Cyber security issues are becoming more common in the modern world due to the fact more and
more devices are designed with high levels of technology. Devices, systems and networks are
becoming increasingly more open and integrated and therefore accessible providing an ever
increasing attack surface for cyber security threats. Many safety-related systems were designed and
developed at a time when the issue of cyber security was not envisaged. That leaves many of today’s
current systems potentially vulnerable to new and emerging threats.
Whilst the IT industry is further ahead in relation to cyber security the priorities for Information
Technology (IT) are different from those of Operational Technology (OT) and the solutions and
mechanisms used are not necessarily applicable to industry and industrial control systems. There are
many threat vectors and it is important to bear in mind that not all cyber security incidents are the
result of deliberate actions. Many cyber security incidents are triggered accidently or by inadvertent
actions. The security threat landscape is constantly changing, however there are some general
classifications as described in IEC 62443 of potential threats that an organization should consider:
– Malicious hackers – an individual whose objective is to penetrate the security
defences of a third party computer system or network. [ISO/IEC 27002]
– Professional Hackers – an organization funded by a government or other
organization specifically aimed at penetrating security defences.
– Disgruntled Employee - an individual who works for the organization who may be
inclined to do harm resulting from their state of mind regards the organization.
– Well-meaning employee – an individual who works for the organization, who, during
the course of their work, circumvents a security countermeasure in order to “get the
job done”.
– Third-party contractor – an individual or organization that may have privileged
access to the Basic Process Control System (BPCS), Safety Instrumented System (SIS)
and/or other control-related systems through an agreement to operate or maintain
those systems.
– Automated systems (device-to-device) – automated portions of the BPCS, SIS and/or
other control-related systems that have privileged access.
As cyber security is a relatively modern discipline some organisations currently produce guidance
and / or standards, most of which are still to be fully developed. Some of this guidance is for the IT
industry, some is specifically for industrial control systems and some addresses, at least in part, the
requirements for safety-related systems. The most recent versions of the functional safety standards
for the Process Industries (IEC 61508 and IEC 61511) have added a mandatory requirement to
consider cyber security threats and, if any are identified, take the necessary steps to protect against
them. It should also be considered good practice to apply this mandatory cyber security requirement
to functional safety in all other industries, for example machinery (IEC 62061 / ISO 13849).