Security and Safety Follow Parallel Paths
The perceived overlap between functional safety and cyber-security disciplines was also the driver for one of the latest moves by the International Society for Automation’s ISA99 committee, which is charged with developing a security standard for industrial automation and control systems. In May, the ISA99 co-chairs announced the formation of a joint working group to include members not only from ISA99, but also from the ISA84 safety committee. The joint group, known as ISA99 Working Group 7 (WG7), had by mid-June attracted more than 50 participants, including noted experts in both safety and cyber security.
“Some people may jump to the conclusion that this is a working group to try and identify how to make SIS systems more secure. But that’s not the case,” says WG7 co-chair Mike Boudreaux. “Working Group 7 is focused on finding ways to take a lot of the best practices and concepts from the existing functional safety domain and apply them to the functional security domain,” explains Boudreaux, an ISA84 member who is DeltaV SIS product manager at automation vendor Emerson Process Management, in Austin, Texas.
“We want to make security as easy to adopt and as easy to implement as possible, and the way to do that is to align with existing [safety] engineering practices as closely as possible,” adds Bryan Singer, ISA99 committee co-chair, who is also co-chairing the WG7 with Boudreaux. “That’s why it makes perfect sense to bring in the experts like the ISA84 folks who are more in tune with these engineering disciplines,” Singer explains. “They can help us kind of fuse these two together where it makes sense, and where it’s needed.” By drawing from lessons learned on the safety side, and by borrowing where appropriate, Singer adds, ISA99 also hopes to be able to shorten the time required to develop an effective cyber-security standard and associated work processes.
There is much that the industrial cyber-security community can learn from the safety side, says Singer, principal consultant for Kenexis Security, based in Pelham, Ala. Safety standards and associated engineering work practices are mature and well established, based on decades of learning, he points out. And while safety and security disciplines do have significant differences, many safety processes and procedures have parallels in security, Singer says.
Boudreaux agrees. For example, he says, “On the front end of the security lifecycle, where you’re trying to figure out what your risks are, the kind of risk analysis that you do is very similar to the type of risk assessments that you do for safety, where you’re identifying unwanted consequences, evaluating the likelihood that those might occur, and based on that, you have a level of risk that you need to implement safeguards against.”
In the safety world, standards such as the International Electrotechnical Commission’s IEC 61508 and IEC 61511 describe methods for assigning Safety Integrity Levels (SILs) to designate different levels of risk reduction provided by a safety function. Similarly, the ISA99 committee is working on a parallel concept for security known as SAL—for Security Assurance Level. Just as Safety Integrity Levels range from ...
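The SIL assignment the article describes can be made concrete with a small worked example. The script below is an added illustration, not code from the article, ISA99 or any vendor: it takes the risk-analysis inputs Boudreaux mentions (an unmitigated event frequency and a tolerable frequency), derives the risk reduction the safeguard must provide, and maps that to a SIL using the low-demand PFDavg bands from IEC 61508 (SIL 1: 1e-2 to 1e-1, SIL 2: 1e-3 to 1e-2, SIL 3: 1e-4 to 1e-3, SIL 4: 1e-5 to 1e-4). It also checks whether a set of independent safeguards, each with an assumed PFD, brings the residual frequency below target. The frequencies and PFD values in the sample run are constructed for illustration; the article gives no SAL band definitions, so the security-side mapping is deliberately left out.

```python
"""Required SIL from a demand-mode risk reduction target.

Added example, not from the article or from any standards body.
All numeric inputs in the sample run are constructed illustration values.
"""
import math

# IEC 61508 low-demand PFDavg bands: (SIL, lower PFD inclusive, upper PFD exclusive)
SIL_BANDS = [
    (1, 1e-2, 1e-1),
    (2, 1e-3, 1e-2),
    (3, 1e-4, 1e-3),
    (4, 1e-5, 1e-4),
]


def required_rrf(unmitigated_freq_per_year: float, tolerable_freq_per_year: float) -> float:
    """Risk reduction factor (RRF) the safeguard must deliver: unmitigated / tolerable."""
    if unmitigated_freq_per_year <= 0 or tolerable_freq_per_year <= 0:
        raise ValueError("frequencies must be positive")
    return unmitigated_freq_per_year / tolerable_freq_per_year


def required_sil(rrf: float):
    """Lowest SIL whose PFD band covers the target PFD (= 1 / RRF).

    Returns 0 when RRF <= 10 (no SIL-rated function required) and None when
    the RRF exceeds what SIL 4 covers, i.e. the risk should be engineered out
    of the process rather than placed on a single safety function.
    """
    if rrf <= 10:
        return 0
    target_pfd = 1.0 / rrf
    for sil, lo, hi in SIL_BANDS:
        if lo <= target_pfd < hi:
            return sil
    return None


def residual_frequency(unmitigated_freq_per_year: float, layer_pfds) -> float:
    """Residual event frequency after independent protection layers.

    Assumes the layers are independent, so their PFDs multiply.
    """
    for pfd in layer_pfds:
        if not 0.0 < pfd <= 1.0:
            raise ValueError("each PFD must be in (0, 1]")
    return unmitigated_freq_per_year * math.prod(layer_pfds)


def meets_target(unmitigated_freq_per_year: float, layer_pfds, tolerable_freq_per_year: float) -> bool:
    """True when the layered safeguards bring the residual frequency to or below target."""
    return residual_frequency(unmitigated_freq_per_year, layer_pfds) <= tolerable_freq_per_year


if __name__ == "__main__":
    # Constructed scenario: an unwanted consequence estimated at once per 10 years
    # unmitigated, with a tolerable frequency of once per 10,000 years.
    unmitigated = 1e-1
    tolerable = 1e-4
    rrf = required_rrf(unmitigated, tolerable)
    print(f"required RRF = {rrf:g}, required SIL = {required_sil(rrf)}")
    # A non-SIS layer (alarm plus operator response, assumed PFD 0.1) plus a SIL 2
    # instrumented function (assumed PFD 1e-3) -- do they meet the target?
    layers = [1e-1, 1e-3]
    print(f"residual = {residual_frequency(unmitigated, layers):g}/yr, "
          f"meets target: {meets_target(unmitigated, layers, tolerable)}")
```

The band boundaries matter: an RRF of exactly 100 gives a PFD of 1e-2, which IEC 61508 places in SIL 1, while anything just above 100 needs SIL 2. The same shape of calculation (consequence, likelihood, tolerable risk, required reduction, assurance band) is what the article says ISA99 wants to carry over into the SAL concept.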