Taking a process safety approach to cybersecurity risk management

Emerson Automation Solutions

By Martin Van Der Merwe
Friday, 03 May, 2019



Over the last decade the industrial sector has been dramatically reshaped by successive waves of enthusiasm for big data, the IIoT and Industry 4.0. The latest evolution of these trends is the push to harness machine learning, augmented/virtual reality and artificial intelligence. These concepts continue to pervade boardrooms and quickly become strategic objectives for organisations seeking an edge and wanting to remain competitive. The result is that more money is being allocated to IT and OT infrastructure than ever before — a welcome opportunity for many ageing industrial sites.

In the most recent downturn of commodity prices, final investment decisions on many of these infrastructure projects were delayed. The additional strain on bottom lines also led many companies to consider consolidating their IT and OT functions to save cost. This consolidation created great opportunities, but as IT and OT infrastructure inevitably merged and news reports of cyber attacks on facilities became a monthly occurrence, it became clear that cybersecurity risks needed to be closely managed.

Many companies approached IT consultancy firms to help run risk reviews and develop mitigation strategies — a great start; however, in several instances that I have observed, the consultants failed to effectively address the operational risk or to account for practical site processes. In other cases, the mitigation outcomes focused only on replicating enterprise IT infrastructure in the OT layer, such as firewalls, security information and event management (SIEM) and automated patch management. Critically, they neglected the broader lifecycle requirements that a secure OT infrastructure demands.

While every company typically has its own defined risk management process, some requirements specific to industrial cybersecurity should be considered. Several published frameworks — for example, NIST — and standards such as IEC 62443 outline these requirements clearly, based on the full lifecycle of industrial cybersecurity. It is important that these be adopted when cybersecurity risk mitigation projects are executed, since OT has a distinctly different risk profile and lifecycle from that of enterprise IT.

Adopting a lifecycle risk management approach to industrial cybersecurity should not be hard for the industry to grasp, because there are very strong parallels between industrial cybersecurity and process safety. However, the general pattern I have observed is that a disparity in focus between the two still exists, even after a cybersecurity project has been delivered.

A good test of a company’s maturity in this regard is to review a typical Management of Change (MOC) or Permit-to-Work (PtW) procedure. Does an explicit cybersecurity risk assessment check exist, or is the expectation that it falls under ‘other’ risks and is left to the individual to disclose? A PtW check of personal protective equipment would never be treated as ‘other’; neither should the use of a USB device.

More equipment on sites now has the capability to be networked through the enterprise layers. More contractors connect to site assets, directly and remotely, to complete their work — and the consequences continue to grow as attacks become more sophisticated and targeted. Effective lifecycle cybersecurity risk management will therefore require a culture change, and should apply the same approaches used in process safety for risk identification, assessment, mitigation, implementation and measurement, underpinned by continued awareness training.

Martin Van Der Merwe is passionate about automation, with a degree in Electronic Engineering and IT from the University of Johannesburg and over 17 years’ experience in the industry. He thrives on connecting clients’ challenges with solutions as the Director for Emerson’s Systems and Solutions in Australia and NZ.

Image: ©stock.adobe.com/au/Olivier Le Moal
