Why Cybersecurity Must be Part of Your Safety Plan
May 5, 2020
By Steve Ludwig
The dangers that cyber threats pose to intellectual property, customer records and productivity are well known, but less discussed are the safety implications of these threats. A cyberattack on your industrial control system (ICS) can damage physical assets, alter recipes, injure workers or cause severe environmental damage.
If you’re on a digital transformation journey — whether it’s a managed process or slow evolution — managing the inherent safety and security risks should be an integral part of the process.
A properly designed security approach will improve information collection, analysis and delivery. It will minimize security-related interruptions and frustrations. And it will help protect your enterprise.
Know your risks
Today, both security and safety standards already recognize the link between safety and security risks.
Cybersecurity standard ISA/IEC 62443-1-1 mentions that security breaches can have consequences beyond compromised information. The standard states: “The potential loss of life or production, environmental damage, regulatory violation and compromise to operational safety are far more serious consequences. These may have ramifications beyond the targeted organization; they may grievously damage the infrastructure of the host region or nation.”
Functional safety standard IEC 61508-1 specifies that hazards associated with equipment and control systems must be determined under all reasonably foreseeable circumstances. The standard says: “This shall include all relevant human factor issues and shall give particular attention to abnormal or infrequent modes of operation of the EUC. If the hazard analysis identifies that malevolent or unauthorized action, constituting a security threat, as being reasonably foreseeable, then a security threats analysis should be carried out.”
Security, like safety, approaches issues based on managing risk, leveraging continuous assessment and baselining to ensure you are managing to a risk threshold. Your level of acceptable risk will vary by industry and potential outcomes.
Considering that most cybersecurity attacks are based on the attacker simply finding a vulnerable target — rather than being specifically targeted due to industry or prominence — a cybersecurity attack is a foreseeable circumstance in virtually every industry. Assessing your cybersecurity risks, determining your level of acceptable risk and mitigating identified risks to an acceptable level are now the basic “reasonable” steps to help protect people from foreseeable misuse and malevolent or unauthorized actions.
As with safety, ignoring cybersecurity and associated risks is the mistaken belief that “if I don’t know about the risk, I can’t be held accountable.” That’s not an acceptable posture, ethically or for compliance purposes, especially when lives are on the line.
Address risks together
Some have used the risks that connected technologies can introduce as an argument against modernization. But, it’s important to recognize that doing nothing is not a solution. Maintaining legacy systems too long not only deprives you of valuable insights and other IIoT benefits, but these systems also often lack the security measures of contemporary systems making them more vulnerable rather than less.
The better approach is to make the most of digital transformation, while helping protect safety and security as part of the process. As you do this, keep some key things in mind.
For example, many security practices have long been used in the IT world, but they’re new to the OT world. And, while many of the mitigation steps are similar in comparison, they’re applied very differently in the front office than on the plant floor.
In a manufacturing environment, cybersecurity and safety risks should both be part of risk management and part of the management of change (MOC) process. And EHS professionals should be involved in managing processes and compliance with standards and laws.
It’s a new age in industry. The advantages of Industry 4.0 certainly outweigh the increased risks. And by understanding the risks and mitigating them as part of your digital initiatives, you can expand what’s possible in your operations while helping protect what matters most to you.
Learn more about industrial security.
Steve Ludwig is Commercial Programs Manager, Safety, Rockwell Automation. Rockwell Automation is a founding member of the ISA Global Cybersecurity Alliance and has received multiple ISA/IEC 62443 certifications.
