For decades, the worlds of Information Technology (IT) risk assessment and Process Hazard Analysis (PHA) have operated in parallel universes. One side focused on data integrity and network security, and the other on preventing catastrophic physical events like explosions and toxic releases. Today, as Operational Technology (OT) and industrial control systems (ICS) become increasingly connected, this separation is no longer realistic.
The most critical and technically challenging trend in industrial safety today is the integration of cyber risk directly into the PHA framework. This shift isn’t just about updating a spreadsheet; it represents a fundamental change in how we define, assess and mitigate industrial risk. It’s about recognizing that the “keyboard” can now be an ignition source and a line of code can be a deadly failure point.
In traditional safety assessments, a PHA is a method of identifying potential hazards, such as a runaway reaction or overpressure, together with the layers of protection (safety barriers) intended to prevent those incidents or mitigate their consequences. These barriers can be mechanical, like a relief valve; human, like an operator procedure; or automated, like an alarm. The problem now lies in the increasing reliance on software-based barriers, specifically those found within Safety Instrumented Systems (SIS).
The Anatomy of a Vulnerable Barrier
An SIS is an independent, dedicated system designed to bring a process to a safe state when pre-defined conditions are violated. It is the last line of automated defense. Components include:
Sensors: Detect unsafe conditions such as high temperature or high pressure.
Logic Solver: The controller, often a specialized safety PLC, that executes the safety logic and decides when to trip.
Final Elements: Actuators such as safety shutdown valves that physically move to stop the hazard.
While the hardware components are robust and certified, the logic solver and its communication pathways are fundamentally digital and therefore hackable.
The Critical Vulnerability: A cyberattack may not aim simply to steal data; it may be designed to bypass, disable or maliciously manipulate the safety logic within the SIS. For example, an attacker could force a sensor to report a false “normal” reading, preventing the logic solver from triggering the emergency shutdown when a real hazard exists. Integrating cyber risk into PHA means that every single protective layer, particularly those governed by software or network communication, must be assessed for its susceptibility to compromise.
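As an added illustration (it is not part of the original article and is not any vendor's or standard's reference design), the following Python model runs a toy high-pressure safety instrumented function two ways: a single-sensor trip, which a forced “normal” reading defeats exactly as described above, and a 2oo3 voted trip that treats a frozen signal as a fault. The trip setpoint, the transmitter tags PT-A/PT-B/PT-C, the pressure trajectories and the stale-sample threshold are all constructed values.

```python
"""Toy SIS logic solver: single-sensor trip vs. 2oo3 voting with a frozen-signal check.

Constructed example for illustration; not a certified safety design.
"""
from collections import deque
from dataclasses import dataclass, field

TRIP_SETPOINT_BAR = 12.0  # constructed: high-pressure trip point
STALE_SAMPLES = 4         # constructed: this many identical scans => frozen signal


@dataclass
class Sensor:
    """One pressure transmitter as seen by the logic solver."""
    name: str
    history: deque = field(default_factory=lambda: deque(maxlen=STALE_SAMPLES))

    def update(self, value: float) -> float:
        self.history.append(value)
        return value

    def is_frozen(self) -> bool:
        # A live process signal always carries some noise; a run of identical
        # values points to a stuck transmitter or a forced/replayed reading.
        return len(self.history) == STALE_SAMPLES and len(set(self.history)) == 1


def naive_solver(reading: float) -> bool:
    """Single-sensor design: trips only if the one reading exceeds the setpoint."""
    return reading > TRIP_SETPOINT_BAR


def voting_solver(sensors, readings):
    """2oo3 voting, fault-to-safe: a frozen sensor is counted as one trip vote.

    Returns (trip_demanded, names of sensors flagged as frozen on this scan).
    """
    votes = 0
    frozen = []
    for sensor, reading in zip(sensors, readings):
        sensor.update(reading)
        if sensor.is_frozen():
            frozen.append(sensor.name)
            votes += 1
        elif reading > TRIP_SETPOINT_BAR:
            votes += 1
    return votes >= 2, frozen


def run_scenario(true_pressure, forced_sensor_a=None):
    """Feed one pressure trajectory (bar, one value per scan) to both designs.

    forced_sensor_a: if set, transmitter PT-A reports this value on every scan,
    modelling a compromised signal path; PT-B and PT-C stay honest.
    Returns (naive_trip_scan, voted_trip_scan, sensors_ever_flagged_frozen);
    a trip scan of None means that design never demanded a shutdown.
    """
    sensors = [Sensor("PT-A"), Sensor("PT-B"), Sensor("PT-C")]
    naive_trip_at = voted_trip_at = None
    flagged = set()
    for scan, p in enumerate(true_pressure):
        # Honest transmitters carry small, differing offsets (constructed noise).
        a = forced_sensor_a if forced_sensor_a is not None else p + 0.01
        b = p - 0.02
        c = p + 0.03
        if naive_trip_at is None and naive_solver(a):
            naive_trip_at = scan
        trip, frozen = voting_solver(sensors, [a, b, c])
        flagged.update(frozen)
        if voted_trip_at is None and trip:
            voted_trip_at = scan
    return naive_trip_at, voted_trip_at, flagged


if __name__ == "__main__":
    ramp = [10.0, 10.5, 11.0, 11.5, 12.5, 13.0, 13.5, 14.0]   # real overpressure
    steady = [10.0, 10.2, 10.1, 10.3, 10.2, 10.1]              # process normal
    print("honest sensors, overpressure :", run_scenario(ramp))
    print("PT-A forced to 10.0, overpressure :", run_scenario(ramp, forced_sensor_a=10.0))
    print("PT-A forced to 10.0, normal process:", run_scenario(steady, forced_sensor_a=10.0))
```

In the forced-sensor overpressure run the single-sensor design never trips, while the voted design still trips on the honest pair and separately flags PT-A as frozen; in the normal-process run the frozen flag is raised without a spurious shutdown, because one fault-to-safe vote is not enough for 2oo3. That diagnostic is what a PHA team would want routed to operators as an alarm. The frozen-value test is only a plausibility heuristic, so it complements, rather than replaces, independent sensor paths, network segmentation and write-protection of the logic solver.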
The Mandate from Above: IEC 61511 and Functional Safety
This paradigm shift is no longer optional; it is becoming a regulatory and standards-based necessity. The connection between cybersecurity and safety is formally defined in two major international standards: ISA/IEC 62443 for industrial control system security and IEC 61511 for functional safety.
The Evolving Role of IEC 61511
IEC 61511, “Functional safety – Safety instrumented systems for the process industry sector,” is the bedrock standard for designing and managing SIS. The latest revisions of this standard now mandate a cybersecurity assessment.
The standard requires that organizations address the possibility of a malicious or unauthorized action that could compromise the integrity of the safety system. Specifically, it demands:
Cyber Security Risk Assessment: A formal assessment must be conducted to identify cyber threats relevant to the SIS and its supporting infrastructure, including all interconnected networks and assets.
Security Requirements Specification: The output of this assessment must be a detailed set of requirements integrated into the SIS design and operational procedures to mitigate identified cyber risks.
Lifecycle Management: Cybersecurity must be considered throughout the entire safety lifecycle from initial conceptual design through operation, maintenance and eventual decommissioning.
In essence, security is now a prerequisite for safety. A system cannot be considered functionally safe if it is demonstrably cyber-vulnerable.
Perhaps the most impactful conceptual change is the shift in the core question guiding the assessment.
The Old Question (IT-Centric):
These are important questions for IT security but they miss the point in a safety-critical context. They frame the risk as purely an IT or commercial problem.
The New Question (Safety-Centric):
This reframing forces the PHA team to analyze cyber threats not just as a breach of a firewall, but as a potential “initiating event” or “enabling condition” for a major accident scenario.
Applying the “What If” to Cyber
When conducting a PHA, often using a technique such as HAZOP (Hazard and Operability Study), the team traditionally asks “What if the cooling pump fails?” or “What if the control valve sticks open?”
The integrated approach adds the cyber dimension:

By analyzing cyber risk through the lens of consequence severity (the catastrophic potential of the resulting safety incident) rather than security impact alone (the cost of the breach), organizations prioritize their defenses where they matter most: human life and environmental protection.
Successfully merging cyber risk into PHA requires a multi-disciplinary effort and a clear methodology:
Conclusion
Industrial safety is entering a new phase where digital risk and physical risk can no longer be separated. When a line of code can influence the same outcomes as a valve or sensor, cybersecurity becomes part of the hazard itself. Bringing cyber scenarios into the PHA process helps teams see where a digital compromise could trigger a real-world incident and strengthens the protective layers that keep operations stable.
With sharper scoping, better coordination between engineering and security teams and structured cyber-informed assessments, organizations can close the gaps that allow silent failures in software-based barriers. Plants that treat cyber threats as potential initiating events build stronger safeguards, reduce the risk of hidden vulnerabilities and move toward safer and more resilient operations.
Copyright © 2026 SECNORA®