Cyberattacks no longer impact just the IT environment. As operational technology (OT) systems in production environments have become more connected, cyberattacks on those systems have put people, equipment, production capacity and the environment at risk.
Back in 2014, cyber attackers were able to gain access to a steel mill’s network by hacking the company’s email to steal login information. After the hackers gained access to the mill’s network, workers lost control of a blast furnace containing molten metal heated to over 1,000 degrees Fahrenheit. The attack caused a massive amount of damage to the facility. Thankfully, no one was injured, but if the hack had escalated, the risk to workers could have been catastrophic.
In February 2021, cyber attackers hacked a Florida wastewater treatment plant’s computer system and increased the levels of sodium hydroxide in the water from 100 parts per million to 11,100 parts per million. Luckily, a plant manager noticed the hack as it happened and was able to return the system to normal before it caused damage or endangered the public. If it had gone unnoticed, residents of Oldsmar, Fla., and surrounding communities would have suffered severe consequences, such as burns to the mouth, throat, eyes, lungs, esophagus, nose and stomach, resulting in permanent damage or death.
The increasingly interrelated nature of safety and security in today’s connected production environment means that these two elements must be addressed together. But how do you make the necessary changes to align two areas of risk management that have historically been managed separately? Given that safety and security are both reliant on people, processes and technologies, there are tremendous opportunities for your organization to improve efficiencies and effectiveness by bringing together efforts in the following three areas.
People: Foster Safety and Security Collaboration
Understanding and addressing your security-based safety risks require a combination of safety and IT expertise. Therefore, better collaboration is needed between your EHS, IT and operations teams. They must work together to develop safety and security objectives; identify vulnerable assets and critical safety data requirements; and conduct risk assessments that address both safety and security risks.
In our work with organizations in this area, we’ve identified several best practices for how teams can collaborate in meaningful ways for their organizations. As you get started in this area, we recommend the following:
- First, identify common goals between the disparate teams, such as reducing costs associated with production interruptions, injuries or non-compliance, or damage to brand image.
- Second, cultivate a common language by using terms such as “risk assessment,” “risk mitigation,” “layers of protection,” “validation protocols” and more.
- Third, agree on shared ways to measure success through key performance indicators (KPIs). Examples of KPIs common to both safety and security risks include unscheduled asset downtime, supply chain interruptions and costs of noncompliance.
- Fourth, develop a response plan that includes continuous improvement measures to enhance both defenses and response.
- Fifth, identify proactive measures that could identify vulnerabilities before an attack or accident occurs. This includes architecture and technology reviews, assessments, system validation/analysis, testing and more.
- And, finally, establish leadership and executive accountability for risk management. This often involves members of the legal and compliance teams who are well-versed in management of many risk types.
Bringing together these critical teams can help your organization cultivate an enterprise-wide mindset that prioritizes safety and security as integral pillars to helping achieve operational excellence and business performance.
Process: Leverage Industry Standards and Methodologies
Addressing safety through security is no longer just an aspiration—it's a matter of compliance. Standards now provide formal guidelines for addressing safety in the context of security.
The functional safety standard IEC 61508, for instance, states that hazards associated with equipment and control systems must be determined under all reasonably foreseeable circumstances. According to the standard, “This shall include all relevant human factor issues and shall give particular attention to abnormal or infrequent modes of operation of the EUC [equipment under control]. If the hazard analysis identifies that malevolent or unauthorized action, constituting a security threat, as being reasonably foreseeable, then a security threats analysis should be carried out.”
For cybersecurity, the ISA/IEC 62443 standard defines requirements for implementing electronically secure industrial control systems. They apply to any organization that designs, manufactures, implements or manages these systems. This includes not only product and service providers, but also system integrators and asset owners that do their own integration and maintenance of control systems.
Fortunately, safety and security share common risk management methodologies that come from interrelated safety and security standards that take a lifecycle approach to assessing and mitigating risk. Security guidance also comes from the National Institute of Standards and Technology (NIST) cybersecurity framework, which organizes basic cybersecurity activities into functional levels. The ISO 12100 functional safety lifecycle helps maximize productivity and improve safety with steps required to assess and mitigate machinery risks.
Each process begins with a proactive and methodical approach based on the specific standards. Generally, this involves asset analysis to identify any safety hazards or security vulnerabilities in your systems. The next step for both processes involves analyzing and mitigating potential failures in the design stage. For security, this entails developing an architecture that thwarts and detects security attacks. For safety, it’s devising a system that can account for failures of technology and human errors.
Your organization can implement a companywide risk management strategy to manage security threats and vulnerabilities, and their potential implications for safety. Two assessments are essential to this strategy:
- A safety risk assessment to confirm compliance with standards, including IEC 61508 and ISO 12100, which addresses standard operating functions and all human-machine interactions.
- A security risk assessment that describes the overall security posture regarding software, network, control system, policies and procedures, and even employee behaviors. It also should outline what steps must be taken to achieve the desired level of security.
Your EHS and IT teams can complete these assessments on their own or use a collaborative partner with expertise in both safety and security. A partner can identify blind spots that might be overlooked by an internal team that is involved with the systems and networks day in and day out. Working together, the teams can develop a plan that helps your organization comply with the standards of today and prepares it for tomorrow. And, most importantly, an external partner can help you best identify and address potential safety risks that could result from the security threats facing your company.
Aligning safety and security processes using these similar, standards-based methodologies can help your company address safety and security risks together. Ultimately, this will create a more compliant work environment.
Technology: Secure Safety Equipment
Modern safety equipment is increasingly connected and programmable. Safeguarding the equipment from threats that could compromise the system is critical.
To help protect safety equipment against cyberattacks, you need a defense-in-depth security approach that uses multiple layers of defense. Two of those layers can include CIP Security and CIP Safety, which can be combined to provide a robust, certified basis for achieving safety and security in industrial automation control systems.
CIP Security is an extension of the Common Industrial Protocol (CIP). It helps protect devices by rejecting potential threats, including altered data, messages sent by untrusted people or devices, and messages requesting actions that aren’t allowed.
CIP Safety is also a CIP extension and provides fail-safe communication between nodes such as safety input/output blocks, safety interlock switches, safety light curtains, safety controllers and robots. It helps protect communication-transmission integrity by detecting errors and allowing devices to take appropriate actions.
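To make the two layers described above concrete, the following is an added illustrative Python model; it is not Rockwell's code and not the actual CIP Security or CIP Safety protocol, only a simplified stand-in for the checks the text lists. A safety-style CRC detects corruption in transit, and a security-style layer rejects messages from untrusted devices, messages whose data has been altered or whose authentication tag is forged, replayed messages, and messages requesting actions the sender is not permitted to perform. The device names, keys, permission table and frame layout are all constructed for the example.

```python
import hashlib
import hmac
import struct
import zlib

# Constructed sample key material and permissions: stand-ins for the device
# identities and policies a real deployment would provision (not CIP formats).
TRUSTED_DEVICE_KEYS = {
    b"hmi-01": b"hmi-01-secret-key",
    b"safety-plc-01": b"plc-01-secret-key",
}
ALLOWED_ACTIONS = {
    b"hmi-01": {b"read_status", b"reset_fault"},
    b"safety-plc-01": {b"read_status", b"reset_fault", b"set_safe_state"},
}

TAG_LEN = 32   # HMAC-SHA256 digest length
CRC_LEN = 4    # CRC32, big-endian


def build_message(sender, action, seq, key):
    """Frame layout (constructed): payload | CRC32(payload) | HMAC(payload||CRC)."""
    payload = b"|".join([sender, action, str(seq).encode()])
    crc = struct.pack(">I", zlib.crc32(payload))
    tag = hmac.new(key, payload + crc, hashlib.sha256).digest()
    return payload + crc + tag


def validate_message(frame, last_seq):
    """Return (accepted, reason, new_last_seq). Checks run cheapest-first."""
    if len(frame) < CRC_LEN + TAG_LEN + 1:
        return False, "malformed frame", last_seq
    payload = frame[:-(CRC_LEN + TAG_LEN)]
    crc = frame[-(CRC_LEN + TAG_LEN):-TAG_LEN]
    tag = frame[-TAG_LEN:]

    # Safety-layer style check: random corruption of the payload in transit.
    if struct.pack(">I", zlib.crc32(payload)) != crc:
        return False, "transmission error detected", last_seq

    parts = payload.split(b"|")
    if len(parts) != 3:
        return False, "malformed payload", last_seq
    sender, action, seq_bytes = parts

    # Security-layer checks: trusted sender, unaltered data, fresh, permitted.
    key = TRUSTED_DEVICE_KEYS.get(sender)
    if key is None:
        return False, "untrusted sender", last_seq
    expected = hmac.new(key, payload + crc, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        # A valid CRC with a bad tag means deliberate alteration or forgery.
        return False, "altered data or forged tag", last_seq
    try:
        seq = int(seq_bytes)
    except ValueError:
        return False, "malformed payload", last_seq
    if seq <= last_seq:
        return False, "stale or replayed message", last_seq
    if action not in ALLOWED_ACTIONS[sender]:
        return False, "action not permitted", last_seq
    return True, "accepted", seq


def demo():
    """Run constructed test frames through the validator; return reason per case."""
    key = TRUSTED_DEVICE_KEYS[b"hmi-01"]
    results = {}

    good = build_message(b"hmi-01", b"reset_fault", 1, key)
    results["good"] = validate_message(good, 0)[1]

    # Constructed corruption: one flipped bit in the payload (caught by CRC).
    corrupted = bytearray(good)
    corrupted[3] ^= 0x01
    results["corrupted"] = validate_message(bytes(corrupted), 0)[1]

    # Constructed alteration: action changed and CRC recomputed, but the
    # original tag is kept because the key is unknown (caught by HMAC).
    altered_payload = good[:-(CRC_LEN + TAG_LEN)].replace(b"reset_fault", b"set_safe_state")
    altered = altered_payload + struct.pack(">I", zlib.crc32(altered_payload)) + good[-TAG_LEN:]
    results["tampered"] = validate_message(altered, 0)[1]

    # Unknown device with a well-formed frame but no provisioned key.
    rogue = build_message(b"rogue-laptop", b"reset_fault", 2, b"any-key")
    results["untrusted"] = validate_message(rogue, 0)[1]

    # Trusted device requesting an action outside its permission set.
    forbidden = build_message(b"hmi-01", b"set_safe_state", 2, key)
    results["forbidden"] = validate_message(forbidden, 1)[1]

    # The accepted frame presented a second time.
    results["replayed"] = validate_message(good, 1)[1]
    return results


if __name__ == "__main__":
    for case, reason in demo().items():
        print(f"{case:10s} -> {reason}")
```

The ordering matters for a defender: the cheap CRC check screens out random transmission faults first, so the integrity failure that reaches the HMAC check is far more likely to be deliberate and worth alerting on, and the sequence check runs before the authorization check so a replayed frame is rejected even when its action would otherwise have been permitted.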
Safety devices with CIP Safety also make possible a smarter approach to safety in production environments. For example, the devices give users access to diagnostic data that can provide insights into common failures or misuse and can help improve productivity.
While this may seem complicated, your team does not have to do this alone. A services partner can help you create a reliable and secure network infrastructure. This strategic partnership can combine the correct knowledge and expertise needed to provide a holistic approach that can help you design, deploy and manage a network infrastructure that is central to your enterprise.
Case Study: Chemical Company Addresses IT and OT Risks
COVID-19 has forced companies to find new ways to manage safety and security while keeping operations running smoothly.
One Latin American chemical company needed to implement a greenfield project during the pandemic. With a significant increase in the number of employees working from home to protect their health and safety, the company needed a safe and secure way for employees and suppliers to access its IT/OT network remotely to support the implementation. As part of this process, the company needed the ability to monitor and audit operations staff’s remote interactions with the site’s industrial control system while maintaining system reliability and reducing the risk of cybersecurity incidents.
By deploying secure remote-access solutions and a pre-engineered virtualized environment solution, the company was able to:
- Complete the greenfield project using secure remote access for implementation.
- Reduce overall cybersecurity risk to the corporate and OT networks.
- Simplify control and monitoring of all OT remote access sessions and increase system reliability.
- Improve workforce efficiency with reduced travel needs and improved systems support coverage.
- Protect employee safety by reducing the number of people on-site.
Implementing change to bring together safety and security can seem intimidating. But a planned, holistic approach that encompasses people, processes and technologies can bring these two entities together as part of a larger companywide risk management strategy. And if you have strained resources, or don’t know where to start on an effort like this, a partner with industrial safety and security experience can help you address your specific security-based safety challenges.
George Schuster, TÜV functional safety expert (FSExp), TÜV cyber security specialist (CySec), joined the Rockwell Automation Industry Solutions Team as a senior industry specialist in 1997. In this position, he has provided controls and safety-application consulting in the areas of advanced process development and system integration. He has also been involved in the development of control system solutions, safety systems and services business development.