Cyber threats to process safety: industry must share lessons
CONCEPTUALLY, process safety and security have long been interlinked but have not necessarily always appeared on each other’s radar. Ultimately, process safety addresses major accident hazards, whereas security is concerned with malicious breaches and attacks. However, attacks may create the conditions that in turn result in a loss of containment and potentially a process safety incident.
Certainly, in the aftermath of 9/11, physical security came to the fore in process safety circles with discussion of security vulnerability assessments. “Thinking the unthinkable” became the new normal – and besides if a passenger plane could be flown into a major city landmark then a truck crashed, for example, into a remote LPG facility was entirely credible.
Fast forward to 2010 and when I first heard about Stuxnet. Admittedly at the time I did not regard the virus attack as process-safety-relevant and had to be nudged to publish the story to the European Process Safety Centre (EPSC) website. Nevertheless, my overriding sense that cyber security lay outside the process safety mainstream was reinforced when in 2011 at a European process safety network meeting a guest speaker gave a fascinating presentation on the vulnerability of high hazards plants to cyberattack. We were told that cyber warfare was now the fifth dimension of warfare but in truth there was little appetite from the process safety professionals in the room to further develop the topic. More like an interesting excursion into the exotic, and file under “emerging risks”.