The Convergence of Cybersecurity Certification and Process Safety
For end users of process safety systems, cybersecurity certification should be a primary concern, especially after the costly TRITON/TRISIS malware incident that happened in the Middle East this past year. The emergence of TRITON/TRISIS adds a new dimension to the discussion of ICS and SCADA cybersecurity. Safety systems are not immune to cyber-attacks. As a result, end users will have to take a more considered approach to everything from management of change procedures to integration of process control and safety systems.
The worlds of process safety and cybersecurity are already beginning to converge, and the issue goes well beyond things like safety system malware and cyber-attacks. Many suppliers and end users in the process industries are applying knowledge from the world of process safety, such as process hazard analyses and risk matrices, to develop their cybersecurity strategies.
End Users Must Do More to Address Cybersecurity Risks in Process Safety
Safety systems represent the last line of defense between an abnormal plant situation and a plant incident that can have severe consequences for human life, safety, and the environment. Many end users don’t sufficiently address cybersecurity requirements for process safety systems as part of their overall ICS cybersecurity strategy. Poor management of change, poor physical security practices around things such as locking cabinets, and lapses in basic cybersecurity “hygiene,” such as leaving key switches in program mode, are just some of the problems that end users are dealing with.
The ageing installed base of safety instrumented systems isn’t helping either. The longer end users continue to rely on outdated, and in many cases antiquated, control systems and SISs, the more they increase their risk of attack. In the case of TRISIS/TRITON, for example, the malware targeted a much older version of the system. Many end users have recently completed or are planning major process safety migration projects. This is a particular problem for safety systems, because the time, complexity, and standards conformance work involved in a safety system project are much greater than what is required for a basic process control system.
SIS suppliers are actively addressing these project complexity concerns, in addition to the newly emerging cybersecurity threats, through their own next-generation systems, in-house initiatives, and partnerships with service providers and ICS cybersecurity suppliers. End users who want to mitigate their risks should pay attention to these new developments as the vendor landscape becomes more complex, with a wider range of services for both projects and the process safety lifecycle as it is outlined in the IEC 61508/61511 standards.
In addition to a quantitative assessment of the market and associated analysis, ARC’s recently updated market analysis report on Process Safety Systems includes information such as this to help end users stay up to date with the latest technology, regulatory, and industry trends, including the latest developments from the key global suppliers and standards organizations. The research report also covers the long-term trends impacting this market and its growth over the next five years.