Institute of Measurement and Control. Functional Safety 2016

Figure 1 Safety versus security

When comparing Safety and Security, it is important to notice one fundamental difference, which later helps us better assess the applicability of methods. While Safety is implemented to protect people against machine or plant, the role of Security is to protect machine or plant against people. Hence we are facing intentional misuse instead of machine/plant/equipment malfunction, and we are typically looking at external rather than internal causes.

In terms of similarities, both employ a layered “Defence in Depth” type strategy to prevent incidents. Both advocate a lifecycle approach and outline all the activities that need to be performed through that lifecycle. Both require management. Both are increasingly using certified products as building blocks for solutions.

The other key differences, such as they are, will become fewer as standards become more mature and accepted and as lessons are shared more extensively across users.

Safety standards like IEC 61508 and IEC 61511 give us a defined lifecycle model which covers all tasks from analysis through realisation to operation, while superimposing inherent quality measures for the process itself, through lifecycle planning, functional safety management & assessment, verification and validation.

The Security Management Lifecycle according to IEC 62443 follows similar principles. Here the Security management process consists of 4 major steps:

· Risk analysis. Mitigation measures have to be defined depending on the identified threats and risks to the plant.

· Policies & organizational measures. Setting up of policies and coordination of organizational measures.

· Technical measures. Implementation and coordination of technical measures.

· Validation and improvement. Achieving and continuously preserving the necessary security level requires a consistent security management process that repeats the risk analysis both regularly and in response to events.

Security Management is essential for a well thought-out security concept. Products, plants and processes have to be compliant with existing due diligence based on laws, standards, internal guidelines and state of the art.

Information Technology vs Operational Technology

Historically there has been little or no overlap between IT & OT. The Information Technology (IT) world is different from Operational Technology (OT). It has different priorities and a different mindset.