In modern industrial environments, safety is an expectation. In most places, the safety of workers and the environment is expected by law, by contract, and by culture; the care and safety of physical production assets is critical to profitability.
Today, failure to manage cybersecurity risks puts more than your customer records at risk—it places your physical assets and intellectual property at risk, along with the safety of workers, the environment, and the surrounding community.
Best-in-class companies are already proving the tremendous value of digital transformation. Using greater connectivity, smart devices, systems, and software, they’re gaining contextualized information and insights into their operations. These insights are helping increase throughput and efficiency, decrease costs, make smart and timely decisions, improve safety, and meet customer expectations.
The necessity of these insights is driving investments in smarter devices that detect when they need maintenance before they fail, integrated control systems that analyze the current state of operation and optimize productivity and safety, and connectivity throughout the supply chain to coordinate activities.
But with smarter technologies and greater connectivity come new risks.
Historically, industrial control systems (ICS) were isolated from the information technology (IT) used in front offices. ICS ran on proprietary hardware and were programmed with proprietary tools and protocols. Demand for less expensive and easier-to-use ICS products brought open technologies (commodity operating systems, Ethernet, TCP/IP) into ICS, and digital transformation connected ICS to IT networks, creating pathways between the Internet and plant-floor devices.
Some have used this as an argument against modernization. But it’s important to recognize that keeping legacy systems in service too long not only deprives you of the valuable insights the Industrial Internet of Things (IIoT) brings; legacy systems also most often lack the security measures built into contemporary systems, such as user authentication, encrypted communications, and firmware that can be patched.
Which brings us back to the point. A cyberattack on your ICS can disrupt or damage physical assets, steal intellectual property, alter recipes, injure workers, or cause severe environmental damage to the surrounding area.
Previously, criminals launched cyber-attacks primarily for financial gain; now nation states and organized criminal groups are attempting to damage, disrupt, or modify infected industrial control systems (ICS) and networks.
Cyber-attacks can have catastrophic effects on safety and public health.
- American Bar Association, Insurance Coverage Litigation Committee, 2016
If you’re on a digital transformation journey (and most are, whether as a managed program or a slow evolution), managing the inherent safety and security risks should be an integral part of the process. A properly designed security approach improves information collection, analysis, and delivery; minimizes security-related interruptions and frustrations; and helps protect your enterprise.
Security, like safety, is managed as risk: you assess continuously, establish a baseline, and manage against a defined risk threshold. The level of acceptable risk will vary by industry and by the potential consequences of a failure.
Today, both security and safety standards are recognizing these risks:
Cybersecurity standard ISA/IEC 62443-1-1, Section 4.1:
… However, because industrial automation and control systems equipment connect directly to a process, loss of trade secrets and interruption in the flow of information are not the only direct consequences of a security breach. The potential loss of life or production, environmental damage, regulatory violation, and compromise to operational safety are far more serious consequences. These may have ramifications beyond the targeted organization; they may grievously damage the infrastructure of the host region or nation.
Functional safety standard IEC 61508-1 7.4.2.3:
The hazards, hazardous events and hazardous situations of the EUC and the EUC control system shall be determined under all reasonably foreseeable circumstances (including fault conditions, reasonably foreseeable misuse and malevolent or unauthorized action). This shall include all relevant human factor issues, and shall give particular attention to abnormal or infrequent modes of operation of the EUC. If the hazard analysis identifies that malevolent or unauthorized action, constituting a security threat, as being reasonably foreseeable, then a security threats analysis should be carried out.
Since most cyberattacks are opportunistic, with the attacker simply finding a reachable, vulnerable target rather than selecting a victim for its industry or prominence, a cyberattack is a reasonably foreseeable circumstance in virtually every industry. Assessing your cybersecurity risks, determining your level of acceptable risk, and mitigating identified risks to that level are now the basic “reasonable” steps to protect people from foreseeable misuse and malevolent or unauthorized action.
As with safety, ignoring cybersecurity and associated risks—in the mistaken belief that “if I don’t know about the risk, I can’t be held accountable”—is not an acceptable posture.
Many security practices have long been used in the IT world but are new to the OT world. And while many of the mitigations are similar in principle, they are applied very differently in the front office than on the plant floor: a patch that IT rolls out within days may have to wait for a scheduled production outage in OT, and an active vulnerability scan that is routine on office PCs can crash a legacy PLC or disturb a running process, so OT leans more heavily on passive monitoring, network segmentation, and compensating controls.
Cybersecurity risks are safety risks. In the modern manufacturing environment, both should be part of risk management and of the management of change (MOC) process. Environmental, health, and safety (EHS) professionals should be involved in managing these processes and in ensuring compliance with standards and the law.
It’s a new age in industry. The advantages of Industry 4.0 certainly outweigh the increased risks. Understanding the risks and mitigating them is part of the plan.
A version of this post can also be found on the Rockwell Automation blog. It appears on the ISAGCA blog with adjustments made by the author.