Process safety professionals have an especially important part to play in protecting the chemical process industries (CPI) from cybersecurity threats.
Cybersecurity is one of today’s most popular buzzwords, and it can be heard in everyday discussions about the internet, corporate networks, cryptocurrency, global affairs, and many other topics. But there is one place where cybersecurity is not discussed as much as it should be: the plant floor.
Automation cybersecurity is a specific branch of cybersecurity that focuses on the prevention of intentional or unintentional interference with the proper operation of automation systems including industrial control, manufacturing, and industrial internet of things (IIoT) systems. Simply put, automation cybersecurity is the protection of systems connected to real-world physical components against unauthorized changes from computers or other networked devices.
This article uses the term industrial control system (ICS) cybersecurity to refer to automation systems, but this is largely synonymous with many other industrial cybersecurity acronyms listed in Table 1.
| Table 1. These common acronyms for automation systems are often used interchangeably. | |
| CSC | Control system cybersecurity |
| ESIACS | Electronic security for industrial automation and control systems |
| IACS | Industrial automation and control systems |
| ICS | Industrial control system |
| OT | Operational technology |
| PCN | Process control network |
| SCADA | Supervisory control and data acquisition |
ICS cybersecurity priorities are fundamentally different from those of traditional information technology (IT) applications. For IT cybersecurity, preventing data leaks and maintaining confidentiality is the most important job. A temporary loss of availability is not a significant concern; as the proverbial IT wisdom goes, “Have you tried turning it off and on again?” For ICS cybersecurity, availability is the number one priority because it is not possible to shut down a batch reactor halfway through a reaction to reset an engineering workstation. Confidentiality is still important, but the potential financial impact of losing proprietary information (e.g., batch recipes) can be quickly outweighed by the cost of unexpected downtime and lost production.
ICSs also have unique constraints that make it more difficult to implement cybersecurity protections. ICSs contain a variety of different technologies, from traditional computers and servers to a mix of embedded devices including distributed control systems (DCSs), packaged programmable logic controllers (PLCs), and safety instrumented systems (SISs). These embedded devices have a much longer lifespan (often 15–20 years) than a laptop or PC (3–5 years).
Originally, ICSs were intended to operate as air-gapped networks: completely isolated, standalone networks with no connectivity to external systems. Over time, these ICSs have continued to evolve and become more interconnected with traditional internet-facing networks. Several drivers have played a role in this shift: the need to transfer process and historian data, the need for more frequent updates to firmware or applications, the use of advanced data analytics and control, and the increased use of remote access. As a result of this greater connectivity, ICSs are now more vulnerable to cyberattacks and must be actively protected, from the business network to the plant floor.
Every team member must play a role in achieving cybersecurity, but process safety professionals have an especially important part to play. With their knowledge of the impacts of a process excursion and involvement in the steps required to prevent unsafe conditions, they are a valuable resource when applying cybersecurity protections to the control system. With all of the activities that process safety professionals are involved in, adding cybersecurity to this list may feel like an overwhelming amount of responsibility. This article will help to jumpstart this process by introducing the top five things that all process safety professionals need to know about cybersecurity:
- Cybersecurity is a credible threat to ICSs
- Cybersecurity incidents can have significant safety consequences
- Cybersecurity incidents can lead to common cause failure of multiple systems
- Cybersecurity needs to be integrated with existing process safety techniques
- People play a major role in cybersecurity...
Would you like to access the complete CEP Article?
No problem. You just have to complete the following steps.
You have completed 0 of 2 steps.
-
Log in
You must be logged in to view this content. Log in now.
-
AIChE Membership
You must be an AIChE member to view this article. Join now.
Copyright Permissions
Would you like to reuse content from CEP Magazine? It’s easy to request permission to reuse content. Simply click here to connect instantly to licensing services, where you can choose from a list of options regarding how you would like to reuse the desired content and complete the transaction.