Know your risks
Today, both security and safety standards already recognize the link between safety and security risks.
Cybersecurity standard ISA/IEC 62443-1-1 mentions that security breaches can have consequences beyond compromised information. The standard states: “The potential loss of life or production, environmental damage, regulatory violation and compromise to operational safety are far more serious consequences. These may have ramifications beyond the targeted organization; they may grievously damage the infrastructure of the host region or nation.”
Functional safety standard IEC 61508-1 specifies that hazards associated with equipment and control systems must be determined under all reasonably foreseeable circumstances. The standard says: “This shall include all relevant human factor issues and shall give particular attention to abnormal or infrequent modes of operation of the EUC. If the hazard analysis identifies that malevolent or unauthorized action, constituting a security threat, as being reasonably foreseeable, then a security threats analysis should be carried out.”
Security, like safety, approaches issues based on managing risk, leveraging continuous assessment and baselining to ensure you are managing to a risk threshold. Your level of acceptable risk will vary by industry and potential outcomes.
Considering that most cybersecurity attacks are based on the attacker simply finding a vulnerable target – rather than being specifically targeted due to industry or prominence – a cybersecurity attack is a foreseeable circumstance in virtually every industry. Assessing your cybersecurity risks, determining your level of acceptable risk and mitigating identified risks to an acceptable level are now the basic “reasonable” steps to help protect people from foreseeable misuse and malevolent or unauthorized actions.
As with safety, ignoring cybersecurity and associated risks is the mistaken belief that “if I don’t know about the risk, I can’t be held accountable.” That’s not an acceptable posture, ethically or for compliance purposes, especially when lives are on the line.