Cyber security in Process Plant Safety

Posted on 09 March 2021

Process plants have industrial control systems (ICS) embedded in the various levels of the company’s digitalisation. But no system is invulnerable; a technology malfunction can lead to asset damage, environmental consequences, financial losses, and even injury or loss of life.

Digitalisation, automatic control systems and other technologically advanced tools are used to optimise industrial processes. All process plants have industrial control systems (ICS) embedded in the various levels of the company’s digitalisation, from field devices (instruments, actuators, etc.) to PLCs acting as complex logic controllers. These systems can even be used to remotely monitor and control worksites, acquiring and transmitting data without requiring personnel to travel long distances. The devices that make up an ICS can open and close valves and breakers, collect data from sensor systems and monitor the local environment. Within a plant, an ICS can centrally control the various phases of production, gather and share data for quick access, and detect and report faults while minimising their overall impact.

However, no system is invulnerable, and in an industrial context a technology malfunction can lead to financial losses, asset damage, environmental consequences and even injury or fatalities. The scale of the consequences can be enormous, and they can also be the result of criminal activity that targets vulnerabilities in these automated, centralised cyber systems. When organisations fail to establish robust, resistant cyber protections, the scope of the damage can be far greater than anything covered in the original design. When a plant fails or struggles financially, when the air or water is polluted, or when employees’ health and safety is compromised, the effects are far-reaching.

Given the risks and subsequent consequences, organisations must understand that cyber threats are just as potent as all other 'traditional' safety risks, and that cyber attacks can hijack the conventional safety measures they have put in place. Alarms can be disabled, controls can be manipulated, and the signals workers rely upon to ensure safety can be tampered with via cyber attack. Prevention of the consequences of cyber attack is covered by IEC 62443 for process plant and IEC 61511 for safety systems.

When exploring cyber security within a plant, the main questions to consider include:

  • If a cyber attack succeeds, what is the ultimate risk to your people, plant and environment?
  • What are your defences against attack?
  • Have you identified the essential barriers to a cyber attack, labelled them as CYBER CRITICAL SAFEGUARDS, and subjected them to consistent Cyber Safety Management?
  • Have you checked for defence in depth and diversity amongst your safeguards and barriers against major accident hazards caused by these attacks?