Safe cyber: Regulating safety for Industry 4.0

Digitalisation brings benefits, but also risks that need managing

AS INDUSTRY adapts with the adoption of new technologies, leading to the fourth industrial revolution, safety and its management must also adapt to address the emerging challenges.

Speaking at IChemE’s Hazards 31, hosted virtually on 16–18 November, Sarabjit Purewal discussed managing the risks posed by digitalisation to safety management. Purewal is a Principal Special Inspector and portfolio lead for cybersecurity and emerging technologies at the UK’s Health and Safety Executive (HSE).

In his plenary presentation Managing Cyber Security Risks: a Regulator’s Perspective, he said that the chemical sector, as many others, is seeing an increase in digitalisation, and “with increased digitalisation comes real benefits”. He listed examples including greater monitoring and control; remote operation; and reduced operation and maintenance costs.

“But it also brings risks that need to be managed, and if you don’t manage those risks many of those benefits can be lost.”

He explained that “with open protocols…while that means that you can interconnect every device to every other device, everybody knows how these protocols work”. Hackers can therefore exploit these weaknesses and infiltrate systems through malware and cause destruction, damage, and make ransomware attacks. Purewal noted industrial examples including the cyberattack on Colonial Pipeline – which supplies refined products to the US East Cost. The May attack saw the pipeline shut down for several days, resulting in fuel shortages and panic buying. It also cost operator Colonial Pipeline Company a US$5m ransom payment to take back control of its systems.

“The steps that we take to reduce this risk is what is known as cybersecurity,” he said, an area which HSE has been working on in the past few years to ensure that risks are managed to “tolerable levels”.

“To manage risk…you need to look at people, processes, and the technology that you are applying to control it.”

“You will hear this quite a lot, that people are your weakest link, and the point I want to make is that you want to turn that round to make people your strongest link – people are your first and your last line of defence.”

Purewal said attacks often occur through social engineering, where cyberattackers use pretence to convince staff to click a malicious link, commonly posing as suppliers.

“But if people are trained to ensure to look out for that, then that weakness can be removed.” He added that two key factors needed to help reduce human weakness are designing systems that better suit human capabilities and skills.

He said we can borrow important lessons learned in functional safety during the transition from electronics to computer-based systems. He told TCE that by “electronics” he referred to “control systems comprising of non-programmable electronic systems using analogue circuits”. These were hard-wired and relied on “facia alarms”, which were expensive and therefore carefully limited to those that were essential.

After the transition, “we suddenly found that you could have hundreds of alarms at no extra cost…and of course that’s what we did, we had hundreds of alarms presented to the operators through…screens.

“And what happened was that when there was an incident, all of these alarms came up and the operator did not know how to react because they had so much information that they couldn’t possibly process in the time that they had. Now, exactly the same situation applies to cybersecurity.”

He used the example of having multiple, overcomplicated passwords, though added that the situation has improved. “Just when you got to a point where you could remember them you had to change it. Well people find ways round because they want to do their job,” explaining to TCE that he meant people would write the passwords down.

“The systems that we design around cybersecurity should be…within the capability of the human,” he reiterated.

On technology, Purewal discussed basic cyber hygiene controls. He said these could have prevented “80% of the attacks that we know about”. They are used to prevent unsophisticated, untargeted attacks and include understanding systems and how they are connected, removing unnecessary connections, controlling access, keeping security up to date, and backing up systems.

For guidance on managing risks, Purewal pointed to the HSE’s OG 86 Cyber Security for Industrial Automation and Control Systems. This operational guidance note covers governance, risk and asset management, and training and competency. The second edition, which is being used as the benchmark for compliance in an ongoing inspection programme, is aimed at basic cybersecurity – slightly higher than cyber hygiene. It covers Control of Major Accident Hazards (COMAH) and Network & Information Systems (NIS) regulations. HSE is also working on a third edition that will address higher-level risk.

“To do that we need to develop more detail about how you do risk assessments, and there are some issues around that particularly around how do you determine likelihood. How do you determine likelihood that you will be attacked when these hackers are worldwide and motivations [are] changing frequently and regularly…also, what do proportionate controls to that higher level of risk look like? And we’re working with NCSC to address this and hopefully sometime next year, we will be in a position to produce this.”

NCSC – the National Cyber Security Centre – provides UK organisations with cybersecurity guidance and support.

Purewal also took time to talk about the work HSE is doing around regulating artificial intelligence (AI), which he said is now “becoming a practical reality”.

Unlike traditional software, in which “the relationship between inputs and outputs is explicitly defined in the requirements specification and it can be validated prior to use, for AI systems the performance is normally assured in operation”.

This could lead to severe consequences in safety applications if something goes wrong.

To address the management of AI for safety applications, Purewal said that “we don’t believe that we require changes to regulations – these are goal setting. What we need is to develop the detailed guidance on how they can be achieved”.

HSE is working to develop a sector-wide set of agnostic principles for assurance, collaborating with various partners including vendors, research institutions, other government departments and regulators, and the Office for AI. This is a partnership between the Department of Business, Energy, and Industrial Strategy and the Department for Digital, Culture, Media and Sport, which oversees implementation of the UK’s National AI Strategy.

It is also working with standards bodies to develop standards in this area.

Purewal said: “We are very close to starting trials using some real applications, using the set of principles that I’ve described for assurance and as a result of that we’re hoping that we will tease out an initial assurance framework comprising a set of high-level principles for compliance.”

HSE is trying to develop a common approach by linking to other Government departments working in this area, such as the Defence Science and Technology Laboratory, Ministry of Defence, and the UK National Physical Laboratory.

Purewal’s plenary contributed to the digitalisation theme at Hazards 31. Others included clean technologies, cross-sector learning, and lessons learned from the Covid-19 response. Digitalisation is one of the three priority topics established as point of focus by IChemE’s Learned Society Committee.

The Hazards themes are chosen by the IChemE Technical Committee.

Former IChemE President and Technical Committee Chair Ken Rivers said: As a Technical Committee we felt the themes…had both strong alignment with IChemE’s priorities and also had strong external validation ensuring that Hazards 31 would resonate with potential attendees, by addressing the key challenges in the major hazard space.”