Companies that operate hazardous chemical processes are addressing, or are beginning to address, industrial control system (ICS) cybersecurity. Those that have not will soon have to, as regulatory pressures and the next edition of ISA 84/IEC 61511 will make it mandatory. However, a big challenge the industry faces is aligning and integrating ICS cybersecurity processes with existing process safety processes. One reason is that ICS cybersecurity efforts are often led by IT, whereas process safety is led by engineering, operations or corporate safety. Regardless, integration is important not only to avoid duplication of effort but also to provide management with a holistic view of operational risk that includes both cyber and traditional initiating events.
This paper will discuss the process safety lifecycle and the ICS cybersecurity lifecycle and the key touch points where these lifecycles must synchronize in order for the responsible teams to exchange data and provide a common and holistic view of risk to executive management. We will present the ICS cybersecurity risk assessment process defined in ISA 62443, which many refer to as a cyber PHA or cyber HAZOP, and discuss how this process establishes a key linkage between process safety and cybersecurity.