[SystemSafety] [EC 61508 and cybersecurity

Christopher Johnson Christopher.Johnson at glasgow.ac.uk
Mon Jun 1 13:02:15 CEST 2015


I agree with much that Chris says but the problem is that the high-level standards bodies often have little practical day-to-day experience
at the interface between security and safety – indeed most industries are just waking up to the possibilities with ISIL in control of several
refineries and ATM towers (plus associated engineers).

The engineering details often throw up a host of tensions – as a trivial case that Drew mentioned this morning – if you take incident
reporting as a monitoring mechanism from most Safety Management Systems and transfer it into a Security Management System
you have to totally change your mindset – from one where it is critical to disseminate recommendations as widely as possible (safety)
to one in which simply knowing that an incident has occurred can be a strong indication of complicity (security). I worked on a recent incident
where the systems admin team were all treated as suspects because they identified the intrusion.

This is one example but there are many more.


C

From: Chris Hills <safetyyork at phaedsys.com>
Organization: Phaedrus Systems Ltd
Reply-To: safetyyork at phaedsys.com
Date: Monday, 1 June 2015 11:49
To: Martyn Thomas <martyn at thomas-associates.co.uk>, systemsafety at lists.techfak.uni-bielefeld.de
Subject: Re: [SystemSafety] [EC 61508 and cybersecurity

I have always thought that safety and security are two sides of the same coin. Often it is just a difference of emphasis or wording but the requirements are very similar if not the same.
The trouble is “cyber security” is the new buzzword so we need a standard for it… Surely it is better to build on 61508 for something that is both safe and secure?

Or do you want something that is secure but unsafe?  :)

Regards
   Chris


Phaedrus Systems Ltd Tel:   FREEphone 0808 1800 358
96 Brambling B77 5PG          Vat GB860621831  Co Reg #04120771
http://www.phaedsys.com  chills at phaedsys.com


From: systemsafety-bounces at lists.techfak.uni-bielefeld.de On Behalf Of Martyn Thomas
Sent: 01 June 2015 10:09
To: systemsafety at lists.techfak.uni-bielefeld.de
Subject: Re: [SystemSafety] [EC 61508 and cybersecurity

Where can I find details of the content of IEC 62443, and of the IEC workgroup?

Martyn



On 01/06/2015 09:42, RICQUE Bertrand (SAGEM DEFENSE SECURITE) wrote:
There is currently an IEC workgroup on what to do with IEC 61508 and cybersecurity (IEC 62443). The topic is thus not ignored.
