Safety has been the top priority in the process industry for decades, while cyber security only became relevant in recent years. Cyber security and safety seem to have an arbitrary contradiction. Differences certainly exist between these two pillars that support industry, but they have even more in common. Safety isn’t possible without proper cyber security in all cases.
A Safety Instrumented System (SIS) is the ‘last automated line of defense’ of any production process and is standardized in the IEC 61511.
An integral approach to cyber security and safety is necessary to guarantee business continuity. Cyber security and safety are of equal importance. But, having cyber risks automatically means a company can’t guarantee safety. These risks don’t pose any new dangers to safety, but they can disable critical safety controls and lead to hazardous situations. Not taking into account the possible environmental- and reputation damage.
An integral approach to safety and cybersecurity does have some challenges on an organizational level. For example: It isn’t possible to combine cyber security and safety in the same Risk and Vulnerability Assessment (RVA). In safety the challenge is to avoid any incidents. In cyber security the challenge is not to only avoid any incidents, but to also stay in control after one has occurred.
The current worldwide cyber security standard for Industrial Automation and Control Systems (IACS) is the IEC 62443. This standards framework describes the implementation of a Cyber Security Management System (CSMS) from its first steps to a full implementation. Furthermore, it describes how the use of RVA’s will assist in determining Security Levels (SL’s) and managing vulnerabilities.
Safety is part of CE-marking and it’s likely cyber security will develop into a similar system as the Safety Integrity Level (SIL). Cyber security products will receive a cyber certification to indicate capability. In the short-term authorized certification will become more widespread.