Merging Worlds: How Safety Management Meets Digital Security in Cyber-Physical Systems
In modern industrial and critical infrastructure operations, the line between physical processes and their digital counterparts is becoming increasingly blurred. Machines no longer work in isolation and today’s equipment is smart, connected, and integrated with complex software.
This has resulted in what are called ‘Cyber-Physical Systems’.
This convergence between physical and digital brings many benefits but also raises new risks. Fortunately, the most important requirements remain the same:
Safety & Availability.
The Cyber-Physical counterpart of a Safety Management System (SMS) is Cyber-Physical Security Management (CPSM). CPSM is a holistic and integrated approach designed to protect and secure cyber-physical systems while maintaining the dual priorities of Safety and Availability.
Industry standards such as IEC 62443 and NIST SP 800-82 have been developed to share best practices and guidelines for CPSM. To help understand these standards and the concept of CPSM, we can highlight similarities to traditional Safety Management Systems:
Leadership buy-in: Both CPSM and SMS require buy-in of the executive leadership. Without this support and drive for success, these programs will fail. A clear target is mandatory to measure and achieve success.
Resilience and Recovery: CPSM emphasizes system resilience. Systems should be designed to continue its essential operations even under adverse conditions, and to recover quickly from any disruptions. The concept of ‘fail-safe’ is especially important. This can mean ‘fail open’ or ‘fail closed’ – depending on the risk profile of the specific process. Fail safe can be achieved through appropriate configuration of parameters in software and even at the hardware level where some industrial network devices can pass data even in event of a power failure.
Integration with SMS: Recognizing that many organizations already have a Safety Management System in place, CPSM integrates seamlessly with these traditional systems, ensuring no gap between cyber safety and physical safety.
Policies: Both CPSM and SMS revolve around well-defined policies and objectives. While SMS emphasizes machinery safety and human well-being, CPSM focuses on protecting digital assets, maintaining process safety and availability.
Integrated Risk Management: Both adopt proactive stances - SMS identifies operational hazards and implements controls, while CPSM uncovers digital vulnerabilities and sets up safeguards and blockers. Similar to SMS, CPSM needs to extend to all areas of the organization to ensure all potential risks to the operating environment are identified.
Monitoring and Response: Continuous monitoring is important. SMS tracks equipment health and worker behaviors, while CPSM demands real-time monitoring of network activities. Both necessitate swift, coordinated emergency responses.
Human Factor: Training is crucial in both realms. SMS trains on equipment protocols and safety measures, whereas CPSM educates on cyber threats and digital best practices. Many cyber-physical incidents are caused by insiders – either by mistake, or with malicious intent. Therefore, the concepts of least-privilege, credential management and physical access are especially important.
Transparency: Both emphasize open communication. SMS shares safety metrics and incident data. CPSM promotes transparent reporting of cyber threats and breaches. Collaboration needs to extend across job roles and departments.
Audits, Compliance and Standards: Periodic reviews ensure ongoing effectiveness. While SMS involves safety checks and equipment inspections, CPSM entails digital security assessments, vulnerability tests, alignment with Cyber-Physical standards such as IEC 62443 or NIST 800-82, and a culture of continuous improvement.
It is normal for organizations to feel behind and overwhelmed at the rapid pace of digitization and cyber-physical convergence. How is your connected organization managing digital security for your Cyber Physical Systems, ensuring Safety and Availability?
At Kutoa, we understand and listen to the unique challenges of industrial and critical infrastructure environments. We partner with organizations to build cybersecurity capacity, including robust Cyber-Physical Security Management (CPSM) that supports the dual priorities of Safety and Availability.
