Professionals working with safety-related control systems are familiar with new provisions of the functional safety standard for the process industry sector IEC 61511-1 2nd edition that came in 2016 and stipulates in chapter 8.2.4 as follows “A security risk assessment shall be carried out to identify the security vulnerabilities of the SIS” – SIS being the Safety Instrumented Systems.
Basically, this is the requirement from Hazard and Risk Assessment (H&RA) to have the security risk assessment where in the note the reference is made to ISA TR84.00.09 and IEC 62443.
In critical infrastructure or Operators of Essential Services (as per NIS definition) the ICS/OT Cyber Security Risk Assessments became an important part of the design, operate and maintenance activities during the entire safety and security life cycle of the ICS. Many of Operators in Critical Infrastructure started to use new issued, in 2020, IEC 62443-3-2 standard “Security risk assessment for system design” leveraging the Process Safety risk to quantify the OT Cyber Security risk and having as a result their view on the Security Levels targets and what are the necessary steps to be taken to protect ICS against cyber threats and incidents.
So far all goes fine, but there is one small thing: Who are those responsible persons that are in charge for doing this ICS/OT Cyber Security Risk Assessments for the safety-related control systems? And here, coming back to functional safety standards, there is a golden rule stated for the professionals who are doing the H&RA- three principles:
- seniority
- competency
- independency
All in regard to safety-related control systems and functional safety.
Unfortunately, IEC 62443 does not have such requirements imposed for the professionals that are going to do ICS/OT Cyber Security Risk Assessments for safety-related control systems. And in most of the cases, these days, we can find in the market that such assessors are coming manly from the perspective of ISO 27k standards background trying somehow to fit within requirements from IEC 62443-3-2. Which is not really the same thing.
A good description of some mandatory skills for a professional that shall lead an ICS/OT Cyber Security role and being involved in ICS/OT Cyber Security Risk Assessment exercises for safety-related control systems is described in Technical paper from The 61508 Association Cyber Security – An introduction for Functional Safety Systems
“The responsible person(s) for cyber security of the safety-related systems should come from a process or automation background and must have competence in E, C & I and functional safety together with an understanding of IT technology and cyber security. The responsible person(s) must understand the safety requirements and how they can be impacted by cyber security. All personnel involved with SIS and Cyber Security should participate in on-going skill development and training. As skill requirements change due to new equipment or procedures senior technical and management personnel should provide training to ensure the best outcome for their facility’s SIS installations. Cyber security hazards and risk are fast changing therefore the skill sets of the cyber security responsible person must be reviewed frequently.“
Safety first!
AUTHOR
Albert Vartic
CCI Coordinator in Romania
NETWORKING | KNOWLEDGE | EXPERIENCES