Industrial safety (or worker safety) is a concept that has been practiced for more than a century. As high-tech and software-based systems have entrenched themselves in the world of industry, process and functional safety have emerged, with a focus on maintaining the safety and reputation of the entire plant and, indeed, the organization as a whole. More recently, the rise of cybersecurity as a critical concern for industry has fostered a conversation about the interplay between cybersecurity and process safety.
For example, the International Society of Automation’s Safety Division, which was formed more than a dozen years ago as a natural outgrowth of the ISA’s Safety listserve, recently rebranded itself as the ISA Safety and Cybersecurity Division. In 2012, the division added cybersecurity to its focus with the aim of enabling collaboration among process safety and industrial cybersecurity professionals.
“I view cybersecurity somewhat as a subset of safety, as both have an impact on the safety and reputation of a company,” says Paul Gruhn, P.E. founding director of the ISA Safety and Cybersecurity Division and global process safety consultant at Rockwell Automation. “They are somewhat independent fields, as each requires its own specialized knowledge, and are usually done by different people and groups within an organization. However, the two groups need to interact and work together.”
The ISA Safety and Cybersecurity Division has more than 1,300 members, and Gruhn says the division’s joint conferences on the topics of process safety and cybersecurity are well attended. That said, this does not mean the idea of collaboration between process safety and industrial cybersecurity is without some inherent obstacles. “People and companies always resist change—no matter what the subject—and these two topics are no different,” says Gruhn.
Muthuraman “Ram” Ramasamy, industry manager for the Industrial Automation and Process Control research unit at Frost & Sullivan, says collaboration among disciplines is always challenging. For example, he says efforts to facilitate collaboration between OT (operational technology) and IT (information technology) cybersecurity professionals have been, at best, limited. Likewise, Ramasamy says he believes it will be a struggle to bring cybersecurity and process safety together to form a functional working relationship—that is, unless there is a regulatory requirement for such a relationship.
“Safety and cybersecurity are very critical,” says Ramasamy. “The best organizations are working to educate their employees on these issues, but if you don’t have a
strong regulatory body behind it, it’s not going to gain the necessary attention in most cases.”
Gruhn notes that there is currently a joint working group between the ISA safety and cybersecurity standards committees, which recently produced the technical report
“ISA-TR84.00.09-2013–Security Countermeasures Related to Safety Instrumented Systems (SIS),” and he is hopeful that best practices will gain acceptance beyond the organizations that are mandated by the government. He also sees industrial cybersecurity gaining momentum, but most likely only after companies have encountered a problem.
“We’ve had [safety] standards since 1996, and they are still evolving,” says Gruhn. “The same is happening in cybersecurity. Usually the first-tier companies are leading the way and following good practices, while the ‘bottom feeders’ are ignoring the issues and hoping that nothing happens to them.”
Matt Migliore is the director of content for Flow Control magazine and FlowControlNetwork.com. He has covered industrial applications and technology for more than 12 years. Matt can be reached at 610 828-1711 or Matt@GrandViewMedia.com.