[ Bron: VTT Technical Research Centre of Finland, ISBN 978-951-38-8746-9, https://doi.org/10.32040/2242-122X.2021.T386 ]
This is the final report summarises the main results of the research project on Integrated Management of Safety and Security Synergies in Seveso plants (SAF€RA 4STER). The objectives of the research project were the following: 1) To gain insights into synergies and tensions related to the management of safety and security in Seveso plants. 2) To find a solution to the challenge of managing safety and security in a coordinated manner. 3) To provide guidelines for managing safety and security in an integrated way in Seveso plants. 4) To provide tools for the identification of security scenarios triggered by malicious human intentions.
The research data included literature reviews on concepts and management of safety, security, cybersecurity; interviews with regulators and safety and security experts on Seveso sites; analysis of past accidents induced by malicious human intent both in the form of physical security violence and cybersecurity interference, and survey on cybersecurity awareness and physical security awareness in companies.
Past incident analysis showed that terrorism and cyberattacks were the most important threat categories for Seveso plants. Even though, past incident analysis showed that no major events occurred in chemical or petrochemical facilities due to cyber-attacks, they remain a relevant threat category, and worth paying attention to. This is because of the current trend towards growing digitalisation, automation and blurring boundaries between IT and operational technology (OT) systems in high-risk industries, makes OT systems vulnerable to cybersecurity attacks.
Cybersecurity awareness in Seveso plants was reported to be at a good level. However, survey respondents had seen ignorance and negligence in their companies regarding cybersecurity. It is possible to create technological barriers, e.g., firewalls, anti-virus software, and to design IT systems so that they direct people to act securely without the need for people to make their own choices. Furthermore, human and organizational barriers, such as integrated management and safety and security culture, are needed. Institutional support to integrated management is weak. The Seveso directive does not require integration. Often cybersecurity is dealt with by IT department, and processsafety and cybersecurity risks are handled separately. These do not contribute to integration. The Responsible Care programme and Environment, Health and Safety and Security (EHS&S) management system adopted by many Seveso plants, do combine different standards into the same management system and thus they represent structural integration. However, they are not sufficient to tackle systemic risks, deriving from interconnectedness of technological and organisational systems and related risks. Integrated management would benefit from risk assessments, in which process-safety risks, physical security risks and cybersecurity risks and their significance would be examined together, e.g. in the same Hazop study. The integrated management would require deep understanding of systemic risks, and new safety and security thinking, and close collaboration between different safety and security experts. Both single plants and industrial parks would benefit from Integrated management.