Cyber SafePS: A Solution That Identifies the Cyber Security Risks to the Plant

Cyber security in Process Plant Safety

Process plants have industrial control systems (ICS) embedded in the various levels of the company’s digitalisation. But no system is invulnerable; a technology malfunction can lead to asset damage, environmental consequences, financial losses, and even injury or loss of life.

Digitalisation, automatic control systems and other technologically advanced tools are used to optimise industrial processes; all process plants have industrial control systems (ICS) embedded in the various levels of the company’s digitalisation, from field devices (instruments, actuators, etc.) to PLCs acting as complex logic controllers. These systems can even be used to remotely monitor and control worksites, acquiring and transmitting data without requiring personnel to travel long distances. The devices that make up an ICS can open and close valves and breakers, collect data from sensor systems and monitor the local environment. Within a plant, an ICS can centrally control the various phases of production, gather and share data for quick access, and find and notify faults while minimising their overall impact.
However, no system is invulnerable, and in an industrial context a technology malfunction can lead to financial losses, asset damage, environmental consequences and even injury or fatalities. The scale of the consequences can be enormous, and they can also be the result of criminal activity that targets vulnerabilities in these automated, centralised cyber systems. The scope of the damage that can be done when organisations fail to establish robust, resistant cyber protections can be far greater than anything allowed for in the original design. When a plant fails or struggles financially, when the air or water is polluted, or when employees’ health and safety is compromised, the effects are far reaching.
Given the risks and their consequences, organisations must understand that cyber threats are just as potent as all other 'traditional' safety risks, and that cyber attacks can hijack the conventional safety measures they have put in place. Alarms can be disabled, controls can be manipulated, and the signals workers rely upon to ensure safety are all vulnerable to tampering via cyber attack. Prevention of the consequences of cyber attack is covered by IEC62443 for process plant and IEC61511 for safety systems.
When exploring Cyber Security within a plant, the main questions to consider include:
  • If a cyber attack succeeds, what is the ultimate risk to your people, plant, environment?
  • What are your defences against attack?
  • Have you identified the essential barriers against a cyber attack, labelled them as cyber-critical safeguards and subjected them to consistent Cyber Safety Management?
  • Have you checked for defence in depth and diversity amongst your safeguards and barriers for the major accident hazards that such attacks could cause?

Importance of Cyber Security and Protection

Cyber security tends to focus on protecting computers, I.T. networks and the data highway; however, ICSs are just as vulnerable to cyber attack, and the consequences can be far more devastating than the breach of personal data that is typically seen. Simply placing critical functions out of an attacker's reach is a major part of the outcome of any Cyber Risk Assessment work.
Organisations therefore need barriers that are genuinely INDEPENDENT and barriers to PROTECT the data highway.
  • Have you identified the areas vulnerable to cyber attack?
  • Have you identified what Major Accidents might be caused by a cyber attack?
  • Do you have clearly defined safeguards that require controls (cyber-security) to prevent remote access?
  • Where are your independent barriers?
  • Can you confidently answer HSE questions?

Which standard should I choose?

Cyber security is a topic that is now covered by the standards for safety instrumented systems (SIL-rated systems using IEC61511). In the UK those same standards are referenced by the 'Government safety inspectors', the Health and Safety Executive (HSE), in their guidance on the application of DSEAR, which also addresses cyber security specifically.
The two main families of standards covering the subject of cyber security are:
  • ISO standards for I.T. system safety.
  • IEC standards (IEC62443, a European norm) for process plant safety with I.T.
True to our values and role as trusted advisors, we listen carefully to our clients to ensure that our approach is adapted to their needs. Our Process Safety experts work in close partnership with clients to establish the most appropriate path to take when considering cyber security in a plant context.

Our Approach

The main points to consider when assessing cyber attack risk are:
  • Establish the MAH (Major Accident Hazards): all MAH that could be caused by a cyber attack must be established;
  • Highlight all valid safeguards and barriers: it is vital to highlight all valid safeguards and barriers within the plant that would prevent such devastation;
  • Create a schedule of all the Cyber-critical independent safeguards: to comply with the standards, a schedule of all Cyber-critical independent safeguards must be created;
  • Produce a schedule of all MAH for which there are no independent safeguards: a schedule of all MAH for which there are no independent safeguards, and for which you must rely upon computer protection systems alone, should be produced.
The DEKRA Cyber SafePS approach ensures the right balance between INDEPENDENT barriers and computer and data highway PROTECTION; it is a risk assessment, not a HAZOP study, and you as the client will choose whether to assess the risk to people, environment or assets. The DEKRA Cyber SafePS assessment identifies all barriers against cyber attack that are genuinely independent and guides clients through protection for:
  • People
  • The environment
  • Assets
Our experts assess the risks to produce a Cyber Assessment Report; this report will include a number of schedules that ensure all Cyber Critical safeguards are identified and labelled:
  • First schedule: lists all cases that could result in a fatality and the independent barriers that prevent them;
  • Second schedule: lists the independent barriers that prevent cases that might result in fatalities;
  • Final schedule: lists cases that might result in a fatality but have no independent safeguards.
Having the above enables clients to have the "defence in depth" and "diversity" in protections required by the HSE.
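As an added illustration (not DEKRA's own tool or data), the three schedules and the defence-in-depth/diversity check described above can be modelled in a few lines of Python. The barrier model is an assumption constructed for this example: a barrier counts as independent of cyber attack only when it cannot be reached or altered over the plant data highway, and the scenarios are invented, not taken from a real plant.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Barrier:
    name: str
    kind: str              # e.g. "mechanical", "sis", "bpcs", "procedural"
    network_exposed: bool  # can it be reached or altered via the data highway?

    @property
    def independent(self) -> bool:
        # Assumed rule: independent of cyber attack only if not network-reachable.
        return not self.network_exposed

@dataclass
class Scenario:
    mah: str                 # Major Accident Hazard a cyber attack could cause
    fatality_possible: bool
    barriers: tuple

def schedules(scenarios):
    """Build the three schedules of a Cyber Assessment Report."""
    first, second, final = [], {}, []
    for s in scenarios:
        if not s.fatality_possible:
            continue                                 # only fatality cases are scheduled
        indep = [b.name for b in s.barriers if b.independent]
        if indep:
            first.append((s.mah, indep))             # case + its independent barriers
            for name in indep:
                second.setdefault(name, []).append(s.mah)  # barrier -> cases it protects
        else:
            final.append(s.mah)                      # relies on cyber protection alone
    return first, second, final

def depth_and_diversity(scenario, min_depth=2):
    """Defence in depth: >= min_depth independent barriers; diversity: >= 2 kinds."""
    indep = [b for b in scenario.barriers if b.independent]
    return len(indep) >= min_depth, len({b.kind for b in indep}) >= 2

# Constructed sample barriers and scenarios (hypothetical plant).
RELIEF = Barrier("Pressure relief valve", "mechanical", False)
ISOLATION = Barrier("Local manual isolation valve", "procedural", False)
BUND = Barrier("Bund wall", "mechanical", False)
SIS_TRIP = Barrier("SIS high-pressure trip", "sis", True)   # engineering station on network
DCS_ALARM = Barrier("DCS high-level alarm + operator", "bpcs", True)
SCENARIOS = (
    Scenario("Reactor overpressure", True, (RELIEF, ISOLATION, SIS_TRIP)),
    Scenario("Tank overfill", True, (SIS_TRIP, DCS_ALARM)),
    Scenario("Storage tank loss of containment", True, (BUND, DCS_ALARM)),
)
```

Running `schedules(SCENARIOS)` places "Tank overfill" in the final schedule because both of its barriers can be manipulated over the network, while the storage tank case passes into the first schedule but fails the depth and diversity check with a single mechanical barrier.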
Why DEKRA?