Cyber in Safety Management

Those involved in integrating cybersecurity into Safety Management Systems should remain aware of a fundamental cultural difference in how safety management and security management approach risk. Safety risks are tied to a specific set of actions or conditions that can be managed as their own isolated entity. Security risks, however, might be described as being tied to a specific outcome for the threat agent.

Let’s consider a situation involving a crane. Under the Safety Management approach, we would look at the crane, its design, its operations, the training of its operators, the environment in which it is used and so on. The key element here is that we are reducing the acts or conditions that lead to hazards associated with the crane. While we may not be able to completely eliminate all risk, we can manage it to a reasonable level (often referred to as being “As Low As Reasonably Practicable”).

Security threats generally focus on an outcome for the threat actor, such as disrupting operations, gaining access, generating wealth, etc. The threat will look at the means and/or opportunities available to meet its intent and, depending on what is found, will pick the one that offers the best chance of success. This means that addressing one aspect of security risk may not result in the mitigation of risk but in the repositioning or shifting of that risk into other areas.

This operates slightly differently in the cybersecurity space (for now and for the most part). Unless dealing with an actual attacker, many of the ways that attacks occur involve things that are engineered to perform a certain way. Consequently, we can reduce the opportunities that they have to operate (often referred to as the attack surface). This, however, has not gotten to the root cause of our issue, the threat actor.
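The contrast between the two risk philosophies can be made concrete with a small model. The following is an added illustration, not part of the original post: the means, likelihoods and control effectiveness values are constructed, and the function names are my own. In the safety model, each control reduces the likelihood of one act or condition, and the reductions compound. In the security model, the threat actor holds a fixed intent and picks whichever remaining means offers the best chance of success, so a control on one means only lowers residual risk as far as the next-best means, and removing means from the attack surface leaves the actor (and the best of what remains) in place.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Means:
    """One way the threat actor could reach its intended outcome."""
    name: str
    success: float  # constructed estimate of the chance this means achieves the outcome


# Constructed sample: three means toward the same outcome (disrupting operations).
THREAT_MEANS = [
    Means("phishing", 0.6),
    Means("exposed_service", 0.5),
    Means("insider", 0.2),
]


def safety_residual_risk(hazard_likelihood: float, control_effects: dict[str, float]) -> float:
    """Safety model: the hazard is an isolated entity; each control removes a
    fraction of the acts/conditions that lead to it, and reductions compound."""
    residual = hazard_likelihood
    for effectiveness in control_effects.values():
        residual *= (1.0 - effectiveness)
    return residual


def security_residual_risk(means: list[Means]) -> tuple[str, float]:
    """Security model: the threat actor picks the means with the best chance of
    success, so residual risk is the maximum over the means still available."""
    if not means:
        return ("none", 0.0)  # no means left, though the actor's intent remains
    best = max(means, key=lambda m: m.success)
    return (best.name, best.success)


def apply_control(means: list[Means], target: str, effectiveness: float) -> list[Means]:
    """Reduce the success chance of one means (e.g. awareness training against phishing)."""
    return [
        Means(m.name, m.success * (1.0 - effectiveness)) if m.name == target else m
        for m in means
    ]


def remove_means(means: list[Means], target: str) -> list[Means]:
    """Attack-surface reduction: take one means away entirely."""
    return [m for m in means if m.name != target]


def risk_shift_walkthrough() -> dict[str, tuple[str, float]]:
    """Show how the same control changes residual risk under each model."""
    steps: dict[str, tuple[str, float]] = {}
    steps["security_before"] = security_residual_risk(THREAT_MEANS)
    # A 90% effective control on the top means: the actor simply moves to the next one.
    controlled = apply_control(THREAT_MEANS, "phishing", 0.9)
    steps["security_after_control"] = security_residual_risk(controlled)
    # Removing a means shrinks the attack surface but does not remove the actor.
    reduced = remove_means(controlled, "exposed_service")
    steps["security_after_removal"] = security_residual_risk(reduced)
    # Same 90% control against an isolated safety hazard of equal likelihood.
    steps["safety_after_control"] = ("crane_hazard", safety_residual_risk(0.6, {"training": 0.9}))
    return steps


if __name__ == "__main__":
    for label, (name, value) in risk_shift_walkthrough().items():
        print(f"{label:26s} -> {name:16s} {value:.2f}")
```

Running the walkthrough shows the divergence the text describes: the safety hazard drops from 0.60 to 0.06 once the control is applied, while the security residual only falls from 0.60 to 0.50 because the threat has shifted to the exposed service; removing that service in turn leaves the insider path at 0.20. The actor's intent is never reduced by any of these steps, which is why the model tracks means rather than the actor.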

This assumption, however, may have a lifespan. As we look at systems that “think” because of neural networking, we may see an intermediary stage between the threat actor and the threat mechanism. This might involve the threat actor either developing or contracting an intermediary that has the ability to conduct its own reconnaissance and, using that information, then look at not one but several threat mechanisms to be used separately or together in the attack. Again, we are back at the premise that the security threat has shifted its attention onto something else and has not actually been addressed.

Being cognizant of this difference is something that needs to be reinforced as we look at the integration of security controls into safety management. We need to examine the safety risk management philosophy in a way that takes into account this, and other, core differences.