Most conversations about the industrial Internet of Things (IIoT), safety and security revolve around two separate topics: “smart” machinery or process safety to protect people and equipment, or industrial control system security as stand-alone topics.
These conversations are important and valid. However, too many industrial companies are not focused on the inherent safety implications of common security risks.
When an oil pipeline was hacked in Turkey causing an explosion and 30,000 barrels of spilled oil, the cyber attackers negated the existing safety system to shut down alarms, cut off communications and super-pressurize crude oil in the line.
A regional water supplier experienced a cyber-security breach that not only compromised customer data, but caused unexplained valve and duct movements, including manipulation of PLCs that managed water treatment and public safety.
In industrial production, your safety and security programs are inextricably linked.
Many of our customers are tapping IIoT technology to remotely access production machinery, allow wireless access to pumping stations, or connect plant-floor equipment to the IT infrastructure.
This is the future. This is how they can realize improved asset utilization, faster time to market, and lower total cost of ownership. However, greater connectivity can increase security risks that will impact safety. This is where better enterprise risk management is important.
Integrating Safety and Security Efforts
Safety and security have traditionally been viewed as separate entities, but there is a commonality between them in the approaches used to analyze and mitigate risks. For example, the concept of “access control” is common between safety and security. In both cases, policies and procedures are built based on business practices, risk management approaches, application requirements and industry standards.
Manufacturers and industrial operators that want to reduce the likelihood of security-based safety incidents will need to rethink safety in this way. Specifically, start thinking of safety and security in relation to each other. There are three key areas this can have the biggest impact:
- Behavior: In addition to helping protect intellectual property, processes and physical assets, security personnel must make protecting safety systems a core value in everything they do. Greater collaboration between EHS, operations and IT teams is more important as well. For example, all three teams should work together to develop co-managed objectives for safety and security, and identify critical safety-data requirements from plant-floor systems. And because a strong safety culture involves every employee, a companywide understanding of the relationship between security and safety is needed.
- Procedure: Compliance efforts should meet the security requirements in safety standards, such as IEC 61508 and 61511. Conversely, security efforts should follow a defense-in-depth approach and address safety-related security risks at all levels of an organization. Defense-in-depth is recommended in the IEC 62443 (“Security for Industrial Automation and Control Systems”) standard series (formerly ISA99) and elsewhere.
- Technology: All safety technologies should have built-in security features. They also should use security technologies that help protect against safety-system breaches and enable speedy recoveries should a breach occur.
Risk Mitigation
The list of potential security threats that could have safety implications is honestly quite vast. So, any mitigation of your company’s security-based safety risk must start with understanding where your company is most vulnerable.
This should be done by conducting separate safety and security risk assessments, then comparing reports to examine where security most impacts safety. This will allow you to best address your unique set of risks.
We’ve outlined some key mitigation measures that manufacturers and industrial operators should implement in a white paper on “Safety through Security: Protecting People, the Environment and Critical Infrastructure against Industrial Security Threats.”
The concept of digital transformation is bringing production intelligence to our customers for measuring and improving nearly every aspect of their operations. It’s also providing instantaneous information sharing and seamless collaboration across organizations.
For all these opportunities, more connection points can create more entrance points for security threats. You must account for and address how these threats impact the safety of your people, your infrastructure and the environment around your operations. The IIoT is bringing opportunity, risk and the ability to holistically integrate your safety and security programs to optimize operations.