Industrial Cybersecurity, Process Safety, and Human Factors: A 360° Approach

Chris Carpenter
DOI: https://doi.org/10.2118/0824-0079-jpt
2024-08-01
Journal of Petroleum Technology
Abstract: This article, written by JPT Technology Editor Chris Carpenter, contains highlights of paper OTC 35396, “Industrial Cybersecurity, Process Safety, and Human Factors: A Comprehensive 360° Approach,” by Pedro F. Vieira, Lenissa P. Hilgert, and Ilton Majerowicz, Petrobras. The paper has not been peer reviewed. Copyright 2024 Offshore Technology Conference.

The complete paper presents an integrated view of three key areas of knowledge that are typically addressed individually—cybersecurity, process safety, and human factors—from the perspective of cybersecurity. It discusses information technology (IT) and operations technology (OT) dimensions during the phases of a project: engineering design, procurement, construction and assembly, commissioning, and operation. It also proposes a strategy for implementing such an approach in the oil and gas industry.

With the aim of forming a holistic safety and security vision, the authors propose a unified analysis integrating cybersecurity, process safety, and human factors, focusing on their interfaces and opportunities presented by risk analysis and the convergence of business procedures. This is referred to in the proposed approach as a high-level integration layer, or the “strategic (outer) circle.” The combination of two concentric circles—strategic (outer) and operational (inner)—forms what the authors term a 360° approach.

The Strategic (Outer) Circle

The outer circle illustrates the strategic-level interfaces between key processes of cybersecurity, process safety, and human factors from a cybersecurity perspective.

Cybersecurity/Process Safety Interface.

Integration of Cybersecurity Into Process Safety Management Risk Analyses. One of the most practical examples of integration of cyber/physical attack scenarios into classical risk analyses is the use of layers-of-protection analysis and awareness of degradation of safety integrity level (SIL) barriers. An SIL is used to determine the required performance level of safety-instrumented functions (SIFs) to achieve the required risk reduction. The SIL of an SIF produces a risk-reduction factor that helps calculate the final total risk of a given scenario.

Another opportunity to make this integration visible from the beginning of the engineering design is during the hazard and operability (HAZOP) study. The HAZOP study uses guidewords, standardized terms used to stimulate thinking about possible deviations in the established process. The idea is to create new words related to cybersecurity issues in the industrial-automation substrate, such as “data uncertain” (the data may have been corrupted) or “data unavailable” (the last available data is old).

Special Cybersecurity Zone for Production-Critical Equipment. It is advisable that the zone and conduit analysis within the ISA/IEC 62443 framework consider segregating assets into distinct cybersecurity zones based on their operational continuity significance within the facility. For instance, a gas-export compressor, typically lacking redundancy, can halt a plant’s production, requiring secondary shutdowns of other systems. Therefore, by establishing a production-critical systems zone within the cybersecurity analysis, the availability of critical equipment and general operational availability can be ensured, and potential secondary effects of shutdowns and restarts can be mitigated.

Cyber/Physical Integrated Incident-Response Program. Typically, incident-response programs are disjointed between cybersecurity and process safety, resulting in delays in digital responses to issues that have physical consequences. The formal inclusion of cybersecurity as a technical discipline in any process-safety incident-response program is essential and should be achieved even if it is discarded in the beginning of the analysis of a particular incident.
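The layers-of-protection passage above can be made concrete with a small calculation, added here as an example that is not taken from the paper or the article: it compares a classical LOPA result with the same scenario when a cyber/physical attack degrades the SIL barriers it can reach. The scenario, its frequencies and PFD values, and the `cyber_exposed` flag are constructed assumptions, as is the conservative simplification that a reachable layer earns no credit at all; the SIL bands are the low-demand risk-reduction ranges of IEC 61508/61511.

```python
from dataclasses import dataclass
from math import prod

@dataclass(frozen=True)
class Layer:
    name: str
    pfd: float            # probability of failure on demand credited in the classical LOPA
    cyber_exposed: bool   # assumption flag: reachable from the same zone as the attacker

def sil_band(rrf: float) -> int:
    """Low-demand SIL band for a risk-reduction factor (SIL n: 10^n < RRF <= 10^(n+1)); 0 = below SIL 1."""
    for sil, lower in ((4, 1e4), (3, 1e3), (2, 1e2), (1, 1e1)):
        if rrf > lower:
            return sil
    return 0

def event_frequency(initiating_per_year: float, layers, cyber_scenario: bool = False) -> float:
    """Mitigated frequency; in the cyber scenario exposed layers are degraded to PFD = 1 (no credit)."""
    return initiating_per_year * prod(
        1.0 if (cyber_scenario and l.cyber_exposed) else l.pfd for l in layers)

def analyse(initiating_per_year: float, tolerable_per_year: float, layers) -> dict:
    classical = event_frequency(initiating_per_year, layers)
    attacked = event_frequency(initiating_per_year, layers, cyber_scenario=True)
    return {
        "classical_per_year": classical,
        "attacked_per_year": attacked,
        "classical_ok": classical <= tolerable_per_year,
        "attacked_ok": attacked <= tolerable_per_year,
        # Extra risk reduction that must come from layers an attacker cannot reach.
        "shortfall_rrf": max(1.0, attacked / tolerable_per_year),
        "degraded_layers": [l.name for l in layers if l.cyber_exposed],
    }

# Constructed scenario (all numbers are illustrative, not from the paper):
# overpressure at a gas-export compressor.
LAYERS = [
    Layer("BPCS alarm + operator response", 0.1, cyber_exposed=True),
    Layer("High-pressure trip SIF", 0.005, cyber_exposed=True),
    Layer("Mechanical relief valve", 0.01, cyber_exposed=False),
]
RESULT = analyse(initiating_per_year=0.1, tolerable_per_year=1e-5, layers=LAYERS)

if __name__ == "__main__":
    print("SIF credited as SIL", sil_band(1 / LAYERS[1].pfd), "in the classical analysis")
    for key, value in RESULT.items():
        print(f"{key}: {value}")
```

In this constructed case the classical analysis meets the target, while the cyber scenario leaves only the mechanical relief valve credited and misses it by a factor of about 100.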