Magazine

Safety Should be Part of Cybersecurity

To better protect physical assets, workers and compliance, it’s vital to understand the link between safety and security risks and how to mitigate them.

By Steve Ludwig, commercial programs manager, Safety, Rockwell Automation

The dangers that cyber threats pose to intellectual property, customer records and productivity are well known, but safety implications of these threats are discussed less often. A cyberattack on your industrial control system (ICS) can damage physical assets, alter recipes, injure workers or cause severe environmental damage.

If you’re on a digital transformation journey — whether it’s a managed process or slow evolution — managing the inherent safety and security risks should be an integral part of the process.

A properly designed security approach will improve information collection, analysis and delivery. It also will minimize security-related interruptions and frustrations. And it will help protect your enterprise.

Know Your Risks

Both security and safety standards already recognize the link between safety and security risks.

Cybersecurity standard ISA/IEC 62443-1-1 mentions that security breaches can have consequences beyond compromised information. The standard states: “The potential loss of life or production, environmental damage, regulatory violation and compromise to operational safety are far more serious consequences. These may have ramifications beyond the targeted organization; they may grievously damage the infrastructure of the host region or nation.”

Functional safety standard IEC 61508-1 specifies that hazards associated with equipment and control systems must be determined under all reasonably foreseeable circumstances. The standard says: “This shall include all relevant human factor issues and shall give particular attention to abnormal or infrequent modes of operation of the EUC [end user computing]. If the hazard analysis identifies that malevolent or unauthorized action, constituting a security threat, as being reasonably foreseeable, then a security threats analysis should be carried out.”

Security, like safety, approaches issues based on managing risk, leveraging continuous assessment and baselining to ensure you are managing to a risk threshold. Your level of acceptable risk will vary by industry and potential outcomes.

Considering that most cybersecurity attacks are based on the attacker simply finding a vulnerable target — rather than being specifically targeted due to industry or prominence — a cybersecurity attack is a foreseeable circumstance in every industry.

Assessing your cybersecurity risks, determining your level of acceptable risk and mitigating identified risks to an acceptable level are now the basic “reasonable” steps to help protect people from foreseeable misuse and malevolent or unauthorized actions.

As with safety, ignoring cybersecurity and associated risks is the mistaken belief that “if I don’t know about the risk, I can’t be held accountable.” That’s not an acceptable posture, ethically or for compliance purposes, especially when lives are on the line.

Address Risks Together

Some have used the risks that connected technologies can introduce as an argument against modernization. However, it’s important to recognize that doing nothing is not a solution. Maintaining legacy systems too long not only deprives you of valuable insights and other Industrial Internet of Things (IIoT) benefits, but these systems also often lack the security measures of contemporary systems making them more vulnerable rather than less.

The ISA Global Cybersecurity Alliance

Rockwell Automation is a founding member of the ISA Global Cybersecurity Alliance and has received multiple ISA/IEC 62443 certifications. The standards define requirements and procedures for implementing electronically secure automation and industrial control systems and security practices and assessing electronic security performance. Learn more about industrial security efforts from Rockwell Automation.

The better approach is to make the most of digital transformation, while helping protect safety and security as part of the process. As you do this, keep some key things in mind.

For example, many security practices have long been used in the IT world, but they’re new to the operations technology (OT) world. And, while many of the mitigation steps are similar in comparison, they’re applied very differently in the front office than on the plant floor.

In a manufacturing environment, cybersecurity and safety risks should both be part of risk management and part of the management of change (MOC) process. And EHS professionals should be involved in managing processes and compliance with standards and laws.

Expand What’s Possible

It’s a new age in industry. The advantages of Industry 4.0 certainly outweigh the increased risks. And by understanding the risks and mitigating them as part of your digital initiatives, you can expand what’s possible in your operations while helping protect what matters most to you.

^{The Journal From Rockwell Automation and Our PartnerNetwork™ is published by Putman Media, Inc.}

Subscribe to Rockwell Automation and receive the latest news, thought leadership and information directly to your inbox.