Safe and Secure? Part 2 - Setting the Scene
Jon Wiggins
Guiding Operators, Integrators and Manufacturers into the world of Functional Safety and Cyber Security
In the previous article the topic of a combined safety and security approach was discussed at a top level. In this part 2 there will be a dive into some more practical measures for achieving a safe and secure system.
Starting at the beginning
Before the technical measures can be discussed there first needs to be a business discussion on these topics. Why? The reason is simple: most hacks and incidents are caused by human interactions. The business developing these systems is a dense concentration of human interactions and represents a vulnerability which, if not checked, could lead to a fundamental weakness in the system.
Going back to our system model, we must consider the whole-system safety and security as two aspects of the whole-system integrity.
To ensure this is achieved, the organisations and projects involved in the system lifecycle should themselves be treated as part of the system. The scope of the combined approach is therefore much wider than just the system under consideration.
Starting at the top
Before a system is considered, the first and most important consideration is the mindset of the organisation into which the system will be designed or implemented.
The first step therefore is education. This has to happen throughout the organisation: from senior management, who must set business strategies and policies which align to the principle of safety and security through the procurement of goods and services and the welfare and recruitment of staff, to the technical staff who design, maintain, and modify systems. Every member of staff has a part to play, even if it is only the observation and reporting of potential incidents before they become an issue. A proactive approach must be instilled into an organisation.
That said, the organisation must not become oppressive to work in. Freedom of expression and the ability to challenge are key to the successful implementation of safe and secure systems, and empowering all teams to do this is critical. Success must also be rewarded, as this builds motivation to become better and strive for higher standards.
IEC 61508-1 clause 6 provides requirements for the business and management of functional safety, but these are very broad. Consider the spirit of the standard when applying these requirements. IEC62443-1-4 provides a more detailed and comprehensive approach for cybersecurity. This defines a holistic protection scheme through the system lifecycle. Whilst aimed at the Asset Owner, defined by the standard as the system operator, one should consider that at each stage in the system lifecycle each team which is interacting with the system, or with a subcomponent, can be considered the system operator at that moment in time.
Appropriate tools and techniques
With the mindset in place the focus now shifts to the tools and techniques required to implement the requirements. It is important to stress that requirements must be implemented in a reliable and sustainable manner. A one-off manual approach simply captures a point in time and cannot be effectively sustained. Tools at this stage are the tools and competency required throughout the business to achieve the requirements and spirit of the standards. These may be an improved HR system to track and maintain competency, an improved MRP system to track component compliance and usage, or an improved static analysis system to increase the test coverage of code.
With these tools comes the consideration of the competency needed to specify the tools. This may be an area where initial assistance is useful and beneficial to set the business on the right path.
One should not, though, see the tools as a substitute for competency, but rather as a method to ensure a competent person can work in a reliable and consistent manner. To that end it is critical to build competency over time. This is an investment in people which can only add benefit to the business culture, productivity and reputation in the long run.
Setting the team
With the groundwork laid out, the building of a technical team is the next key step. To work well, practitioners of both safety and security should be co-located and working as one team. The exact skill sets will depend on each project, but in general an in-depth understanding of the basic standards (IEC61508 and IEC62443 for example) is a prerequisite. From this an understanding of the sector-specific standards may be gained. An understanding of which lifecycle phase each person's expertise lies in is important for overall team balance. Beyond this, a general understanding of the field of work is important, as there is only so far a standard can go and application knowledge is important for interpretation.
It is important that the practitioners work from the point of ideation. This enables potential opportunities and issues to be flagged as early as possible, which maximises benefit and minimises costs or delays.
In the early concept phases the involvement will be at the functional level, with the implementation requirements very loose. There will be a focus on functional safety, but functional security must be considered in parallel and constraints on the implementation documented for future phases.
Therefore, the team's scope will cross departments and skill sets, from the systems engineers to the installers and commissioning engineers. It is critical that there is a balance in the team in terms of lifecycle phase experience. Each discipline does not necessarily need an expert in each phase, but across the team the phases should be covered.
Outside the team the education and awareness-raising exercise continues. This will begin to extend up and down the supply chain as requirements are placed in each direction. The management of external parties is a separate subject and one to be addressed in a future paper.
Maintain the need
Within the project the need for safety and security (both within the project and in the delivered system) must be highlighted and reinforced through the lessons learned as the project progresses. As the project progresses there will be difficulties, but these are surmountable.
But that as they say is for another time.