Building a Resilient World:
The ISAGCA Blog

Welcome to the official blog of the ISA Global Cybersecurity Alliance (ISAGCA).

This blog covers topics on automation cybersecurity such as risk assessment, compliance, educational resources, and how to leverage the ISA/IEC 62443 series of standards.


The Connection Between Cybersecurity and Safety

This blog post is the first in a four-part series discussing the intersection of safety and security.

 

The funny thing about human nature is that we tend to assume things are going to work, until they don’t.

The recent power crisis in Texas is a good reminder of that. Everyone assumes the power system is going to work, until it doesn’t. Who would have thought that a few days of weather in the teens would nearly collapse the power system in the state of Texas for days? It’s a little reminiscent of the Fukushima nuclear incident about 10 years ago. Who would have thought that a once-in-a-lifetime tsunami would cause a meltdown of a nuclear reactor on the coast of Japan behind a 19-foot-high seawall? There are plenty more examples.

The same phenomenon occurs with security and cybersecurity breaches. It is human nature to assume that people will follow the law, respect boundaries, and not harm others, until they don’t. In a world run by computers, it doesn’t take a lot of creativity to imagine what could happen if these computers stopped working, or worse, if they were tampered with to a degree that you could not trust the integrity of the data.

Anyone involved in automation knows just how critical industrial control and safety systems are to the safe and reliable operations of the machines, processes, and facilities they control. Compromise of the integrity or availability of these systems could lead to any of the following outcomes, especially if safeguards are also implemented in programmable electronic control or safety systems.

  • Interruption of service
  • Off-spec product
  • Machine, unit, plant, or facility shutdown
  • Equipment damage
  • Environmental incident
  • Employee injury or death
  • Public safety incident

So, while we don’t like to think the unthinkable, someone must. This is where safety engineers, security and cybersecurity experts, and risk management professionals come in. While we can’t prevent every disaster, the field of risk management exists to bring discipline to the process of identifying what could happen, how bad it could be, and what can be done to mitigate the risk.

Process engineers and machine builders have been conducting process safety and machine safety studies for decades to understand and mitigate risk. They utilize a variety of methodologies to perform these assessments, such as process hazard analysis (PHA), layer of protection analysis (LOPA), hazard and operability analysis (HAZOP), and failure modes and effects analysis (FMEA).

These traditional process and machine hazard evaluation and mitigation techniques are great tools in helping to understand risks. However, they do not typically evaluate or mitigate cyber threats that could impact the integrity or availability of control systems. The convergence of information technology (IT) and operations technology (OT) platforms is exposing modern industrial automation systems to increased cyber threats and vulnerabilities. These increasing threats have the potential to affect multiple layers of protection, including basic process control, process alarms, and safety instrumented systems. In fact, in certain circumstances, it may be possible for a single cyber threat to simultaneously defeat multiple layers of protection.

Therefore, to ensure our machines, processes, and facilities are truly safe, we must evaluate the risks associated with cyber compromise of the integrity and availability of control systems.

This blog series will discuss the intersection of safety and security. The remaining posts will address the following topics:

  1. Regulations, standards, and best practices: What do regulations and standards say about integrating safety and security? How are safety standards and cybersecurity standards interrelated? What regulations and standards apply to my industry?
  2. Risk assessment methodologies: How do you evaluate the risk of cybersecurity to an industrial control system? How does one account for the effectiveness of existing safeguards? What methodologies are companies in my industry using to assess cyber risk? How do they compare?
  3. Case study(ies): One or more case studies from asset owner(s) who have successfully integrated safety and security in their companies and facilities.


John Cusimano, aeSolutions
John Cusimano, CFSE, CISSP, GICSP, is the vice president of industrial cybersecurity at aeSolutions.
