Institute of Measurement and Control. Functional Safety 2016
editions of IEC 61508 and IEC 61511 have both been updated to contain specific requirements
regarding the need to consider and address security.
Rise in Cyber threats
Historically we have seen an accelerated evolution of cyber threats, with the paradigm changing
every 3 years or so. From “Hacking for fun” by hobbyists the focus has shifted to “Hacking for money
Cybercrime” by organized criminals, followed by “Hacking for political and economic gains” by
“Hacktivists” and state-sponsored agents. Today we see further refinement of Cybercrime, with
Ransomware and Cyber extortion. Juniper Research recently predicted that the rapid digitization of
consumers’ lives and enterprise records will increase the cost of data breaches to $2.1 trillion
globally by 2019, increasing to almost four times the estimated cost of breaches in 2015. [1]
The future looks even more alarming, with emerging signs of increasing attempts at Cyber-warfare.
The focus on industrial security started seriously in July 2010 because of Stuxnet, which was the first
high-profile case where a cyber attack specifically targeted a control system for the purpose of
industrial sabotage. This was followed by increased focus on industrial security at security
conferences such as Blackhat and DEFCON in 2010 and 2011. Presently we see emerging dangers
posed by automated tools such as "Metasploit" that exploit SCADA vulnerabilities, and by scanning
engines such as "Shodan" that detect industrial equipment on the Internet. The increased know-how
of security researchers has seen publicity-seeking presentations turn into more serious and realistic
technical presentations such as those seen at Blackhat and DEFCON 2013. This comes in a climate of
increasing commercial and political exploitation of security vulnerabilities.
Comparison of Safety and Security
Safety and security in this context are defined as follows:
Safety
“Freedom from unacceptable risk of physical injury or of damage to the health of people, either
directly or indirectly as a result of damage to property or to the environment.”
IEC 61508-4
Security
“Prevention of illegal or unwanted penetration of or interference with the proper and intended
operation of an industrial automation and control system”
IEC 62443-1-1
There are many similarities in the approaches adopted by functional safety standards and cyber-
security standards and some key differences
[1] Anon (2015) Cybercrime will Cost Businesses Over $2 Trillion by 2019. Juniper Research. Online:
http://www.juniperresearch.com/press/press-releases/cybercrime-cost-businesses-over-2trillion