Why asset owners should take cyber security into account in their safety assessment
Plants often have machinery commissioned in different eras of technological development and regulation. Safety inspections concentrate mostly on occupational safety, and cyber security is not in focus. A cultural change is necessary to make sure that asset owners appreciate the importance of cyber security in plants. The solution is to change the processes and methods related to safety, starting by making cyber security a part of the plant’s technical safety assessment.
Regulations are not the end-all
Cyber security threats to business continuity are growing. Cyber security regulations such as NIS2 and the new Machine Regulation give organizations guidance on how to control and manage these threats. Nevertheless, taking cyber security into account requires more from organizations.
“Taking cyber security into account when assessing technical safety requires a change in culture and in the way we are doing things currently,” says Jari Laurila, manager of safety operations at Etteplan. “It’s possible and even essential to make the correct changes in advance and already at the equipment buying stage.”
Technical risk assessments for machines and equipment are a routine activity for asset owners. Unfortunately, cyber security is often forgotten at this stage. A mixed machine base from different eras doesn’t help.
“Machines are commonly updated through USB sticks and PLCs have free entry in production facilities. The traditional ways of doing things leave significant cyber security risks on the table,” continues Jari.
Safety concept including cyber security
Etteplan’s Safety Concept is used for creating detailed information about workplace safety conditions. The service is a focused way to produce a detailed risk assessment for a specific machine or production line, and to update the safety of existing assets, machinery and production lines to comply with current local legislation.
Figure 1. Safety Concept in different phases of the value chain and basic process
Figure 1 shows how the Safety Concept is an important part of each phase of the process, whether that phase belongs to the machine manufacturer, system integrator or asset owner. The Safety Concept reveals critical safety defects in machines, processes or production lines. It gives a starting point for detailed engineering, including technical realization proposals. The Safety Concept is performed by Etteplan’s safety experts together with the customer. Etteplan also includes a cyber security assessment as part of the general risk assessment.
“Cyber security is important in all phases but is usually forgotten in the phases allocated to the asset owner. As a part of our Safety Concept we implement a detailed cyber security risk assessment and provide proposals for managing these risks,” continues Jari. “By looking at the process from the aspect of cyber security and repeating the process continuously, asset owners can bring cyber security into the everyday functions of their plant.”