Key Highlights
- Digital dependencies affect SIL. Safety instrumented systems and control networks now rely on shared digital infrastructure, meaning cyber exposure can directly influence SIL performance and protection layer independence.
- Hazard analysis must evolve. HAZOP, LOPA and shutdown planning need to account for loss of system integrity, degraded communications, and uncertainty within the control environment.
- Cyber controls support safety. Network segmentation, governed remote access, configuration management and recovery testing are now part of demonstrating functional safety.
The chemical industry must change the way it assesses risk as digitalization evolves. Well-practiced hazard and operability studies and safety integrity level, or SIL, assessments depend on clearly defined initiating events and credible failure scenarios. Traditionally, these have centered on physical or electrical faults, such as a transmitter failing low, a valve sticking or a tripped power supply.
The increase in digital connectivity introduces additional potential risks. Control logic can be altered remotely. Communications can be delayed or disrupted. Configuration files can change without visible hardware impact. Equipment can remain seemingly fully intact while safety functions degrade or behave differently from their validated design assumptions.
If interference hinders a shutdown function or suppresses an alarm, SIL performance can be affected. Yet cybersecurity is still widely treated as an IT support function rather than a defined component of safety assurance.
From a safety perspective, the origin of an event matters less than its effect. What matters most is whether the safety function will operate correctly on demand. IEC 61511 Edition 2 addressed this directly by requiring a security risk assessment of the SIS, acknowledging that availability and integrity form part of functional safety. This is a change that many organizations haven’t fully embraced, even a decade after its publication.
Creating Practical Assessments
A practical SIS security assessment does not need to be wrapped in low-level detail. It can be effective if kept at a high level. Begin by defining the SIS boundary around the safety instrumented functions and the assets that can influence them. Then map the digital dependencies: engineering access paths, remote support, network segmentation and any gateways or data links.
From there, the assessment should evaluate a set of credible scenarios that could affect either the availability or integrity of the SIS. It must also consider any possible loss of control, unauthorized changes or corruption of communications and timing. Organizations should rank these scenarios based on their likelihood of occurring and potential consequence to determine their risk level.
The final step in the assessment involves the selection of controls that are consistent with IEC 62443 principles. Typically, these include segmentation, least-privilege access, change controls, monitored remote access and tested backups. These should be integrated into management of change processes and policies, with the understanding that no solution remains trusted or static. Everything must be periodically reassessed to ensure all assumptions remain valid, even as the plant’s digital and physical architecture evolves.
Gaps Beyond Traditional Testing
Across chemical facilities, similar technical patterns regularly appear. We see limited segmentation between process control and safety networks, shared authentication credentials across engineering stations, legacy systems maintained for compatibility but not hardened, remote access services left permanently enabled, and backup regimes that exist but are rarely restoration-tested.
None of these conditions automatically produces an incident. A plant can operate for years without visible disruption. But in a shared network, compromise, misconfiguration or routine maintenance errors can affect multiple protection layers simultaneously. What appears independent on a P&ID may share a common digital pathway.
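The dependency mapping step of the assessment described above, and the shared-pathway problem it exposes, can be made mechanical. The following is an added example, not code from the article or its author: it records, for each protection layer credited in a LOPA scenario, the digital assets it needs in order to act, then flags pairs of layers that share any of them and shows how much of the claimed risk reduction rests on an independence that the network does not provide. Every layer name, zone, workstation, credential set, PFD value and initiating event frequency is a constructed placeholder, and the "credit only the strongest layer in a shared group" rule is a conservative convention assumed for this example, not a published LOPA rule.

```python
"""Added example (not from the article): check whether protection layers credited
as independent in a LOPA actually share a digital dependency.

All layer names, zones, workstations, credential sets and PFD values below are
constructed placeholders for illustration.
"""
from itertools import combinations

# Constructed sample: each credited protection layer and the digital assets it
# depends on in order to act. An empty dict means no digital dependency.
PROTECTION_LAYERS = {
    "BPCS high-level alarm with operator response": {
        "network_zone": "PCN-zone-A",
        "engineering_station": "EWS-01",
        "credential_set": "eng-shared",
        "remote_access": "vendor-gateway",
    },
    "SIF-12 high-high level trip": {
        "network_zone": "PCN-zone-A",        # same zone as the BPCS layer
        "engineering_station": "EWS-01",     # same engineering station
        "credential_set": "eng-shared",      # same shared credentials
        "remote_access": "vendor-gateway",   # same always-on remote path
    },
    "Relief valve PSV-12": {},               # mechanical layer: nothing digital to share
}

# Constructed probability-of-failure-on-demand values for the same layers.
PFD_BY_LAYER = {
    "BPCS high-level alarm with operator response": 0.1,
    "SIF-12 high-high level trip": 0.01,
    "Relief valve PSV-12": 0.01,
}


def shared_dependencies(layers):
    """Map each pair of layers to the digital assets they have in common."""
    findings = {}
    for a, b in combinations(sorted(layers), 2):
        common = {
            kind: asset
            for kind, asset in layers[a].items()
            if layers[b].get(kind) == asset
        }
        if common:
            findings[(a, b)] = common
    return findings


def common_cause_groups(layers):
    """Group layers linked by any shared digital asset (union-find).

    Layers in the same group cannot be credited as independent of each other.
    """
    parent = {name: name for name in layers}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in shared_dependencies(layers):
        parent[find(a)] = find(b)
    groups = {}
    for name in sorted(layers):
        groups.setdefault(find(name), []).append(name)
    return sorted(groups.values())


def lopa_mitigated_frequency(initiating_event_freq, layers, pfd_by_layer):
    """Return (claimed, conservative) mitigated event frequencies per year.

    'claimed' multiplies every layer's PFD as a LOPA normally would.
    'conservative' (a convention assumed for this example, not a standard rule)
    credits only the strongest layer within each common-cause group.
    """
    claimed = initiating_event_freq
    for name in layers:
        claimed *= pfd_by_layer[name]
    conservative = initiating_event_freq
    for group in common_cause_groups(layers):
        conservative *= min(pfd_by_layer[name] for name in group)
    return claimed, conservative


if __name__ == "__main__":
    for pair, common in shared_dependencies(PROTECTION_LAYERS).items():
        print(f"{pair[0]!r} and {pair[1]!r} share: {common}")
    groups = common_cause_groups(PROTECTION_LAYERS)
    print(f"{len(PROTECTION_LAYERS)} layers credited, {len(groups)} independent groups")
    claimed, conservative = lopa_mitigated_frequency(0.1, PROTECTION_LAYERS, PFD_BY_LAYER)
    print(f"claimed {claimed:.1e}/yr vs conservative {conservative:.1e}/yr")
```

With the constructed values, three layers are credited but only two independent groups survive the check, and the mitigated frequency moves from 1e-6 to 1e-5 per year: the sort of tenfold gap a HAZOP or LOPA revalidation should surface before an incident does. In a real assessment the dependency table is populated from the network and asset inventory gathered in the boundary and mapping steps.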
These issues are not the fault of deliberate design. Typically, they are a side-effect of the incremental evolution of plant systems. Engineering teams often inherit architectures that were expanded over many years as connectivity, remote support and vendor tooling were introduced. Each change introduced its own digital dependencies, and these accumulated in a way that standard safety reviews were not designed to evaluate.
In practice, many sites already reassess safety in many different ways: process hazard analysis (PHA), hazard and operability studies (HAZOP), layer of protection analysis (LOPA), management of change (MOC), proof testing and SIL verification are all increasingly important for maintaining safe operations. But without a structured reassessment of digital dependencies, risks may go unnoticed until an event makes them visible. Such a reassessment is a deliberate, periodic and evidence-backed way to check how the plant's current digital reality affects its safety and operations.
Reassessing Safety Under Digitalization
Plants must run structured reassessments that intentionally pull every digital change into the safety conversation. In high-level IEC 62443 terms, a structured reassessment must include defined periodic audits, usually annual or biannual, and the capacity to trigger an audit after key digital changes.
Trigger points might include planned changes like remote access expansion, virtualization migrations or firmware upgrades, but they must also account for unplanned events. Any incident, whether cyber or operational, should be enough to trigger a reaudit.
IEC 62443 also encourages reassessments to be integrated into existing plant governance, placing cyber dependencies into the same disciplined decision-making process as MOC, PHA/HAZOP and SIS lifecycle activities. They become part of plant audits, rather than part of distinct, disconnected IT audits.
Placed within those established engineering frameworks, digital reassessment becomes a natural extension of existing safety management. It ensures that the assumptions made about the effectiveness of protection layers remain valid, even as the plant’s digital and physical architecture continues to evolve.
HAZOPs in a Connected World
There is good reason to make these changes within the existing analysis frameworks, not least familiarity. Chemical engineers are well practiced in examining process deviations through structured analysis. That discipline remains appropriate. Its scope must simply be extended to cover digital pathways. HAZOP and LOPA reviews can reasonably consider loss of visibility caused by network interruption, delayed signal transmission affecting trip timing, unauthorized modification of control parameters, loss of synchronization between redundant systems and loss of access to engineering tools during a process upset.
It is not possible to predict every possible intrusion. The objective is to determine whether safety claims remain valid if digital systems behave outside expected parameters. In practical terms, this means asking whether a safety instrumented function remains effective if supporting communications degrade, if configuration management fails or if remote access is misused. It also means examining whether recovery time from a digital fault introduces secondary risk, since prolonged loss of monitoring can significantly affect decision-making during unstable conditions.
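One concrete form of the question "does the safety instrumented function remain effective if supporting communications degrade" is a response-time budget checked against the process safety time. The following is an added example, not code or data from the article: it models a hypothetical level trip whose I/O travels over a network (two message hops, an assumption), adds the delay introduced when lost or late messages force retries, and reports whether the function still acts within the allowed fraction of the process safety time. All timing values are constructed, and the "use at most half the process safety time" threshold is a common design rule of thumb exposed as a parameter rather than a requirement taken from the article.

```python
"""Added example (not from the article): check a safety instrumented function's
response time against its process safety time, nominally and under degraded
communications. All timing values are constructed for illustration; the SIF is
assumed to use networked I/O (two message hops), which is an assumption.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SifTimingBudget:
    process_safety_time_s: float    # demand to the point where the hazard can no longer be prevented
    sensor_response_s: float        # transmitter detection and update
    logic_solver_scan_s: float      # worst-case logic solver cycle
    final_element_stroke_s: float   # valve travel to the safe state
    hop_latency_s: float            # nominal latency per network hop
    network_hops: int               # sensor -> logic solver -> final element


# Constructed budget for a hypothetical high-high level trip.
SIF_12 = SifTimingBudget(
    process_safety_time_s=30.0,
    sensor_response_s=2.0,
    logic_solver_scan_s=0.5,
    final_element_stroke_s=8.0,
    hop_latency_s=0.1,
    network_hops=2,
)


def comms_delay(budget, retries=0, retry_timeout_s=0.0):
    """Network contribution: nominal hop latency plus any retry timeouts incurred
    when messages are lost or delayed (degraded communications)."""
    return budget.network_hops * budget.hop_latency_s + retries * retry_timeout_s


def response_time(budget, retries=0, retry_timeout_s=0.0):
    """End-to-end SIF response time in seconds for the given comms condition."""
    return (budget.sensor_response_s
            + budget.logic_solver_scan_s
            + comms_delay(budget, retries, retry_timeout_s)
            + budget.final_element_stroke_s)


def timing_margin(budget, retries=0, retry_timeout_s=0.0, margin_fraction=0.5):
    """Seconds of margin against the allowed response time.

    Using at most half the process safety time is a common design rule of thumb;
    it is a parameter here, not a fixed requirement.
    """
    allowed = margin_fraction * budget.process_safety_time_s
    return allowed - response_time(budget, retries, retry_timeout_s)


def sif_timing_ok(budget, retries=0, retry_timeout_s=0.0, margin_fraction=0.5):
    """True when the SIF still acts within the allowed response time."""
    return timing_margin(budget, retries, retry_timeout_s, margin_fraction) >= 0.0


def max_tolerable_comms_delay(budget, margin_fraction=0.5):
    """Total network delay the SIF can absorb before the budget is breached:
    the figure to hand to whoever owns the network as a requirement."""
    non_network = (budget.sensor_response_s + budget.logic_solver_scan_s
                   + budget.final_element_stroke_s)
    return margin_fraction * budget.process_safety_time_s - non_network


if __name__ == "__main__":
    print(f"nominal: {response_time(SIF_12):.1f} s, ok={sif_timing_ok(SIF_12)}")
    degraded = dict(retries=3, retry_timeout_s=2.0)
    print(f"degraded: {response_time(SIF_12, **degraded):.1f} s, "
          f"ok={sif_timing_ok(SIF_12, **degraded)}")
    print(f"network must stay under {max_tolerable_comms_delay(SIF_12):.1f} s total delay")
```

With the constructed numbers the function passes at 10.7 s nominal but fails at 16.7 s once three 2 s retry timeouts are absorbed, and the budget tolerates at most 4.5 s of total network delay. That last figure is the kind of explicit, testable requirement that lets the network owner and the safety engineer share one assumption instead of each holding their own.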
Losing Integrity of Control
Most chemical plants have detailed procedures for mechanical failures, fires and utility outages. Fewer have rehearsed scenarios involving loss of confidence in the control environment itself. In practice, this means defining clear criteria for controlled shutdown where the integrity of control or safety systems cannot be confirmed. Loss of operator visibility, unexplained logic changes or sustained communications failure may introduce unacceptable uncertainty.
Rehearsing means developing focused whole-plant operational technology incident-response drills. These should bring operations, control engineering, safety, IT and cybersecurity teams together to practice decision-making under the pressure of an uncertain control environment. Realistically, these drills do not seek a perfect technical diagnosis. The goal is to generate a disciplined response: confirming what can be confirmed, isolating where practical and applying pre-agreed criteria for switching to manual operation or initiating a controlled shutdown.
Practicing these scenarios in advance reduces hesitation and prevents the plant from operating blind during an abnormal digital event. It is the kind of procedure that helped Swiss specialty chemical and pharmaceutical manufacturer Siegfried, which in 2021 deliberately halted production at multiple sites and isolated networks for just that reason following a malware attack on its IT environment. The shutdown was a safety decision. Until system integrity could be verified, operations could not continue with confidence.
The Importance of Digital Safety Integration
Facilities that conduct structured security assessments of safety-critical systems are better positioned to demonstrate robust risk management to regulators and insurers. Addressing cyber exposure does not require dismantling existing safety frameworks. Clear demarcation between safety and non-safety networks, time-bound governance of remote access and formal inclusion of digital configuration changes within MOC processes are practical steps consistent with established engineering practice.
Just as proof testing validates hardware reliability assumptions, recovery testing validates digital integrity assumptions. Accountability must also be explicit. Where responsibility for safety systems and digital infrastructure is divided across departments, the interfaces between them should be formally defined. Ambiguity in ownership creates gaps in risk control, particularly where issues fall between operational and IT teams.
Process Safety in a Digital Context
Chemical manufacturing operates on the understanding that multiple small weaknesses can combine into a major event. Cyber exposure should be evaluated with the same mindset. As connectivity continues to expand, safety assurance must account for the ways digital infrastructure both supports and can undermine protection layers.
Chemical facilities already apply disciplined analysis to equipment, materials and procedures. Extending that discipline to connected control and safety systems is a practical continuation of established safety management principles. Functional safety depends on confidence that protection layers will perform when demanded. In a connected plant, that confidence also depends on how those systems are protected, governed and verified in the digital domain.
About the Author

Denrich Sananda
Managing Partner and Senior Consultant, Arista Cyber
Denrich Sananda combines deep technical expertise with strategic insight to address the most complex cyber risk challenges. With a career built on pioneering work in automation and critical infrastructure security, he has led high-profile initiatives across North America and the Middle East. His mission is to help shape resilient systems that stand strong against evolving threats and guide organizations toward greater security maturity, operational confidence, and long-term resilience.
Denrich is a Harvard Business School alumnus and holds many cybersecurity certifications and positions, including membership of the ISA99 WG2 committees working on the description of an effective cybersecurity management system in the ISA-62443-2-1 standard, and is a member of the board of directors of ISA Toronto.
