The industrial manufacturing sector is experiencing a profound transformation driven by unprecedented levels of connectivity.
That connectivity, and the advanced connected devices it brings with it, has let industrial manufacturers optimize operations and better serve customer needs. It has also introduced a host of new safety and security challenges.
In the age of interconnected electronics and the Industrial Internet of Things (IIoT), addressing these concerns requires a new perspective: one in which functional-safety and cybersecurity strategies are treated together at the system level, so that a machine stays safe and keeps running.
The intersection of functional safety and cybersecurity
Machine builders and system integrators must pay close attention to how functional-safety and cybersecurity work can be coordinated so that a system remains both safe and secure.
Industry 4.0 marks a shift toward connectivity and software. This evolution involves integrating a vast array of devices and products, once isolated and now interconnected in ways previously unimaginable. While this connectivity offers enhanced control and functionality, it simultaneously exposes systems to new safety and security vulnerabilities: an attacker who can reach a controller over the network can also interfere with the safety functions it implements, and malicious actors are actively looking for such networks to exploit.
Over the past two decades, the trend has been to connect any product with an Ethernet port, driven by a desire for immediate data access. However, this convenience often blinds us to the accompanying risks. Traditional manufacturing environments, including robotics, which historically operated in isolated conditions, now face these new exposures.
Industrial systems must now prioritize mitigating these risks. The integration of functional safety and cybersecurity standards and frameworks becomes essential in navigating this new landscape.
Understanding risks and delegating roles
Implementing safeguards in the industrial sector presents a significant challenge: staying ahead of emerging threats.
This process begins with a rigorous risk analysis to identify potential scenarios and hazards. Both functional safety and cybersecurity depend on this foundational step.
For any project, whether it involves product development, assessment or testing, understanding the risk is crucial, because it dictates the rigor required for effective mitigation. The greater the risk, the more robust the mitigation must be, so that the residual risk stays within limits acceptable to society and to regulators.
Functional safety and cybersecurity share this common ground from systems engineering: a foundation built on risk assessment that informs requirements-based engineering. By comprehensively understanding the operational context and designing in accordance with relevant regulations, standards and identified risks, we aim to create cyber-physical systems that are resilient and robust.
The subsequent challenge for manufacturers, particularly those with a history rooted in mechanical or electrical engineering, is developing new capabilities and competencies. This evolution requires time and a deep integration of industry knowledge with technological expertise. Traditional companies must introduce new roles and responsibilities, while new entrants must familiarize themselves with industry specifics. This convergence of knowledge and expertise is a gradual process, and each organization must decide how to best build these capabilities.
The industry's progression hinges on harmonized industry-consensus standards. These standards provide a unified approach to risk mitigation, enabling companies, regardless of their starting point, to develop safer and more secure systems. Developing capabilities and competency often begins with a fundamental knowledge of the applicable standards. This alignment is crucial for fostering resilience in the face of evolving risks and maintaining a robust industrial future.
Reconciling functional safety and cybersecurity roles and responsibilities
Outsiders in the industrial sector frequently conflate information technology (IT) with operational technology (OT). The distinction is critical: OT encompasses the systems and controls specific to industrial operations, whereas IT pertains to general information systems and networks. The most effective approach involves industry insiders—those who comprehend the use cases and products—guiding the assessment of OT-related risks, while IT experts provide technical cybersecurity knowledge, which is often independent of the industry.
Particularly in cybersecurity, the ideal candidate is someone with an industrial background who also possesses the necessary skills in networking and data communication protocols. Finding individuals who blend these competencies is challenging.
To develop this capability within an organization, it tends to be easier to teach industry standards to someone with a technical background than to impart a four-year computer science education to an industry expert. Consequently, many companies leverage their domain expertise by bringing in IT specialists to build centers of excellence in cybersecurity and functional safety. Conversely, technology firms often lack industrial domain knowledge and seek it through acquisitions or external consultants.
Merging these two knowledge bases is essential for progress. This is why educational programs and professional certifications are so valuable; they bridge the gap between IT cybersecurity and its application in industrial settings and equip professionals with the necessary understanding to transition from general IT security to specialized industrial cybersecurity.
Create a culture with safety and security at the forefront
To forge a path forward, the most effective start is to build a culture that moves safety and security to the front of the development process.
Many organizations mistakenly treat regulations and standards as something that belongs at the end of development, and sometimes as a hindrance to innovation. Instead, build a culture of safety and a culture of security together, and put both at the forefront.
It starts with a basis in quality and systems engineering: knowing how to take high-level requirements, regulations, standards and identified risks and cascade them down into design-level requirements that engineering teams can implement effectively. Traceability, the ability to follow each requirement back to the risk or rule that produced it and forward to the evidence that it was met, is a huge part of that.
Secondly, it requires the stakeholders in the development process to know what level of engineering rigor they are committing to when it comes to safety and security. That is where training comes into play. Whether it is conducted internally or externally, training gives teams the foresight to recognize that these standards and regulations add steps to the development process, and to plan for them.
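The two ideas above, a risk analysis that sets the required rigor and a requirements cascade that stays traceable from risk to evidence, can be checked mechanically. The following script is an added example, not code from the article or from any vendor: it walks a constructed hazard/threat list, the requirements derived from it and the verification evidence recorded against each requirement, and reports every break in the chain. The evidence-strength policy (a rating-3 risk needs an actual test, not just a review) is an illustrative assumption, not a rule from any standard, and all identifiers and sample entries are made up.

```python
"""Traceability audit for a safety/security requirements cascade.

Added example (not from the article). All data below is constructed, and the
evidence-strength policy is an illustrative assumption, not taken from any
standard.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Risk:
    """One output line of the risk analysis: a safety hazard or a security threat."""
    id: str
    kind: str      # "safety" or "security"
    rating: int    # 1 (low) .. 3 (high)
    text: str


@dataclass(frozen=True)
class Requirement:
    """A design-level requirement cascaded from one or more risks."""
    id: str
    text: str
    mitigates: Tuple[str, ...]   # Risk ids this requirement is meant to address


@dataclass(frozen=True)
class Evidence:
    """Verification evidence recorded against a requirement."""
    req_id: str
    kind: str      # "review", "analysis" or "test"


# Assumed policy: the higher the risk a requirement mitigates, the stronger the
# evidence needed before it counts as verified (rating 3 needs an actual test).
EVIDENCE_STRENGTH = {"review": 1, "analysis": 2, "test": 3}

# Constructed sample data for a machine cell.
RISKS = [
    Risk("H-1", "safety", 3, "Guard door opened while spindle is running"),
    Risk("H-2", "safety", 2, "Unexpected restart after power is restored"),
    Risk("T-1", "security", 3, "Unauthenticated program download over engineering port"),
    Risk("T-2", "security", 1, "Default SNMP community exposes device inventory"),
]
REQUIREMENTS = [
    Requirement("R-1", "Spindle reaches safe stop within 2 s of interlock open", ("H-1",)),
    Requirement("R-2", "Engineering port accepts downloads only in an authenticated session", ("T-1",)),
    Requirement("R-3", "Default SNMP communities are disabled at commissioning", ("T-2",)),
    Requirement("R-4", "Entry into maintenance mode is logged", ("T-9",)),  # T-9 was never analysed
]
EVIDENCE = [
    Evidence("R-1", "test"),
    Evidence("R-2", "review"),    # too weak for a rating-3 threat under the policy
    Evidence("R-4", "test"),
    # R-3 has no evidence at all
]


def required_strength(req: Requirement, risks: Dict[str, Risk]) -> int:
    """Rigor demanded by the highest-rated risk the requirement traces to."""
    ratings = [risks[r].rating for r in req.mitigates if r in risks]
    return max(ratings, default=1)


def audit(risks: List[Risk], requirements: List[Requirement],
          evidence: List[Evidence]) -> Dict[str, list]:
    """Walk the cascade in both directions and report every break in the chain."""
    by_id = {r.id: r for r in risks}
    covered, dangling = set(), []
    for req in requirements:
        for rid in req.mitigates:
            if rid in by_id:
                covered.add(rid)
            else:
                dangling.append((req.id, rid))   # cites a risk nobody analysed

    # Highest-rated gaps first, so the report orders the work by risk.
    uncovered = sorted((r for r in risks if r.id not in covered), key=lambda r: -r.rating)

    ev_by_req: Dict[str, List[Evidence]] = {}
    for e in evidence:
        ev_by_req.setdefault(e.req_id, []).append(e)

    unverified, under_verified = [], []
    for req in requirements:
        ev = ev_by_req.get(req.id, [])
        if not ev:
            unverified.append(req.id)
            continue
        best = max(EVIDENCE_STRENGTH[e.kind] for e in ev)
        need = required_strength(req, by_id)
        if best < need:
            under_verified.append((req.id, need, best))

    return {
        "uncovered_risks": [r.id for r in uncovered],
        "unverified": unverified,
        "under_verified": under_verified,
        "dangling": dangling,
    }


if __name__ == "__main__":
    for key, items in audit(RISKS, REQUIREMENTS, EVIDENCE).items():
        print(f"{key}: {items}")
```

Run on the sample data, the audit reports H-2 as a hazard with no requirement behind it, R-3 as a requirement with no evidence, R-2 as verified only by review where the rating-3 threat it mitigates demands a test, and R-4 as tracing to a threat that never went through the risk analysis. The same four checks are what an assessor asks for at certification time; running them continuously during development, rather than at the end, is the proactive approach the next paragraph argues for.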
Many manufacturers delay compliance until the end of the development process, but a proactive approach saves time and money in the long run. Up-front investment in quality processes and reliability reduces the cost of noncompliance and speeds up approval and certification. It also develops a safety and security culture that leaves a positive mark on the organization as a whole.
A strong culture around safety and security, and a foundation of knowledge that cascades through the organization, are the two pieces that most often lead to success.