Some time ago, we wrote about the not-so-apparent connection between cyber attacks and HSE risk. As cyber attacks grow in number and sophistication, their reach and impacts are also evolving. The November 2015 issue of Financier Worldwide Magazine includes a feature focused specifically on the unique aspects of cyber attacks on the energy and natural resources sector. One of the contributors to the discussion panel stated:
Whilst the target of cyber attacks on most companies is data theft, energy and natural resources companies face the additional threat of attacks designed to control or damage their physical facilities. These are wholly different threats requiring wholly different responses.
Given this statement (which mirrors the story we told in our earlier article), the linkage between cyber risk and HSE incidents is clear. Safety mechanisms could be circumvented, causing unanticipated startup of equipment while employees are conducting maintenance or repairs. Operational controls could be bypassed, allowing runaway reactions, inaccurate or nonfunctioning monitoring equipment, or equipment operating beyond physical or legal limitations. Clearly, employee safety and environmental compliance are at risk, as is the prevention of catastrophic releases.
What are some of the “different responses” referred to above? First and foremost is recognition of the linkage between HSE and IT security. We recommend that HSE staff spend time with IT personnel to understand the extent of computerized operational controls and which systems and processes depend on IT systems. From there, conduct an HSE risk assessment in order to develop potential responses and risk controls. Appropriate controls should not be limited to IT security solutions that prevent occurrences, but should also include risk mitigation and responses in the event that an HSE incident occurs as a result of a breach. Another panelist in the Financier Worldwide article states:
… consider other risk strategies such as transfer through insurance and mitigating the level of impact or the probability of occurrence.
We agree. But it begins with recognizing the connections between computer security and the potential HSE impacts.