Cybersecurity and Technical Safety – Assessing Risks Together

In the past, IT systems and processes in industrial facilities could be assessed separately for risk. That no longer works. In our interconnected world, cyber threats impact technical safety and vice versa.

The world has changed from a safety threat perspective. Almost all industrial processes are now connected to digital environments, such as various automation and safety systems. For example, if a safety function is meant to prevent chemical leaks, what happens if someone can tamper with the system controlling that function remotely?

Previously, this would not have been possible; in today’s world, it most likely is if protections are not in place. Locked doors and entry permissions are no longer sufficient when someone can disable a supposedly reliable safety function with “one press of a button.” A vulnerability could have been identified and prevented with a cyber threat risk assessment.

Cybersecurity and technical safety are now so tightly intertwined that a lack of cyber expertise has become a process safety risk. This is one reason why we decided to write this blog together. By combining technical and cybersecurity expertise, we can better prepare for today’s interconnected safety threats.

Any industrial facility is an “interesting target”

Global safety threats affect almost all businesses, and no industrial facility is an exception. Any facility can be an “interesting target” when activists, data thieves, or terrorist extremists want to cause harm or gain attention. Sometimes accidents happen as well. Lives have been lost due to cyber-attacks that hit the wrong target.

Chemical safety is one common factor across various industrial operations. It can involve just one LPG cylinder needed for auxiliary functions or a massive tank feeding the entire process. Vandalism or a failure of safety functions can cause, for example, a fire that spreads widely and leads to the explosion of stored gas cylinders.

Therefore, it is crucial to know your operation’s threat factors, real threats, and risks with consequences.

How to prepare for safety threats in the connected world?

Finnish Safety and Chemicals Agency (Tukes) Guide: If you store chemicals, consider reviewing the Tukes guide “Preparation for Safety Threats in Handling and Storing Hazardous Chemicals.” It provides information on chemical legislation and various means of cyber influence. The guide also includes simple checklists to help begin assessing the safety threats of your own operations.

Risk Assessments: Assessing safety threats in industrial operations often requires expert assistance. We can carry out comprehensive risk assessments, starting with identifying threats. Each industrial facility is unique. For example, process safety HAZOP reviews can be combined with cyber threat assessments (SHAZOP).

Risk Inspections: Once risks are identified, regular risk inspections suffice. Inspection frequency can vary based on the facility’s criticality – from quarterly to annually – and during significant changes or anomalies. Regular efforts become increasingly lighter with each cycle. Depending on the scope of operations, the inspection may take hours or a few days. The investment is small given the benefits.

Safety is a Process: The operating environment constantly changes, so preparedness measures remain appropriately scaled only by knowing how current and likely various threats are. For example, increased frequency of cyber-attacks on the industry or new techniques used by criminals, like cryptoware, may require new preparedness actions.

Safety Assessments: Many authorities require verification that safety is monitored and developed properly. Assessment can be done using Sweco’s Safety Index, which easily incorporates various metrics, such as Traficom’s Cyber Meter.

We also organize workshops, joint exercises, and training related to risk assessments, involving a sufficiently broad group of experts from both our and your team. Collaboration improves results. Though IT security experts and process safety professionals don’t usually “speak the same language,” we can act as interpreters.

We have learned to communicate across departmental boundaries, enabling your facility’s responsible personnel to sit at the same table and discuss new safety threats in the interconnected world.

Niko Pikkarainen, Sweco’s Technical Safety Team Leader, niko.pikkarainen@sweco.fi

Cris Puchner, Sweco’s Head of Security, Industry ICT Design Team Leader, cris.puchner@sweco.fi