Module 0: ICS vs IT mindset (3/4)

Process safety vs cybersecurity: shared vocabulary, different stakes

35 min · 4 min read · Ref: IEC 61511, IEC 62443-1-1


Two disciplines, one plant

Walk into any petrochemical facility and you will find two teams that both use the word "risk" but mean very different things. The process-safety engineer is worried about overpressure, thermal runaway, and toxic release. The cybersecurity analyst is worried about unauthorised access, lateral movement, and data exfiltration.

IEC 62443 was written to bridge these two worlds. It borrows risk-assessment vocabulary from IEC 61511 (functional safety) and applies it to the cyber domain. Understanding where the vocabularies overlap — and where they diverge — is essential before you touch any risk register.

Shared concepts

Concept             | Safety meaning                                                      | Cyber meaning
Hazard              | Physical condition that can cause harm                              | Vulnerability + threat pair that can cause harm
Risk                | Likelihood × Severity of harm to people/environment                 | Likelihood × Impact on control-system function
Layer of protection | Independent safety function (relief valve, SIS trip)                | Independent security control (firewall, MFA, segmentation)
Defence in depth    | Multiple barriers preventing a single failure from reaching people  | Multiple controls preventing a single exploit from reaching the process
SIL / SL            | Safety Integrity Level (IEC 61508/61511)                            | Security Level (IEC 62443)

Key insight

SIL and SL are structurally analogous but independently assessed. A Safety Instrumented System (SIS) rated SIL 3 may still be at SL 1 if it sits on an unprotected network.

Where the vocabularies diverge

1. Threat actors are intentional

Process safety assumes random failure — a gasket degrades, a sensor drifts, a valve sticks. The failure rate is stochastic and can be modelled with bathtub curves and mean-time-between-failure data.

Cybersecurity assumes intentional adversaries — humans who adapt, learn, and try again. You cannot model a nation-state APT with a Weibull distribution.

2. Common-cause failure has a new source

In safety engineering, common-cause failure means a single root cause defeats multiple barriers (e.g. a flood takes out both the primary and backup pump). In cybersecurity, a single vulnerability in shared firmware can defeat every device of the same model simultaneously. TRITON demonstrated this: the attackers targeted the Triconex safety controller because an exploit developed against one controller's firmware applied equally to every unit of that model at the site.

3. Confidentiality matters in cyber but not in safety

Process safety has no concept of data secrecy. A relief valve does not care who knows its set-pressure. But a cyber attacker who can read PLC configuration over the network can plan a precision strike.

The SIS problem

The Safety Instrumented System is the last line of defence between a process upset and a catastrophe. IEC 61511 requires the SIS to be independent of the Basic Process Control System (BPCS). That requirement is about functional independence (the SIS must still trip when the BPCS fails); it says nothing by itself about whether the two controllers share a switch. In practice, independence is often implemented as a separate controller on the same network.

Worked example

In the 2017 TRITON attack, the adversary moved laterally from the corporate network to the DCS, then pivoted to the SIS network, which was reachable via a shared switch. The SIS was logically independent but not physically isolated. Public analysis of the incident also reported that the controller's physical key switch had been left in PROGRAM mode, which is what allowed the attacker's implant to be written to the controller at all; a cyber assessment of an SIS has to include such physical interlocks, not only the network path.

IEC 62443 addresses this gap through zone separation: the SIS belongs in its own zone with a dedicated conduit whose data-flow policy permits only the minimum traffic the safety function requires.


Integrating the two disciplines

When you perform an IEC 62443-3-2 risk assessment (Module 1 of the Risk Assessment track), you must:

  1. Identify safety-critical zones — any zone containing SIS controllers, safety PLCs, or burner-management systems.
  2. Assign the highest SL-T to those zones — typically SL 3 or SL 4.
  3. Validate independence — confirm that no single cyber exploit can defeat both the BPCS and the SIS.
  4. Cross-reference with the SIL assessment — the SL-T assigned in step 2 must be high enough that a cyber compromise cannot undermine the claimed SIL. IEC 62443 defines no fixed SIL-to-SL mapping, so the risk assessment has to state and justify the pairing it uses; a SIL 3 SIS sitting in a zone whose SL-T is below the level you assigned to safety-critical zones is a finding, not an acceptable residual.
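As an added worked example for the four steps above (not code from the course, from IEC 62443 or from any vendor), the following Python script encodes a zone-and-conduit model and runs each step as a mechanical check. The asset inventory, zone names, role taxonomy and conduit flows are constructed for the example and loosely follow the TRITON layout discussed earlier; the MIN_SLT_FOR_SIL table is an assumed policy, since IEC 62443 defines no SIL-to-SL mapping and a real assessment must justify its own pairing.

```python
"""Structural checks for the four assessment steps over a constructed zone model.

Added example for this lesson; not code from the course, from IEC 62443 or from
any vendor. Assets, zones and conduits are made up to resemble the TRITON layout
(a switch shared by the DCS and SIS networks, a SIL 3 controller in a weakly
protected zone). MIN_SLT_FOR_SIL is an assumed policy, not a standard mapping.
"""
from dataclasses import dataclass
from typing import Optional

# Assumed role taxonomy: safety-related roles define safety-critical zones;
# network infrastructure may sit in any zone without "mixing" it.
SAFETY_ROLES = {"sis_controller", "safety_plc", "bms", "sis_engineering_ws"}
INFRA_ROLES = {"switch", "firewall"}
# Flows that can change safety logic; the safety function never needs them
# from outside its own zone.
ENGINEERING_FLOWS = {"program_download", "firmware_update", "remote_engineering"}
# Assumed policy: minimum SL-T for a zone hosting a SIL-n safety function.
MIN_SLT_FOR_SIL = {1: 2, 2: 3, 3: 3, 4: 4}


@dataclass(frozen=True)
class Asset:
    name: str
    role: str
    zones: tuple  # listed in two zones == a physical path between them

@dataclass(frozen=True)
class Zone:
    name: str
    sl_t: int
    sil: Optional[int] = None  # SIL of the safety function hosted here

@dataclass(frozen=True)
class Conduit:
    src: str
    dst: str
    flows: frozenset  # the conduit's data-flow policy


def check_model(assets, zones, conduits):
    """Return findings as strings; an empty list means all four checks passed."""
    findings, zone_by_name, members = [], {z.name: z for z in zones}, {}
    for a in assets:
        for zname in a.zones:
            members.setdefault(zname, []).append(a)
    # Step 1: a zone is safety-critical if it hosts a safety-related asset, and
    # (ZCR 3.4) nothing but network infrastructure may share it.
    safety_zones = sorted(z for z, ms in members.items()
                          if any(m.role in SAFETY_ROLES for m in ms))
    for zname in safety_zones:
        mixed = [m.name for m in members[zname]
                 if m.role not in (SAFETY_ROLES | INFRA_ROLES)]
        if mixed:
            findings.append(f"{zname}: non-safety assets share the safety zone: {mixed}")
    # Step 2: safety zones carry the highest SL-T found anywhere in the model.
    top = max(z.sl_t for z in zones)
    for zname in safety_zones:
        if zone_by_name[zname].sl_t < top:
            findings.append(f"{zname}: SL-T {zone_by_name[zname].sl_t} is below "
                            f"the highest SL-T in the model ({top})")
    # Step 3: independence. A device present in a safety zone and any other zone
    # is one point through which a single exploit reaches both (the shared
    # switch), and a conduit into a safety zone must not carry logic-changing flows.
    for a in assets:
        spanned = set(a.zones)
        if len(spanned) > 1 and spanned & set(safety_zones):
            findings.append(f"{a.name}: bridges zones {sorted(spanned)}")
    for c in conduits:
        bad = sorted(c.flows & ENGINEERING_FLOWS) if c.dst in safety_zones else []
        if bad:
            findings.append(f"conduit {c.src}->{c.dst}: permits {bad}")
    # Step 4: cross-reference the hosted SIL with the assigned SL-T.
    for zname in safety_zones:
        z = zone_by_name[zname]
        if z.sil is not None and z.sl_t < MIN_SLT_FOR_SIL[z.sil]:
            findings.append(f"{zname}: hosts SIL {z.sil} but SL-T {z.sl_t} is below "
                            f"the assumed minimum {MIN_SLT_FOR_SIL[z.sil]}")
    return findings


# Constructed "as found" model: shared core switch, general-purpose engineering
# workstation on the SIS network, SL-T 1, conduit that allows program download.
AS_FOUND = (
    [Asset("dcs-ctrl-01", "bpcs_controller", ("dcs",)),
     Asset("eng-ws-01", "engineering_workstation", ("sis",)),
     Asset("sis-ctrl-01", "sis_controller", ("sis",)),
     Asset("core-sw-01", "switch", ("dcs", "sis"))],
    [Zone("dcs", 2), Zone("sis", 1, sil=3)],
    [Conduit("dcs", "sis", frozenset({"alarm_read", "program_download"})),
     Conduit("sis", "dcs", frozenset({"alarm_read"}))],
)
# Constructed target model: dedicated SIS switch and SIS engineering station,
# SL-T 3, conduit reduced to the read-only traffic the DCS needs.
TARGET = (
    [Asset("dcs-ctrl-01", "bpcs_controller", ("dcs",)),
     Asset("dcs-sw-01", "switch", ("dcs",)),
     Asset("sis-ctrl-01", "sis_controller", ("sis",)),
     Asset("sis-eng-ws-01", "sis_engineering_ws", ("sis",)),
     Asset("sis-sw-01", "switch", ("sis",))],
    [Zone("dcs", 2), Zone("sis", 3, sil=3)],
    [Conduit("dcs", "sis", frozenset({"alarm_read"})),
     Conduit("sis", "dcs", frozenset({"alarm_read"}))],
)

if __name__ == "__main__":
    for label, model in (("as found", AS_FOUND), ("target", TARGET)):
        print(f"== {label}")
        for f in check_model(*model) or ["no findings"]:
            print("  -", f)
```

Run as a script, the as-found model produces five findings (a mixed zone, an SL-T below the model's maximum, the bridging switch, a program-download flow into the safety zone, and the SIL/SL mismatch) and the target model produces none. The same structure can be populated from a real asset-inventory export; the bridging-device check is the one that most often turns up in the field, because a shared switch or jump host is exactly the condition the TRITON example turned on.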

Analogy

Think of process safety as the hull of a ship and cybersecurity as the compartment doors. The hull keeps water out under normal conditions. The doors keep a breach in one section from sinking the whole vessel. If someone can open all the doors remotely, the hull alone is not enough.

Key Takeaways

  1. Process safety and cybersecurity share the concepts of risk, defence in depth, and layers of protection.
  2. They diverge on threat modelling: random failure vs intentional adversary.
  3. The SIS must be in its own security zone with the highest SL-T.
  4. SIL and SL are independent assessments that must be cross-referenced.
  5. A cyber exploit that defeats the SIS can negate decades of safety engineering.

Quick check

Your safety engineer says, "The SIS is SIL 3 — it's already hardened." In three sentences, explain why a SIL rating does not guarantee cyber resilience.

Knowledge Check

3 questions — test your understanding before moving on.

  1. Q1. What is the key difference between how process safety and cybersecurity model threats?

    • Process safety uses qualitative methods while cybersecurity uses quantitative methods.
    • Process safety assumes random failure; cybersecurity assumes intentional adversaries who adapt.
    • Process safety is concerned with equipment while cybersecurity is concerned with data.
    • There is no meaningful difference — both use the same risk models.

    Process safety models random, stochastic failures (gasket degradation, sensor drift). Cybersecurity models intentional adversaries who learn, adapt, and try again — you cannot model a nation-state APT with a Weibull distribution.

  2. Q2. What did the TRITON attack demonstrate about the relationship between SIL and SL ratings?

    • A device rated SIL 3 is automatically cyber-secure.
    • SIL ratings replace the need for SL ratings in safety-critical zones.
    • A SIL 3 safety controller can still be at SL 1 if it sits on an unprotected network — the two ratings are independent.
    • SL ratings are always higher than SIL ratings for the same device.

    SIL (Safety Integrity Level) and SL (Security Level) are independently assessed. The TRITON-targeted Triconex controller was SIL 3 rated but reachable from the DCS network without authentication — effectively SL 1 from a cyber perspective.

  3. Q3. According to IEC 62443, which zone should the SIS (Safety Instrumented System) be placed in?

    • The same zone as the BPCS for simplified management.
    • The enterprise zone for visibility by senior management.
    • Its own dedicated security zone with a restrictive conduit and the highest SL-T.
    • The IDMZ, since it bridges safety and operations.

    IEC 62443-3-2 requires safety-related assets to be grouped in zones separated from non-safety assets, so the SIS goes in its own security zone with a dedicated conduit whose data-flow policy permits only the minimum traffic the safety function requires. That zone should carry the highest SL-T in the assessment, typically SL 3 or SL 4.