Safety and Security Should Go Hand in Hand

May 1, 2015
Process safety and cybersecurity can be deeply intertwined, with one type of incident easily affecting the other. But more than that, there is much that security lifecycles can learn from the more longstanding tradition of safety.

During a business trip years ago to visit an automation supplier in Germany, one of their engineers made the point that “safety” and “security” are the same word in German: Sicherheit. His point was, despite them being said the same in German and several other languages, we really needed to remember that they were two different concepts and needed to have separate consideration.

Well, it seems we’ve come full circle. Despite safety and security being distinct words in English, we really need to start putting them together in our thoughts of plant integrity. They share a lot of similarities, and the effects of one are often intertwined with the effects of the other.

This has been a common theme at Schneider Electric’s Global Automation Conference this week in Dallas, repeated from a variety of perspectives. With the launch of the Tricon CX, Schneider executives pointed repeatedly to the world’s first joint safety and security certification from TUV. In his discussion of the new compact safety system, Mike Chmilewski, vice president of process systems offer management for Schneider Electric’s process automation business, emphasized the importance of that joint certificate and the need to start thinking about safety and security in a more tandem way so they can really work together.

The fact that both TUV and Exida are now issuing certificates that have both safety and security certifications on them is “a huge step forward,” said Scott Mourier, global process automation SIS expertise area leader for Dow Chemical.

Mourier took the stage during a special safety and security general session on Wednesday as the safety expert. Andre Ristaino, head of ISASecure, served as his security counterpart. Together, the two explained repeatedly the value of looking at security from a safety standpoint, and vice versa.

Process industries are steeped in safety culture, primarily because, when things go wrong, the consequences tend to be particularly severe. Things explode. Toxins are spread. People die. The list goes on.

Industry has seen its share of mishaps. “Industry has learned, unfortunately, through accidents and incidents,” Mourier noted.

After Mourier listed the steps that need to be taken for manufacturers to make sure they understand what could go wrong—such as starting with the process design, which will then drive identification of the hazards—it was Ristaino’s turn to talk about security.

“If you took the word ‘safety’ and substituted ‘security,’ you’d pretty much be there,” Ristaino commented. “The safety lifecycle is very similar to the security lifecycle.”

One key difference, though, is that security doesn’t have the same level of maturity in the industry that safety does. It’s been 35 years of learning for safety, and part of the hope is that the industry won’t have to spend 35 years making all the same mistakes with security.

“We’re in the early phases of the maturity lifecycle for security,” Ristaino commented. “It’ll come faster for us. It won’t be 35 years.” Urgency is one reason for that, he added, but also they have an opportunity to learn from safety.

Steve Elliott, senior offer director for Schneider Electric’s process automation offerings, and also moderator for the conversation with Mourier and Ristaino, emphasized how important it is to keep safety and security together in discussions of operational integrity. “These two things are actually stronger together. They’re more similar than they are different,” he sais. “We need to make sure we’re making the same commitment to security that we made to safety.”

Elliott also noted how easy it is for a security incident to become a safety incident. The most dangerous situation, Ristaino said, can be a perceived security incident that perhaps isn’t real. “People start pushing buttons and pulling levers,” he said, and cause a safety upset.

And when a security issue is real, it’s no less damaging to safety. “Cybersecurity incidents can relate directly to process safety incidents,” said Josh Carlson, systems cybersecurity manager at Schneider Electric, during a private conversation this week.

An example Carlson pointed to was an incident that took place in 2008 in which hackers used an Internet connection to explode an oil pipeline in Turkey—compromising the cameras and sensors used to monitor the pipeline, modifying the alarm management system to mute alarms, and creating pressure inside the line to cause the explosion.

“If you don’t do cybersecurity at all the levels,” Carlson warned, “bad things can happen.”

Talking about the interconnection of process safety and cybersecurity can not only help people understand that cybersecurity incidents can relate directly to process safety incidents, but can also help them make more sense of cybersecurity efforts.

“They have very similar methodologies,” Carlson said. So rather than try to reinvent the wheel, security can follow a similar lifecycle through the process to safety, including risk assessment, threat analysis, implementing mitigating factors, maintaining and monitoring, and reassessing on a regular basis.

“What I think it’s doing is peeling back the onion and taking the black box of security away; it’s making it a manageable process that people can work with,” Carlson said. “They’re already trained in how to do safety. It’s just a repetitive process. Now, how do I do cybersecurity? It makes it a lot more manageable and tolerable to take that on.”

About the Author

Aaron Hand | Editor-in-Chief, ProFood World

Aaron Hand has three decades of experience in B-to-B publishing with a particular focus on technology. He has been with PMMI Media Group since 2013, much of that time as Executive Editor for Automation World, where he focused on continuous process industries. Prior to joining ProFood World full time in late 2020, Aaron worked as Editor at Large for PMMI Media Group, reporting for all publications on a wide variety of industry developments, including advancements in packaging for consumer products and pharmaceuticals, food and beverage processing, and industrial automation. He took over as Editor-in-Chief of ProFood World in 2021. Aaron holds a B.A. in Journalism from Indiana University and an M.S. in Journalism from the University of Illinois.

Companies in this Article

Sponsored Recommendations

Measurement instrumentation for improving hydrogen storage and transport

Hydrogen provides a decarbonization opportunity. Learn more about maximizing the potential of hydrogen.

Learn About: Micro Motion™ 4700 Config I/O Coriolis Transmitter

An Advanced Transmitter that Expands Connectivity

Learn about: Micro Motion G-Series Coriolis Flow and Density Meters

The Micro Motion G-Series is designed to help you access the benefits of Coriolis technology even when available space is limited.

Micro Motion 4700 Coriolis Configurable Inputs and Outputs Transmitter

The Micro Motion 4700 Coriolis Transmitter offers a compact C1D1 (Zone 1) housing. Bluetooth and Smart Meter Verification are available.