(71aq) Integrating Cyber Security Risk Assessments into the Process Safety Management Work Process

Cyber security is rapidly becoming something that process safety can no longer ignore. It is part of the Chemical Facility Anti-Terrorism Standards (CFATS). In addition, the President’s Executive Order – “Improving Critical Infrastructure Cybersecurity,” has drawn attention to the need for addressing cyber security in our plants as it has been demonstrated that in our new world, they are now a source of potential process safety incident. IEC 61508, “Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems (E/E/PE, or E/E/PES)” now has a requirement to address cyber security in safety instrumented systems and ANSI/ISA 84.00.01, “Functional Safety: Safety Instrumented Systems for the Process Industry Sector” is looking to include this requirement in the next revision. Currently the industry is playing catch up as there tends to be a gap in understanding between information technologists, traditionally responsible for cyber security, and the process automation and process safety engineers responsible for keeping our plants safe with help from automated controls and safety instrumented systems. As a result, guidance is being developed, but much of it continues to be a work in progress 

IEC 62443-2-1, “Establishing an industrial automation and control system security program,” requires a high level risk assessment, a detailed level risk assessment and a cyber-security vulnerability assessment to be performed. This paper explains the purpose of these assessments and where they fit into the process safety management lifecycle. As the entire cyber-security lifecycle is described, the National Institute of Standards & Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity is used to better understand the analysis, design/implement, and operate/maintain phases of the lifecycle. As companies have relatively recently begun to understand the need to address the issue of potential cyber-attacks on the process control and protection system, few have a fully implemented work process. Guidance is provided for existing plants to begin the process and how to fully implement the lifecycle as well as how to approach new projects.