.is.esp
ecially
.
tru
e
.in.wir
eless
.sen
sor
.net
works.
.Sin
ce
.sec
urity
.mec
hanisms
.are.com
putationally
.int
ensive,
.the
ir
.use.
must.not.exceed.the.available.resources.of.these.embedded.devices.
Industrial
.com
munication
.sys
tems
.are.dis
tributed
.sys
tems
.whe
re
.the.con
trol
.fun
ctionality
.is.spr
ead
.
acr
oss
.di
erent
.dev
ices.
.To.int
eract
.wit
h
.eac
h
.oth
er,
.the
se
.dev
ices
.are.int
erconnected
.by.a.com
mon
.
net
work.
.er
efore,
.an.adv
ersary
.has.two.di
erent
.opp
ortunities
.to.gai
n
.una
uthorized
.acc
ess
.to.con
trol
.
fun
ctions:
.e.adv
ersary
.may.try.to.mal
iciously
.int
erfere
.wit
h
.the.dat
a
.tha
t
.is.exc
hanged
.bet
ween
.the.
dev
ices
.(net
work attacks)
.or.the.adv
ersary
.may.dir
ectly
.att
ack
.the.dev
ices
.tha
t
.imp
lement
.the.con
trol
.
fun
ctionality
.(de
vice attacks).
Network
.at
tacks
.ca
n
.be.di
vided
.in
to
.fo
ur
.cl
asses
.[P
FL]:
•
. Int
erception attacks:
. e. adv
ersary
. tri
es
. to. gai
n
. una
uthorized
. acc
ess
. to. con
dential
. dat
a
.
exchanged.over.the.network.(e.g.,.network.sning).
•
. Mod
ication attacks:
.e.adv
ersary
.tri
es
.to.cha
nge
.the.dat
a
.whi
le
.it.is.tra
nsmitted
.ove
r
.the.net
-
work
.(e
.g.,
.mo
dication
.of.ne
twork
.me
ssages).
•
. Fab
rication attacks:
.e.adv
ersary
.tri
es
.to.ins
ert
.mal
icious
.dat
a
.(e.
g.,
.rep
lay
.pre
viously
.sen
t
.net
-
work
.me
ssages).
•
. Int
erruption attacks:
.e.adv
ersary
.tri
es
.to.int
errupt
.the.com
munication
.bet
ween
.dev
ices
.and.
thu
s
.ma
kes
.da
ta
.un
available
.(e
.g.,
.de
nial-of-service
.(D
oS)
.at
tacks).
Device
.at
tacks,
.on.th
e
.ot
her
.ha
nd,
.ca
n
.be.cl
assied
.in
to
•
. So
ware attacks:
.An.adv
ersary
.may.use.reg
ular
.com
munication
.cha
nnels
.to.exp
loit
.wea
knesses
.
in.a.de
vice’s
.so
ware.
•
. Phy
sical attacks:
.An.adv
ersary
.may.use.phy
sical
.int
rusion
.or.man
ipulation
.(e.
g.,
.pro
bing
.of.bus.
lin
es,
.re
placement
.of.RO
M
.ch
ips)
.to.in
terfere
.wi
th
.a.de
vice.
•
. Sid
e-channel attacks:
.Sid
e-channel
.att
acks
.are.bas
ed
.on.obs
erving
.ext
ernal
.par
ameters
.of.a.dev
ice
.
suc
h
.as.cur
rent
.con
sumption
.of.EM.emi
ssions
.tha
t
.are.mea
surable
.dur
ing
.ope
ration
.to.col
lect
.
inf
ormation
.ab
out
.it
s
.in
ternals.
To
.cou
nteract
.the
se
.typ
es
.of.sec
urity
.att
acks,
.di
erent
.sec
urity objectives
.hav
e
.to.be.gua
ranteed.
.
Acc
ording
.to.[DZ
U],
.the
se
.are.int
egrity,
.ava
ilability,
.aut
hentication,
.aut
horization,
.con
dentiality,
.and.
non
-repudiation
.or.tra
ceability,
.whe
reas
.the.rs
t
.fou
r
.hav
e
.a.ver
y
.hig
h
.ran
king
.in.ind
ustrial
.com
muni-
cation
.sy
stems.
© 2011 by Taylor and Francis Group, LLC
Security in Industrial Communication Systems 22-3
22.2 Planned approach to Security: Defense in Depth
Security.should.be.a.planned.process.that.comprises.the.complete.system..e.security policy,.also.called.
secu
rity architecture,
.desc
ribes
.all.secu
rity
.meas
ures
.but.also.all.rele
vant
.orga
nizational
.proc
edures
.and.
the.syst
em
.envi
ronment
.requ
ired
.to.prot
ect
.a.syst
em.
.It.incl
udes
.the.orga
nization’s
.appr
oach
.to.risk
,
.a.
form
al
.stat
ement
.of.rule
s
.thro
ugh
.whic
h
.peop
le
.are.give
n
.acce
ss
.to.the.orga
nization’s
.asse
ts,
.a.den
ition
.
of.busi
ness
.and.sec
urity
.goa
ls,
.and.a.des
cription
.of.the.imp
lemented
.sec
urity
.mea
sures.
Security
.is.only.20%.tech
nology
.and.80%.orga
nization
.incl
uding
.pers
onnel,
.proc
ess
.desc
riptions,
.etc..
Rele
vant
.area
s
.can.be.comp
rehended
.in.the.4.P’s.of.secu
rity:
.Peop
le,
.Poli
cy,
.Proc
esses,
.and.Proc
edures.
.
e.set
up
.and.mai
ntenance
.of.a.sec
urity
.pol
icy
.inc
ludes
.the.fol
lowing
.ste
ps:
. 1..Asse
t and risk analysis
.ident
ifying
.the.valu
es
.to.be.prot
ected
.(e.g
.,
.info
rmation
.or.hard
ware),
.
possi
ble
.att
acks,
.and.the.pos
sible
.dam
age
.to.the.sys
tem.
. 2.. rea
t analysis
.is.base
d
.on.the.risk.anal
ysis
.and.is.assig
ning
.the.impa
ct
.of.dama
ge.
.Wher
eas
.the.
risk.anal
ysis
.is.only.comm
itted
.to.the.iden
tication
.of.risk
s,
.the.thre
at
.anal
ysis
.is.givi
ng
.a.prio
rity
.
to.the.impa
ct
.of.risk
s
.and.assig
ns
.occu
rrence
.prob
abilities
.as.well.as.the.exte
nt
.of.dama
ge.
.e.
resu
lting
.risk.nal
ly
.is.the.prod
uct
.of.caus
ed
.dama
ge
.and.the.prob
ability
.of.the.thre
at.
.In.gene
ral,
.
for.indu
strial
.comm
unication
.syst
ems,
.a.qual
itative
.risk.asse
ssment
.is.comm
on
.since.it.is.hard.to.
prec
isely
.det
ermine
.val
ues
.for.dam
age
.and.its.pro
bability.
. 3..Anal
ysis of weaknesses
.trac
king
.vuln
erabilities
.of.the.syst
em.
.In.this.step
,
.the.syst
em
.will.be.care
-
fully
.anal
yzed.
.Base
d
.on.the.prev
ious
.two.step
s,
.actu
al
.weak
nesses
.will.be.iden
tied.
.Only.for.
thes
e
.wea
knesses
.cou
ntermeasures
.mus
t
.be.desi
gned.
. 4.. Desi
gn and specication of security measures
.deal
ing
.with.the.plan
ning
.and.impl
ementation
.of.
appropriate.countermeasures..Especially.important.in.this.step.is.to.nd.the.trade-o.between.
cons
equences
.of.an.atta
ck
.and.“com
fort.”
.For.exam
ple,
.cons
equences
.coul
d
.be.a.mone
tary
.loss.
but.also.a.dama
ge
.of.the.imag
e
.or.an.envi
ronmental
.dama
ge,
.wher
eas
.“com
fort”
.subs
umes
.many.
area
s
.begi
nning
.from.eci
ent
.data.tran
smission,
.low.inst
allation
.cost
s,
.easy.usab
ility,
.or.soci
al
.
acce
ptance.
.Hund
red
.perc
ent
.secu
rity
.is.not.possi
ble.
.Only.an.optim
um
.with
in
.this.trad
e-o
.can.
be.foun
d
.on.the.base.of.a.cert
ain
.appl
ication
.or.appl
ication
.clas
s.
.Anot
her
.impo
rtant
.part.of.this.
phas
e
.is.the.den
ition
.of.the.syst
em
.boun
daries
.of.the.secu
rity
.arch
itecture.
.For.exam
ple,
.the.best.
crypto
graphy
.to.prot
ect
.the.tran
smission
.chan
nel
.is.usel
ess,
.if.the.pass
word
.requ
ires
.bein
g
.so.
comp
lex
.tha
t
.all.use
rs
.mai
ntain
.a.pap
er
.cop
y
.of.the.pas
sword
.ben
eath
.the
ir
.key
board.
is
.general.procedure.to.design.a.security.policy.is.a.continuous.process.throughout.the.life.time.
of.a.syst
em.
.In.part
icular,
.a.good.secu
rity
.poli
cy
.is.acti
ve
.and.not.only.reac
tive
.in.the.sens
e
.that.it.fore
-
sees
.inci
dents
.and.avoi
ds
.bein
g
.a.pure.reac
tion
.on.atta
cks.
.Adver
saries
.are.favo
red;
.they.can.conc
en-
trate
.on.cert
ain
.vuln
erabilities
.and.do.not.have.to.prote
ct
.the.whol
e
.syst
em.
.To.all.thes
e
.proce
dures,
.
the.princ
iple
.of.Kerck
ho
.shou
ld
.be.appl
ied
.dema
nding
.that.the.comp
lete
.cryp
tographic
.algo
rithm
.
must.be.publ
ic
.and.the.secu
rity
.shou
ld
.only.rely.on.the.secr
ecy
.of.the.keys.[KER
].
.No.secu
rity
.by.
obsc
urity.
.Allo
wing
.algo
rithms
.and.proce
dures
.to.be.open.allo
ws
.wide.sprea
d
.secu
rity
.anal
ysis,
.and.
ther
efore
.redu
ces
.the.risk.of.undi
scovered
.secu
rity
.hole
s.
.Addit
ionally,
.this.princ
iple
.also.redu
ces
.the.
risk.of.insi
der
.atta
cks
.sinc
e
.the.know
ledge
.of.the.syst
em
.stru
cture
.oer
s
.no.adva
ntages
.unle
ss
.the.
prope
r
.keys.are.know
n.
For
.indu
strial
.auto
mation
.syst
ems
.a.“def
ense-in-depth”
.conc
ept
.is.the.favo
rable
.appr
oach
.to.prot
ect
.
syst
ems
.sin
ce
.man
y
.ind
ustrial
.com
munication
.sys
tems
.are.alr
eady
.str
uctured
.in.a.hie
rarchical
.way.fol
-
lowing
.the.comp
uter-integrated
.manu
facturing
.(CIM
)
.mode
l
.phil
osophy
.and.also.foll
owing
.the.need.
to.stru
cture
.the.netw
ork.
.Defe
nse
.in.dept
h
.reli
es
.on.die
rent
.secu
rity
.laye
rs
.to.prot
ect
.valu
able
.asse
ts:
.
Usin
g
.the.famo
us
.onio
n
.anal
ogon,
.we.see.that.remo
ving
.the.outm
ost
.(sec
urity)
.laye
r
.reve
als
.anot
her
.
layer.and.many.more.remain.to.be.peeled.away.before.the.assets.become.vulnerable..In.the.physical.
worl
d
.such.a.proc
edure
.is.natu
ral
.(als
o
.in.indu
strial
.auto
mation)
.havi
ng
.a.fenc
e
.arou
nd
.the.fact
ory
.area
,
.
© 2011 by Taylor and Francis Group, LLC