energies

Article
Integrated Functional Safety and Cybersecurity Evaluation in a
Framework for Business Continuity Management
Kazimierz T. Kosmowski 1 , Emilian Piesik 1, * , Jan Piesik 2 and Marcin Śliwiński 1

1 Faculty of Electrical and Control Engineering, Gdansk University of Technology, G. Narutowicza 11/12,
80-233 Gdansk, Poland; [email protected] (K.T.K.); [email protected] (M.Ś.)
2 Michelin Polska Sp. z o.o., St. W. Leonharda 9, 10-454 Olsztyn, Poland; [email protected]
* Correspondence: [email protected]

Abstract: This article outlines an integrated functional safety and cybersecurity evaluation approach
within a framework for business continuity management (BCM) in energy companies, including those
using Industry 4.0 business and technical solutions. In such companies, information and communica-
tion technology (ICT), and industrial automation and control system (IACS) play important roles.
Using advanced technologies in modern manufacturing systems and process plants can, however,
create management impediments due to the openness of these technologies to external systems and
networks via various communication channels. This makes company assets and resources potentially
vulnerable to risks, e.g., due to cyber-attacks. In the BCM-oriented approach proposed here, both
preventive and recovery activities are considered in light of engineering best practices and selected
international standards, reports, and domain publications.

Keywords: functional safety; cybersecurity; BCM; Industry 4.0; information technology; industrial
control system

Citation: Kosmowski, K.T.; Piesik, E.;

Piesik, J.; Śliwiński, M. Integrated
1. Introduction
Functional Safety and Cybersecurity
Evaluation in a Framework for Industrial companies nowadays, including those implementing Industry 4.0 smart
Business Continuity Management. technologies, face potential safety and security problems due to their use of open systems
Energies 2022, 15, 3610. https:// and networks for communication and control [1–3]. The same concerns exist with respect
doi.org/10.3390/en15103610 to the energy systems within critical infrastructure such as power plants for producing
electricity and/or heat from various energy sources, including coal, oil, natural gas, biogas,
Academic Editor: Marko Mladineo
and renewable energy sources.
Received: 17 March 2022 In order for power plants and distributed industrial systems to be economically effec-
Accepted: 12 May 2022 tive, they should be reliable in continuous operation mode, or with the highest achievable
Published: 15 May 2022 availability when their operation is required on demand (e.g., during peak load of the
Publisher’s Note: MDPI stays neutral
electrical grid or during an abnormal state due to dependent or cascade failure leading
with regard to jurisdictional claims in
to emergency conditions). These issues can be considered from a business continuity
published maps and institutional affil- management (BCM) [4,5] point of view.
iations. A traditional RAMS&S (reliability, availability, maintainability, safety, and security)
methodology [6,7] can support elements of BCM in the life cycle, however, it insufficient
due to its need to consider various impact factors, including the human and organizational
factors. Certain aspects of BCM can be analyzed regarding performability engineering, as
Copyright: © 2022 by the authors. analysed and emphasised by Misra [8]. An interdisciplinary review of business continuity
Licensee MDPI, Basel, Switzerland. issues from the perspective of information systems, directed towards proposing an inte-
This article is an open access article grated framework, was published by Niemimaa [9]. These issues are lately of increasing
distributed under the terms and attention to insurance companies [10,11].
conditions of the Creative Commons Relatively new aspects in BCM analysis are connected to information and communica-
Attribution (CC BY) license (https://
tion technology (ICT) and industrial control systems (ICS) that operate within computer
creativecommons.org/licenses/by/
systems and networks using wired or wireless communication channels. These systems
4.0/).

Energies 2022, 15, 3610. https://doi.org/10.3390/en15103610 https://www.mdpi.com/journal/energies

Energies 2022, 15, 3610 2 of 21

and networks have been considered in several publications and research reports from the
perspective of systems engineering [12–15] and cyber-physical systems [16,17]. Several
research projects have been undertaken concerning the integrated analysis of ICS safety
and security [18,19]. Interesting research works have been published concerning business
continuity management, for instance an article [20] and monograph [21]. The functional
safety and cybersecurity issues of industrial automation and control systems (IACS) have
lately been emphasized as especially important in the design and operation of hazardous
industrial plants and critical infrastructure systems [22–25].
Several security-related issues of the industrial automation and control system (IACS)
have been considered in the context of protection solutions proposed for improving IACS
security as proposed in the IEC 62443 standard [26]. The dependability and safety integrity
of the safety-related part of the ICS are discussed with regard to the generic functional
safety standard IEC 61508 in [27].
The remainder of this article is structured as follows. Section 2 provides a basic
overview of functional safety and cybersecurity aspects related to business continuity
management and the basic requirements in the context of risk evaluation within the life
cycle; in addition, a BCM framework is proposed for business continuity planning in
industrial companies. Section 3 outlines an integrated dependability, safety, and security
management framework for industrial companies, including BCM aspects. In Section 4, a
case study is presented to demonstrate the application of the proposed integrated approach.
In the conclusions, the significance of adequately treating ICT and IACS within BCM
activities in Industry 4.0 is emphasized.

2. Brief Presentation of the Framework and Components

2.1. Overview of IT and OT Systems and Their Convergence
The convergence of information technology (IT) and operational technology (OT)
creates both new opportunities and new challenges. The data flows outside and into plant
networks inevitably lead to additional threats and increased security-related risks. One
of the biggest challenges facing the industrial sector is understanding the risks involved
in potential cyberattacks, which are already being observed; these risks can emerge when
companies adopt Industry 4.0 technologies, including Industrial Internet of Things (IIoT)
technologies and tools. The management staff of industrial companies are becoming more
aware about the magnitude of the gap between the priorities recognized by teams responsi-
ble for operational technology (OT) and those recognized by information technology (IT)
professionals. This gap often impacts new cybersecurity initiatives.
In order to explain the issues involved, it is necessary to begin with a model industrial
system. The traditional reference model is based on the ISA99 series of standards derived
from the generic model of ANSI/ISA-95.00.01 (Enterprise-Control System Integration), and
represents the manufacturing system using five functional and logical levels (Figure 1).
These levels are often assigned to two classes, namely, Operational Technology (OT) and
Information Technology (IT), with their own relevant security zones. The zero level de-
fines the actual physical processes. The first level of activities involved in sensing and
manipulating physical processes include intelligent devices. The second level includes
control systems (e.g., Programmable Logic Controllers). The third level, site manufacturing
and control, includes an ICS/SCADA system with a relevant Human–System Interface
(HSI) and the Manufacturing Execution System (MES). The fourth level, enterprise busi-
ness planning and logistics, comprises an Enterprise Resource Planning (ERP) system for
effectively management and coordination of the business and enterprise resources required
for manufacturing processes. Finally, the fifth level is the enterprise network for business
and logistics activities, which can now be supported using applications based on Cloud
Technology (CT) [28,29].
Energies 2022, 15, 3610

Energies 2022, 15, 3610 3 of 21

Enterprise DMZ Time-frame:

Security Zone months
Level 5: Enterprise Network
weeks
IT Level 4: Site Business Planning & Logistics
days
DMZ
shifts
Manufacturing Level 3: Site Manufacturing and Control
Security Zone hours
Cell Security Zone
Level 2: Area Control minutes
OT
Level 1: Sensing and Basic Control seconds

Level 0: Manufacturing Processes, I /O Devices milliseconds

Figure 1. Traditional reference model of an industrial system based on the ANSI/ISA95 standard.
Figure 1. Traditional reference model of an industrial system based on the ANSI/ISA95 sta
In an open manufacturing system, assigning safety and security-related requirements
requiresInthe
anspecial
openattention
manufacturing
of designerssystem, assigning
and operators safety and security-related
[3,30,31].
ments requires the special attention of designers andrequirement
From an information security point of view, an important operators and solution
[3,30,31].
is to prioritize segmentation of the complex industrial computer system and network,
From an information security point of view, an important requirement and
distinguishing cell security zones and designing a Demilitarized Zone (DMZ), as illustrated
isFigure
in to prioritize
1. segmentation of the complex industrial computer system and netw
tinguishing
The DMZ is cell security
sometimes zonestoand
referred designing
as a perimeter a Demilitarized
network Zoneand
or screened subnet, (DMZ),
is a as ill
physical or
in Figure 1. logical subnetwork for controlling and securing internal data and services from
an organization’s external services using an untrusted (usually larger) network such as a
The DMZ is sometimes referred to as a perimeter network or screened subne
corporate-wide area network (WAN), the Internet, or a cloud technology (CT).
a physical
Thus, theor logical
purpose of asubnetwork
DMZ is to addfor controlling
a layer of security and
to an securing internal
organization’s data and
local area
from an(LAN);
network organization’s
an external external services
network node usingonly
can access an untrusted (usually
what is exposed in thelarger)
DMZ, netw
as a corporate-wide
while area network
the rest of the organization’s network(WAN), the Internet,
is firewalled [1,30]. or a cloud technology (CT
An actual list of internal and external influences,
Thus, the purpose of a DMZ is to add a layer of security hazards, and threatstoshould be
an organizatio
Energies 2022, 15, 3610
considered during the design and operation of the OT and IT systems and networks.4Basic of 21
area network (LAN); an external network node can access only what is expose
features of these systems are presented in Figure 2.
DMZ, while the rest of the organization’s network is firewalled [1,30].
An External
actual business
list of and
internal and external
environmental influences influences, hazards, and threats should
sidered during the design
Organisational and operation
and human factors of the OT and IT systems and network
features of these systems are presented in Figure 2.
While the expected lifetime of OT systems is typically evaluated in the rang
20 years, OT this
networkdrops to only 3–5 years IT network
in the case of IT systems [23]. In characteri
Lifetime 10-20 years Lifetime 3-5 years
OT system, the AIC triad (Availability, Integrity, and Confidentiality) is often use
AIC triad
oritize basic(prioritizing):
requirements, while CIAthetriad CIA
(prioritizing):
triad (Confidentiality, Integrity, and A
1. Availability / Reliability 1. Confidentiality
ity) is used to characterize
2. Integrity / Safety the IT network.
2. Integrity
3. Confidentiality
The safety and security of 3.both Availability
OT and IT systems and networks are depen
various external and internal influences, including organizational and human fact
Traditionally, a general MTE (Man-Technology-Environment) approach has be
Functional / technical specifications; Inspection and testing plans
posed formaintenance
Preventive systemicstrategy;
analyses and
Incident management
management proceduresin the life cycle of industrial insta
Business Continuity Management
An interesting framework for dealing with complex technical systems is offered
tems engineering (SE) [13]. The industrial automation and control system (IACS
Figure
Figure 2.2. Basic features
features characterizing
characterizing OT
OT and
and IT
IT systems
systems and
and networks
networks [23].
[23].
can be considered as a cyber-physical system [17,34,35].
2.2. Functional Safety of OT Systems
For high dependability and safety of the OT system, an operational strategy within
BCM should be elaborated that includes inspections and periodical testing of safety-re-
lated control systems, for instance, electrical/electronic/programmable electronic (E/E/PE)
Energies 2022, 15, 3610 4 of 21

While the expected lifetime of OT systems is typically evaluated in the range of

10–20 years, this drops to only 3–5 years in the case of IT systems [23]. In characterizing the
OT system, the AIC triad (Availability, Integrity, and Confidentiality) is often used to priori-
tize basic requirements, while the CIA triad (Confidentiality, Integrity, and Availability) is
used to characterize the IT network.
The safety and security of both OT and IT systems and networks are dependent on
various external and internal influences, including organizational and human factors [32].
Traditionally, a general MTE (Man-Technology-Environment) approach has been proposed
for systemic analyses and management in the life cycle of industrial installations. An
interesting framework for dealing with complex technical systems is offered by systems
engineering (SE) [13]. The industrial automation and control system (IACS) [26,33] can be
considered as a cyber-physical system [17,34,35].

2.2. Functional Safety of OT Systems

For high dependability and safety of the OT system, an operational strategy within
BCM should be elaborated that includes inspections and periodical testing of safety-related
control systems, for instance, electrical/electronic/programmable electronic (E/E/PE)
systems [27] and safety instrumented systems (SIS) [36], including their sensors and the
equipment under control (EUC).
The operational equipment of manufacturing lines (machinery, drives, operational
control systems, etc.) requires an advanced preventive maintenance strategy to be imple-
mented in order to achieve the required high OT availability and reduce the risk of outages
and related production losses. Incident management procedures must be developed to
reduce the risk of potentially hazardous events leading to major losses.
A set of safety functions are implemented in the safety-related ICS of required safety
integrity levels (SILr), determined in the risk assessment process in relation to the criteria
defined [12], to be assigned, for instance, to the E/E/PE or SIS systems (see the OT block in
Figure 3).
Two different requirements must be specified to ensure an appropriate level of func-
tional safety [37]:
• The requirements imposed on the performance of safety functions designed for
hazard identification;
• The safety integrity requirements, i.e., the probability that a safety function will be
performed in a satisfactory way when a potentially hazardous situation occurs.
Safety integrity is defined as the probability that a safety-related system, such as the
E/E/PE system or SIS, will satisfactorily perform a defined safety function under all stated
conditions within a given time. For safety-related ICS in which a defined safety function is
implemented two probabilistic criteria must be defined, as presented in Table 1 for four
categories of the SIL [27], namely:
• The probability of failure on demand average (PFDavg ) of the safety-related ICS in
which the considered safety function is implemented, operating in a low-demand
mode (LDM); or
• The probability of dangerous failure per hour (PFH) of the safety-related ICS operating
in a high- or continuous-demand mode (HCM).
ies 2022, 15, 3610
Energies 2022, 15, 3610 5 of 21

CT
APP
Cloud
Remote Remote
access access
Edge cloud
WAN Internet

IT
Internet/CT Web/Mail Business Business and
Firewall
DMZ Servers Servers operation
management
HSI Firewall

Operation Application SCADA Domain Enterprise

DMZ Servers Server Controller LAN

Firewall Firewall OT
Supervisory
SCADA/ICS SCADA/ICS LAN
BPCS/HMI/AS BPCS/HMI/AS Supervision,
production
and control
PLC / RTU PLC / RTU processes
Safety PLC Safety PLC
E/E/PE, SIS E/E/PE-SIS Control /
Plant I/O, EUC Plant I/O, EUC Safety LAN

Figure 3. Typical ICT and ICS architecture including OT, IT, and CT.
Figure 3. Typical ICT and ICS architecture including OT, IT, and CT.
Table 1. Categories of SIL and probabilistic criteria to be assigned to safety-related ICS operating in
LDM or HCM.
Table 1. Categories of SIL and probabilistic criteria to be assigned to safe
SIL
LDM or HCM. PFDavg PFH [h−1 ]
4 [10−5 , 10−4 ) [10−9 , 10−8 )
3 [10−4 , 10−3 ) [10−8 , 10−7 )
SIL 2 PFD avg
[10−3 , 10−2 ) [10−7 , 10−6 )
1 − 2
[10 ,−5 − 1
10 ) −4 [10−6 , 10−5 )
4 [10 , 10 ) [
3 [10−4, 10−3)
The SIL requirements assigned for the safety-related ICS to be designed for imple-
[
menting2 a specified safety function stem [10
from−3 , 10
the −2) of the risk analysis and evaluation
results [
meant to reduce the risk of losses by sufficiently considering specified risk criteria, namely,
1 risk and/or group or societal
for individual [10risk
−2, 10−1)
[27]. [

The SIL requirements assigned for the safety-related ICS to

menting a specified safety function stem from the results of the ri
tion meant to reduce the risk of losses by sufficiently considerin
Energies 2022, 15, 3610 6 of 21

If societal risk is of interest, analyses can generally be oriented on three distinguished

categories of loss, namely [27,36,38], health (H), environment (E), and material (M) damage;
then, the SIL required (SILr ) for a particular safety function is determined as follows:

SILr = max (SILrH , SILrE , SILrM ) (1)

As mentioned above, SIL verification can generally be carried out for either of two
operation modes, namely, LDM or HCM. The former is characteristic of the process indus-
try [36], while the latter is typical for machinery [39], railway transportation systems, and
the monitoring and real-time control of any installation using an ICS/SCADA system.
Management of the OT system and IACS, including safety-related lifecycle ICS, can be
challenging; in industrial practice, it is difficult to achieve the above-specified requirements
concerning the AIC triad (see Figure 3) for various reasons. Nevertheless, these systems con-
tribute significantly to the realization of required quality and quantity of products in time,
and influence overall equipment effectiveness (OEE). No less important are the functional
safety and cybersecurity issues regarding the requirements and criteria discussed above.
The following items should be specified for implementation in industrial practice:
• A plan for operating and maintaining E/E/PE safety-related systems or SIS;
• Operation, maintenance, and repair procedures for these systems over their whole
life cycle;
Implementation of these items must include initiation of the following actions:
• Implementing procedures;
• Following maintenance schedules;
• Maintaining relevant documentation;
• Periodically carrying out functional safety audits;
• Documenting any modifications to the hardware and software in E/E/PE systems.
Thus, all modifications that have an impact on the functional safety of any E/E/PE
safety-related system must initiate a return to an appropriate phase of the overall E/E/PE
system or software safety lifecycles. All subsequent phases must then be carried out in
accordance with the procedures specified for the specific phases regarding the requirements
in the above-mentioned standards.
For each phase of the overall functional safety lifecycles, a plan for verification and
validation should be established concurrently with the development of consecutive phases.
The verification plan must document or refer to the criteria, techniques, and tools to be
used in verification activities.
Chronological documentation of operation, repair, and maintenance of safety-related
systems should be maintained and must include the following information:
• The results of functional safety audits and tests;
• Documentation on the time and cause of demands on E/E/PE safety-related systems
in actual operation the performance of the E/E/PE safety-related systems when subject
to those demands, and any faults found during routine testing and maintenance;
• Documentation of any modifications made to safety-related ICS, including equipment
under control (EUC).
The requirements concerning chronological documentation should be sufficiently
detailed for the specific context of safety-related ICS operations [27,36,39].

2.3. Cybersecurity of IT Systems

From a cybersecurity perspective, the systems and networks used within the business
environment (level 4 of the ISA95 model in Figure 1) should be considered as potentially
insecure, as they contain complex interdependent hardware and software (see simplified
architecture in Figure 3), remote access paths, and external communications. Therefore,
IT and OT systems with the access to the Internet and/or a wide area network (WAN),
or when the cloud technology (CT) is used, should be secured at the required security
Energies 2022, 15, 3610 7 of 21

assurance level (SAL) for assignment to respective zones [26]. It has been postulated that
the SAL assigned to the relevant domain should be included when verifying the safety
integrity level (SIL) of safety-related ICS in which a specified safety function is to be
implemented [12,40].
Security-related risks can be mitigated through the combined efforts of component
suppliers, the machinery manufacturer, the system integrator, and the machinery final end
user (with the company owner responsible) [26,33]. Generally, the response to a security
risks should be as follows [41]:
(a) Eliminate the security risk by design (avoiding vulnerabilities);
(b) Mitigate the security risk by risk reduction measures (limiting vulnerabilities);
(c) Provide information about residual security risks and measures to be adopted by
the user.
The IEC 62443 standard [26] proposes an approach to dealing systematically with
security-related issues in IACS. Four security levels (SLs) have been defined, under-
stood as a confidence measure for ensuring that the IACS is free from vulnerabilities
and will function in the intended manner. These SLs are suggested in the standard
IEC 63074 [41] for dealing with the security of safety-related ICS designed for the operation
of manufacturing plants.
These levels (numbered from 1 to 4, see Table 2) represent a piece of qualitative
information addressing the relevant protection scope of the domain or zone considered in
the evaluation against potential violations during safety-related ICS operation in a zone.

Table 2. Security levels and protection description of the IACS domain [26,41].

Security Levels Description

SL 1 Protection against casual or coincidental violation
Protection against intentional violation using simple means with low
SL 2
resources, generic skills, and low motivation
Protection against intentional violation using sophisticated means with
SL 3
moderate resources, IACS-specific skills, and moderate motivation
Protection against intentional violation using sophisticated means with
SL 4
extended resources, IACS-specific skills, and high motivation

The relevant SL number from 1 to 4 should be assigned to seven consecutive founda-

tional requirements (FRs) relevant within the domain considered [26]:
FR 1—Identification and authentication control (IAC);
FR 2—Use control (UC);
FR 3—System integrity (SI);
FR 4—Data confidentiality (DC);
FR 5—Restricted data flow (RDF);
FR 6—Timely response to events (TRE);
FR 7—Resource availability (RA).
Thus, it is suggested that dependability and security-related evaluations apply a
defined vector of relevant FRs from those specified above. Such a vector might be defined
for the security-related requirements for a zone, conduit, component, or system. It contains
the general integer numbers characterizing the SL from 1 to 4 (or 0 if not relevant) to be
assigned to consecutive FR.
A general format of the security assurance level (SAL) to be evaluated for a given
domain is defined as a function of [FRs] [26]:

SAL × ([FRs] domain) = f [IAC UC SI DC RDF TRE RA] (2)

Energies 2022, 15, 3610 8 of 21

2.4. Integrated Functional Safety and Cybersecurity Evaluation

Assigning the SAL to the domain or zone as an integer number from 1 to 4 [37,42] can
present problems. To overcome this difficulty, the security indicator SIDo for a domain (Do)
can be defined [40] to determine security levels SLi for a set (Re) of relevant fundamental
requirements (FRi ) with relevant weights wi evaluated based on the opinions of ICT and
ICS experts. This indicator is a real number from the interval (1.0, 4.0) calculated using the
following formula:
SI Do = ∑ wi SLi , ∑ wi = 1 (3)
i ∈Re i

Four intervals of the domain security index SIDo (from SIDo1 to SIDo4 ) are proposed in
the first column of Table 3 for assigning an SAL category integer number from 1 to 4. This
approach corresponds with that used in earlier publications for attributing an SAL to the
domain based on the dominant SLi for the relevant fundamental requirements, FRi .

Table 3. Proposed correlation between SIDo /SAL for the evaluated domain and final SIL to be
attributed to the safety-related ICS of a critical installation.

SIL Verified According to IEC 61508 *

Security Indicator SIDo /SAL
1 2 3 4
SIDo1 ∈[1.0, 1.5)/SAL 1 SIL 1 SIL 1 SIL 1 SIL 1
SIDo2 ∈[1.5, 2.5)/SAL 2 SIL 1 SIL 2 SIL 2 SIL 2
SIDo3 ∈[2.5, 3.5)/SAL 3 SIL 1 SIL 2 SIL 3 SIL 3
SIDo4 ∈[3.5, 4.0]/SAL 4 SIL 1 SIL 2 SIL 3 SIL 4
* verification includes the architectural constraints regarding SFF and HFT of subsystems.

Three types of vectors describing SLi for consecutive FRi of a domain can be distin-
guished [24]:
• SL-T (target SAL)—Desired level of security;
• SL-C (capability SAL)—Security level that the device can provide when properly
configured;
• SL-A (achieved SAL)—Actual level of security of a particular device.
Proposed correlations between the security index to be assigned to the domain
SIDo /SAL and the final SIL attributed to the safety-related ICS in a hazardous installa-
tion are presented in Table 3. It was assumed that SILs were verified according to IEC
61508 requirements based on the results of probabilistic modelling [12,43], regarding po-
tential common cause failures (CCFs) and the influence of the human and organizational
factors regarding architectural constraints for the evaluated SFF and HFT of the E/E/PE
subsystems (see explanations above). Thus, SIL verification requires probabilistic mod-
elling of the safety-related ICS of the proposed architecture regarding the SFF and HFT of
the subsystems.

2.5. Scope of BCM

Business continuity management (BCM) is usually understood as the capability and
specified activity of an organization to continue delivery of products and/or services of
required quality within acceptable time frames at a predefined capacity relating to the scale
of potential disruptions [4].
A disruption is defined as an incident, whether anticipated or unanticipated, that
causes an unplanned negative deviation from the expected delivery of products and services
according to an organization’s objectives. An objective is the result to be achieved. The
objective can be strategic, tactical, or operational.
The objective can be expressed in other ways, e.g., as an intended outcome, a purpose,
an operational criterion, or using other words with similar meaning (e.g., aim, goal, or
target). Objectives can relate to different disciplines (such as financial, health and safety, and
 Energies 2022, 15, 3610 9 of 21

environmental objectives) and can apply at different levels (such as strategic, organization-
wide, project, product, and process).
Energies 2022, 15, 3610 The BCM can be considered an integral part of a holistic risk management that safe-
guards the interests of the organization’s key stakeholders, reputation, brand, and value by
creating activities through [10]:
• Identifying potential threats that might cause adverse impacts on an organization’s
business
An eventoperations,
can and
be associated
an occurrencerisks; or change in a particular set of circu
• Providing a framework for building resilience for business operations;
•could have capabilities,
Providing several causes and
facilities, severaland
processes, consequences.
elaborated actionAn
taskabnormal
lists, etc., forevent d
or threat
effectiveisresponses
considered a riskand
to disasters source.
failures.An emergency is a result of a sudden, u
unexpected
An event canoccurrence or event
be an occurrence requiring
or change immediate
in a particular set of action. It is athat
circumstances disruptio
could have several causes and several consequences. An abnormal event
that can be anticipated or prepared for, although seldom exactly foreseen [ due to a hazard
or threat is considered a risk source. An emergency is a result of a sudden, urgent, usually
Theoccurrence
unexpected organization
or eventmust implement
requiring and maintain
immediate action. a systematic
It is a disruption or condition risk as
cess.
that canSuch a process
be anticipated could for,
or prepared be although
carriedseldom
out, for instance,
exactly foreseen in accordance with
[44–46].
The organization must implement and maintain
standard. As shown in Figure 4, an organization should: a systematic risk assessment process.
Such a process could be carried out, for instance, in accordance with the ISO 31000 standard.
(a)shown
As Identify risks
in Figure 4, an of disruption
organization to the organization’s prioritized activities
should:
(a) porting
Identify risksresources;
of disruption to the organization’s prioritized activities and their sup-
porting resources;
(b) Systematically analyze and assess risks of disruption;
(b) Systematically analyze and assess risks of disruption;
(c)
(c) Evaluate
Evaluate risksrisks of disruptions
of disruptions that requirethat require
adequate adequate treatment.
treatment.

Establishing Scope and Context of

Communication the risk management processes Monitoring,
and recording,
consultation Risk evaluation reporting
and reviewing
in context of Hazards & threats identification
Preliminary ranking of risks for proactive
legal system, safety and
good practices, security
expectations of Risk analysis management
stakeholders,
and with
criteria for risk Risk assessment consideration of
evaluation defined KPIs
including BCM and relevant
requirements organizational
factors
Risk treatment

Figure
Figure4. Risk management
4. Risk process (based
management on [47]).
process (based on [47]).
Risk evaluation is considered an overall process of hazard/threat identification, risk
Risk
analysis, andevaluation
risk assessment is considered an overall is
[28,47]. Risk management process
a processofofhazard/threat
coordinating iden
activities in order to direct and control an organization regarding risk.
analysis, and risk assessment [28,47]. Risk management is a process of coor
The general purpose is to reduce an industrial system’s vulnerability as required
ities
in orderintoorder
increasetoitsdirect and
resilience as control an organization
justified considering regarding
current legal risk.
and/or regulatory
The general
requirements regardingpurpose is cost–benefit
the results of to reduceanalyses.
an industrial
Relevant system’s vulnerability
protection measures
should
order to increase its resilience as justified considering current legalorand/or
be proposed that adequately safeguard and enable an organization to prevent
reduce the impact and consequences of potential disruptions.
quirements regarding the results of cost–benefit analyses. Relevant protec
should be proposed that adequately safeguard and enable an organization
reduce the impact and consequences of potential disruptions.
After a major disruption, the recovery process is to be undertaken in o
Energies 2022, 15, 3610 10 of 21

After a major disruption, the recovery process is to be undertaken in order to restore

system operation in a timely manner and improve activities, operations, facilities, and other
key determinants of the affected organization where appropriate in order to increase its
business resilience for the future.

2.6. BCM in Energy Companies

There have been various approaches proposed to apply the BCM concept in industrial
practice. The standard BS 25999-1 [29] provided a proposal based on the concept of good
practice. It was intended for use by anyone with responsibility for business operations or
the provision of services, from top management through all levels of the organization. It
was in principle foreseen for a single-site BCM or, with a more global presence, ranging from
a sole trader through a small-to-medium enterprise (SME) to a large company employing
thousands of people. However, this standard was withdrawn and replaced in industrial
practice in favor of the ISO/DIS 22301 [4], which describes the basic requirements to be
assigned in developing modern BCM systems.
As previously mentioned, BCM includes the recovery, management, and continuation
of business activities in situations of business disruption as well as integrated management
of the overall program through training, exercises, audits, and reviews to ensure that the
business continuity plan stays current and up to date [48–50].
When analyzing energy and industrial companies, including their control systems [15,51,52],
it is suggested that the following categories of potential disruptions be considered:
• Failures in logistics chains, delays in delivery of raw materials or semi-finished prod-
ucts by business partners, and/or delays in providing services, spare parts etc.
• Failures in electric energy distributed systems
• Power transformer station failures fires, cyberattacks, etc.
• Physical or cyberattack
• Failures and outages of ICT and CT (cloud technology) systems and networks designed
using wired and/or wireless technology
• Failures and outages of OT systems and networks, including production lines and
storage, and/or malfunctions of industrial automation and control systems (IACS)
• Extreme environmental phenomena, lightning storms, heavy rain, local flooding, flood,
hurricane, or tornado, extremely high or low temperature, and heavy snowfall or icing
• Disturbances in critical infrastructure objects and systems needed to deliver water,
electricity, gas etc.
• Fire or explosion
• Extreme emission of pollutants and/or dangerous substances
• Destruction due to potentially critical events in physical surroundings or infrastructure
installations
• Earthquake and/or tsunami (at sites close to the shore)
• Sabotage, terrorism, or cyberterrorism against critical infrastructure objects/systems
inspired by an external principal or agent
• Legislative changes
Only selected categories of potential disruptions will be discussed in the presented approach.
The consequences of an incident may vary significantly and can be far-reaching,
including major accidents with both internal and external losses. These consequences
might involve loss of life, environmental losses, and loss of assets or income due to the
inability to deliver products and services on which the organization’s strategy, reputation,
or even economic survival might depend.
The importance of shaping the organizational culture and related safety and security
culture is essential. It is a fundamental prerequisite both of successful activities and of
avoiding failures in any organization, including a modern industrial company present
within a competitive market.
Expected outcomes of an effective BCM program implemented in an energy or indus-
trial company are as follows [4,49]:
Energies 2022, 15, 3610 11 of 21

• Key products and services are identified and protected, ensuring their continuity;
• Incident management capability is enabled to provide an effective response;
• The company understands its relationships with cooperating companies/organizations,
relevant regulators and authorities, and emergency services;
• Staff are trained to respond effectively to an incident or disruption through
appropriate exercises;
• Stakeholders’ requirements are understood and able to be delivered;
• Staff receive adequate support and communications in the event of a disruption;
• The company’s supply chain is better secured;
• The organization’s reputation is protected and remains compliant with its legal and
regulatory obligations.
In the energy sector, it is crucial to have maintain the operation of infrastructure
equipment. This is supported by the correct application of BCM. As previously mentioned,
there are many factors affecting the operation of any plant, including a power sector plant.
These various factors are multidisciplinary and can be applied to different industry sectors.
Several indicators are used for decision-making in BCM, for instance [48], RTO (recov-
ery time objective), the recovery time of a process or the required resources, and MTPD
(maximum tolerable period of disruption), the maximal tolerable downtime which, when
exceeded, seriously threatens the medium-term or long-term survival of the process or the
organization. The maximum time for recovery (RTO) must be smaller than the maximum
tolerable period of disruption (MTPD).
A formal set of procedures should be established to deal with information security
incidents and identified weaknesses, which may have a physical component. This should
encompass [44,49,50]:
• Detection of all information security incidents (and weaknesses) and related escalation
procedures and channels;
• Reporting and logging of all information security incidents and weaknesses;
• Logging all responses and preventive and corrective actions taken;
• Periodic evaluation of all information security incidents and weaknesses;
• Learning from reviews of information security incidents(and weaknesses and making
improvements to security and to the information security incident and weakness
management scheme.
Service providers should ensure that all ICT systems essential for disaster recovery
are tested regularly to ensure their continuing capability to support DR plans. Tests should
be conducted whenever there are any significant changes in organizational requirements
and/or changes in service provider capacity and capability that affect services to organi-
zations. Examples of such changes include relocation of DR sites, major upgrades of ICT
systems, and commissioning of new ICT systems.
There is an IT infrastructure in the energy sector, and problems with its proper opera-
tion contribute to power outages; information transmission deficiencies can cause blackouts
in certain cases.
Several sets of various characteristics influencing performance and key performance
indicators (KPIs) are listed [11] for use in evaluations and audits within the BCM of
the industrial plant to support relevant decisions. Recovery Point Objective (RPO) and
Recovery Time Objective (RTO) are two of the most important parameters of a disaster
recovery or data protection plan. The RPO and RTO, along with a business impact analysis,
provide the basis for identifying and analyzing viable strategies for inclusion in the business
continuity plan of the BCM in relation to the previously discussed standards [4,48,50].
An objective of the recovery target time can be set, for instance, in the following cases:
• Resumption of product or service delivery after an incident, or resumption of a
performance activity after an incident;
• Recovery of the ICT (information and communication technology) system or computer
application after an incident, such as a hacker attack, or IT-OT system failure or
Energies 2022, 15, 3610 12 of 21

functional abnormality, such as abnormal performance of the industrial automation

and control system (IACS).
The BCM approach outlined above is based on esteemed reports and international
standards, including current legal and regulatory requirements.
Energies 2022, 15, 3610 12 of 21
The energy sector is critical to the operation of everything from households to crit-
ical infrastructure. In the current consideration of BCM, there are no specific explicit
requirements for a particular sector, including the energy sector.
3. Proposed Integrated Functional Safety and Cybersecurity Evaluation in the
3. Proposed of
Framework Integrated
BCM Functional Safety and Cybersecurity Evaluation in the
Framework of BCM
In the approach presented below, current research issues are considered from the
In the
general approach
perspective ofpresented
BCM regarding below,thecurrent research safety,
dependability, issues are
andconsidered
security of thefrom ICT the
general
and ICS,perspective
including the of SCADA
BCM regarding the dependability,
(supervisory control and data safety, and security
acquisition) of the
system. TheirICT
and ICS, including the SCADA (supervisory control and data acquisition)
required functionality and architectures are discussed, distinguishing between infor- system. Their
required functionality
mation technology (IT)and
andarchitectures are discussed,
operational technology (OT)distinguishing between
in relevant systems andinformation
networks
technology (IT) and operational technology (OT) in relevant
[40]. These systems require effective convergence for advanced manufacturing systems and networks
function- [40].
These systems require effective convergence for advanced manufacturing
ality and improved effectiveness in the realization of advanced manufacturing and busi- functionality and
improved effectiveness in the realization of advanced manufacturing
ness-related processes. In this article, an approach is proposed for integrated functionaland business-related
processes. In this article,analysis
safety and cybersecurity an approach is proposedover
and management for the
integrated functional
whole life cycle basedsafety
on de-and
cybersecurity analysis and management over the whole life cycle based
termining and verifying the safety integrity level (SIL) of the safety-related ICS system on determining
and verifying
regarding the the safety
security integritylevel
assurance level(SAL)
(SIL) of the safety-related
assigned ICS security
to the relevant system regarding
domain. the
security assurance level (SAL) assigned to the relevant security domain.
The main objective is to outline a conceptual framework for including the above-
The main
mentioned objective and
technologies is tosystems
outline within
a conceptual
business framework
continuityfor including the
management above-
activity.
mentioned technologies and systems within business continuity
The proposed holistic management process identifies potential hazards and threats to an management activity.
The proposedand
organization holistic
their management process identifies
impact on manufacturing potentialprocesses
and business hazards that,
and threats to an
if realized,
organization and their impact on manufacturing and business processes
might cause disruptions and related losses. The purpose of the system is to provide a that, if realized,
might
frameworkcausefordisruptions and related losses.
building organizational The purpose
resilience of the effective
and preparing system isresponse,
to provide as a
framework for building
such safeguards organizational
are important resilience
for company owners, andkeypreparing effective
stakeholders, response,and
regulators, as such
lo-
safeguards are important for company owners, key stakeholders, regulators,
cal authorities [29,48–50] as well as crucial for brand, reputation, and value-creating ac- and local
authorities
tivities. [29,48–50] as well as crucial for brand, reputation, and value-creating activities.
The proposed
The proposed BCM BCM framework
frameworkemphasizes
emphasizesthe thesignificance
significanceofofa abusiness
businesscontinuity
continuity
plan (BCP) for industrial companies (Figure
plan (BCP) for industrial companies (Figure 5). 5).

(1) Conducting:
Policy, Goals
Business Impact Analysis
Requirements A. Physical
Assessment of risks for
potential hazards / threats resilience / security

(2) Establishing: Criteria B. ICT

Business Recovery Priorities Risk evaluation resilience / security
Requirements & Timescale and reduction

(3) Business Continuity C. ICS/SCADA

Strategy Formulation Integrated resilience / security
Business
Continuity
(4) Business Continuity Plan Management D. Safety-related ICS
Development System integrity (safety functions)
including
Safety /
(5) Business Continuity Plan Security E. Installation integrity
Testing aspects Process safety

(6) Business Continuity Plan Audits F. Infrastructure integrity

Awareness Evidence Energy and materials
Results of
modelling
G. Equipment availability
(7) Ongoing Business Maintenance strategy
Continuity Plan Updating

Figure 5. Proposed
Proposed BCM
BCM framework
frameworkfor
forbusiness
businesscontinuity
continuityplanning
planningininindustrial
industrialcompanies.
companies.

The left side of Figure 5 consists of seven specified discrete stages adapted from the
standards in [44,50]; these are aimed at developing a comprehensive business continuity
plan that will meet a company’s business requirements, including the service providers.
This is useful in developing recovery procedures (RP) for abnormal situations, failure
Energies 2022, 15, 3610 13 of 21

The left side of Figure 5 consists of seven specified discrete stages adapted from the
standards in [44,50]; these are aimed at developing a comprehensive business continuity
plan that will meet a company’s business requirements, including the service providers.
This is useful in developing recovery procedures (RP) for abnormal situations, failure events,
or disaster recovery plans (DRP) [44] for cases of major disruptions and potential disasters.
In the middle part of this figure, basic elements of the approach to integrated BCM
are specified, including the dependability, safety, and security aspects. The management
activities are based on domain knowledge, current information, evidence, and results of
modelling in the following areas:
• Formulating policies, goals, and domain, including legal and regulatory requirements
and relevant standards and publications of good practice;
• Criteria for risk evaluation and reduction concerning dependability, safety, and security
aspects, including domain key performance indicators (KPIs);
• Updated evidence, results of audits in design and plant operation, and results of
modelling to support relevant decisions.
Audits can be (1) a first-party audit using internal resources, (2) a second-party audit
initiated by a supplier, customer, contractor, and/or insurer, or (3) a third-party audit
performed by an independent body against a recognized standard, i.e., ISO 9001.
On the right side of Figure 5, seven areas are specified and proposed by the authors for
inclusion in the process of business continuity planning for a modern plant that requires
relevant technical and organizational solutions in the following areas:
A. Physical resilience and security of company resources and assets;
B. Information and communication technology (ICT) resilience and security manage-
ment over the whole life cycle;
C. Adequate resilience and security of the industrial automation and control system
(IACS) and supervisory control and data acquisition (SCADA) system in a specific
industrial network/domain and required security assurance level (SAL) [26];
D. Safety-related control systems designed and operated according to the functional
safety concept with the required safety integrity level (SIL) [27];
E. Industrial installations and processes with the required physical and functional
protection measures;
F. Infrastructure integrity for delivery of raw materials and energy (electricity, gas, oil)
needed for production processes;
G. Equipment reliability/availability adequately maintained according to the strat-
egy developed to achieve, for instance, a satisfactory level of overall equipment
effectiveness (OEE).
These systems and networks require special attention during the design and operation
of Industry 4.0 manufacturing systems due to their complexity, advanced functionality,
and external communications. Their architectural complexity and openness make them
susceptible to malfunctions and failures as well as vulnerable to external cyberattacks.
According to published data, the probability of such attacks on various industrial systems
and networks in most European countries is relatively high.
Due to the scope of the problems outlined above, only selected issues will be discussed.
In the following sections fundamental aspects related to the Industry 4.0 concept are
presented, namely, ICT systems and networks (B in Figure 5), ICS/SCADA resilience
and security (C), and safety-related ICS (D) designed for implementing the defined safety
functions [27,42,53,54] of the required safety integrity level (SIL) of a safety function in
order to reduce relevant risks. The determined SIL is then verified using a probabilistic
model of the safety-related ICS of the architecture, including communication conduits.
To better illustrate the authors’ new approach, Figure 6 shows five framework elements
that directly extend the BCM process.
rgies 2022, 15, 3610
Energies 2022, 15, 3610 14 of 21 14 of

(1) Preparation:
(8) Ongoing Business Continuity Plan Updating
Definition of BCM framework
Inititate BCM programme
New audit
Identify the Organisation (7) Business Continuity Plan Awareness elements

Assign BCM and Incident Responsibilities

(6) Business Continuity Plan Testing
Define BCM Policy
Determing types of tests
Safety & Security
Writing Test Plan IT&OT
(2) Conducting: risk evaluation
test plan
Business Impact Analysis
Conducting Plan
Assessment of risks for potential hazards / threats

Analyse of results Providing a summary test report

Definition of Critical Resource Replacement

(5) Business Continuity Plan Development

(3) Establishing: Incident Response Plan IT&OT

Safety & Security
Business Recovery Priorities impact included recovery plan
Requirements & Timescale Incident Management Plan

Business Recovery Plan

(4) Business Continuity Strategy Formulation

FigureFigure 6. Impact
6. Impact of the
of the proposed framework
proposed framework onon
thethe
BCM process.
BCM process.
The first element of the new approach is to first incorporate the safety and security
The first
aspects element
discussed of the
above intonew approach
the risk analysis andis tothen
first incorporate
throughout the safety
the Business and secur
Impact
aspects discussed
Analysis process.above
The aiminto the risk analysis
of information and then throughout
security management thespecified
(ISM) is to fulfill Business Imp
requirements concerning the CIA triad (Figure 4) of the ICT systems regarding
Analysis process. The aim of information security management (ISM) is to fulfill specifi information
storage, transfer, and related services. When an organization implements an ISMS (infor-
requirements concerning the CIA triad (Figure 4) of the ICT systems regarding inf
mation security management system), the risks of interruptions to business activities for
mation
anystorage, transfer,
reason should and related
be identified services.
and evaluated When an organization implements an ISM
[20,55].
(information
In thesecurity
third stepmanagement
of the BCM processsystem), the risks the
(Establishing), of interruptions
conclusions of Stepto business
2 should activit
be considered,
for any reason should including new safety and
be identified andcybersecurity aspects.
evaluated [20,55].
During development of the Business Continuity Plan, the dependencies of IT on OT
In the third step of the BCM process (Establishing), the conclusions of Step 2 shou
and their impact on functional safety must first be considered; second, the impact of these
be considered,
events on the including newmust
recovery plan safety and cybersecurity
be assessed. Planning for aspects.
business continuity, fallback
During development
arrangements of the
for information Business
processing, andContinuity
communication Plan, the dependencies
facilities become beneficialof IT on O
and their impact on functional safety must first be considered; second, the impact of the
during periods of minor outages and are essential for ensuring information and service
availability
events during a major
on the recovery planfailure
mustorbe disaster that requires
assessed. Planningcomplete and effective
for business recovery fallba
continuity,
of activities over a period of time.
arrangements for information processing, and communication facilities become benefic
The fourth important link in the proposed framework is the inclusion of aspects
during periods
of the of minor
risk analysis andoutages and recovery
the prepared are essential
plan infortheensuring
process ofinformation and serv
periodic testing
availability during a major failure or disaster that requires complete and effective reco
and verification.
The last over
ery of activities new element
a period appears in the final two steps of the BCM cycle. As previously
of time.
mentioned, audits are of key importance in any management system, especially in a haz-
The fourth important link in the proposed framework is the inclusion of aspects
ardous industrial plant. Previous authors have examined audit documentation prepared
the risk
and analysis
used by anand the prepared
industrial company asrecovery plan in the
part of a third-party auditprocess of periodic
in a refinery testing a
concerning
verification.
The last new element appears in the final two steps of the BCM cycle. As previou
mentioned, audits are of key importance in any management system, especially in a h
ardous industrial plant. Previous authors have examined audit documentation prepar
 Energies 2022, 15, 3610 15 of 21

Energies 2022, 15, 3610 15 of 21

the design and operation of safety-related ICS in relation to defined generic and plant crite-
ria [56]. The audit results and conclusions were then discussed with the staff responsible
order to assure safety
for functional a satisfactory
to furtherlevel of business
mitigate continuity, safety,
risks by implementing and security.
the indicated This
technical andcan be
achieved thanks solutions.
organizational to the implementation in industrial
An important objective practice of aadvanced,
in implementing consistent and
BCM in a hazardous
plant isBCM
effective to satisfy the expectations of stakeholders and insurance companies [10,11] in
systems.
order
Thus, the BCM is useful level
to assure a satisfactory of business
in taking continuity,
a systemic safety, andapproach
and proactive security. This can be with
to dealing
achieved thanks
dependability, to theand
safety, implementation in industrial
security issues. practice
It specifies of advanced,
various consistent
interrelated and
process-based
effective BCM systems.
activities and procedures for the identification of hazards and threats in order to evaluate
Thus, the BCM is useful in taking a systemic and proactive approach to dealing
relevant risks, supporting safety and security-related decision-making in changing condi-
with dependability, safety, and security issues. It specifies various interrelated process-
tions and over theand
based activities whole plant life
procedures forcycle.
the identification of hazards and threats in order to
evaluate relevant risks, supporting safety and security-related decision-making in changing
4. Case Study
conditions and over the whole plant life cycle.
4.1. Safety Aspects
4. Case Study
4.1.The riskAspects
Safety analysis phase of a plant’s BCM takes into account the continuity of the me-
dia supply, which
The risk is directly
analysis linked
phase of to the
a plant’s BCM plant’s gas account
takes into boiler room. As part of
the continuity ofthe
themedia
functional
safety andwhich
supply, cybersecurity
is directly risk
linkedanalysis, analyses
to the plant’s were room.
gas boiler performed
As partasofa the
basis for this risk
functional
analysis. In this
safety and example, only
cybersecurity one of the
risk analysis, safetywere
analyses functions is presented.
performed as a basisAfor safety function
this risk
of high-pressure monitoring
analysis. In this example, onlyoperating
one of the in the functions
safety low demand mode in
is presented. Aa process
safety installation
function of
high-pressure
is presented. Themonitoring operating
high pressure of theinsteam
the lowindemand modeloop
the process in a provokes
process installation
the safety is func-
presented. The high pressure of the steam in the process loop provokes
tion to drop power to a pair of solenoid valves, which leads to venting to a pneumaticthe safety function
to drop power to a pair of solenoid valves, which leads to venting to a pneumatic actuator,
actuator, placing a pair of valves into their failsafe position. From the risk evaluation, the
placing a pair of valves into their failsafe position. From the risk evaluation, the safety
safety integrity level of this function was determined to be SIL 3. The safety function to be
integrity level of this function was determined to be SIL 3. The safety function to be
implemented
implementedininthe thesafety-related ICSarchitecture
safety-related ICS architecture is shown
is shown in Figures
in Figures 7 and7 8.
and
The 8.related
The related
at BCM
at BCMframework,
framework,including thesafety
including the safetyandandsecurity
security aspects,
aspects, is shown
is shown in Figure
in Figure 9. 9.

Solenoid Globe
Pressure Safety I Card Safety-PLC Safety O Card valve and
valves
Transmitters 1734-IE4S 1756-L71S 1734-OB8S actuator

I unit I channel I channel I channel I unit I unit

Ethernet Ethernet

II unit II channel II channel II channel II unit II unit

Input Logic Output

Figure 7. 7.
Figure The architecture
The architectureof
of the ICS
ICSsystem
systemwith
withimplemented
implemented safety
safety function.
function.

In In theanalysed
the analysedexample,
example, the
the 4–20
4–20mA mAtwo-wire
two-wire pressure transmitters
pressure are directly
transmitters are directly
wired into analog input modules. The safety controller and the input and output cards are
wired into analog input modules. The safety controller and the input and output cards are
connected on an EtherNet/IP network. The final control elements of this safety function
connected on an EtherNet/IP network. The final control elements of this safety function
are the combination of solenoids, actuators, and globe valves. The controller and safety I/O
aremodules
the combination of solenoids,
have a built-in HFT = 1 (twoactuators, and
field signals areglobe
used).valves. Theand
The sensors controller and safety
final elements
I/Orequire
modules have ahardware
redundant built-in HFT
in the=1oo2
1 (two field signals
configuration are the
to meet used). The HFT
required sensors
= 1. and
The final
elements
data forrequire redundant
evaluating hardware
the probability in the
of failure on 1oo2
demandconfiguration
average PFDtoavgmeet
of the required
subsystems was HFT
calculated by the authors based on data provided by manufacturers of the
= 1. The data for evaluating the probability of failure on demand average PFDavg of sub-components
(Table 4).
systems was calculated by the authors based on data provided by manufacturers of the
components (Table 4).
Energies 2022, 15, 3610

Energies 2022, 15, 3610 16 of 21

CT APP
Cloud
Remote
access
Edge cloud
Internet

Security
Business Business and
IT Firewall
Servers operation
management
HSI Firewall

Application SCADA Enterprise

Servers Server LAN

Firewall

OT SCADA/ICS
BPCS/HMI/AS Supervision,
production
and control
PLC / RTU processes
Safety PLC
E/E/PE-SIS Control /
Safety Plant I/O, EUC Safety LAN
Energies 2022, 15, 3610

Figure
Figure 8. 8. Analysed
Analysed objectobject architecture.
architecture.

Security
Table 4. Reliability data Functional
for safety-related Safety
ICS components for implementing the sa
BCM Management Management
Subsystem
IT OT SIL PFD
Risk Security Safety
A. Input subsystem
analysis
Pressure transmitter
SAL SIL SIL 4 3.1 ×
Analog Input Card
B. Logic subsystem
Business
Risk assesment SIL 4 3.5 ×
Impact Safety PLC
Analysis
C. Output subsystem
Digital Output Card
Disaster Risk Risk
RecoverySolenoid valve SIL 4 4.6 ×
treatment treatment
Plan Globe valve &

Pneumatic Actuator
… … …

The value of PFDavg for the considered safety-related ICS is calculated

Figure
Figure 9. 9.
mula [39]: Diagram
Diagram of relations
of relations of BCM framework,
of BCM framework, including safetyincluding
and securitysafety
security as aspects.and

A B C
4.2. Safety-Related ICS Aspects PFDavg ≅ PFDavg + PFDavg + PFDavg
Considering the domain of the safety-related ICS in which the safety
Thus, in this case study, PFDavg ≅ 11.2 × 10−5; the safety integrity leve
implemented, including the communication conduits, the SL-A vector wa
obtained via the results of probabilistic modelling, with the interval criteria
Energies 2022, 15, 3610 17 of 21

Table 4. Reliability data for safety-related ICS components for implementing the safety function.

Subsystem SIL PFDavg

A. Input subsystem
Pressure transmitter SIL 4 3.1 × 10−5
Analog Input Card
B. Logic subsystem
Safety PLC
SIL 4 3.5 × 10−5

C. Output subsystem
Digital Output Card
Solenoid valve SIL 4 4.6 × 10−5
Globe valve &
Pneumatic Actuator

The value of PFDavg for the considered safety-related ICS is calculated from the
formula [39]:
PFDavg ∼ A
= PFDavg B
+ PFDavg C
+ PFDavg (4)

Thus, in this case study, PFDavg ∼

= 11.2 × 10−5 ; the safety integrity level of SIL 3 was
obtained via the results of probabilistic modelling, with the interval criteria presented in
the second column of Table 1 and the architecture constraints presented in the IEC 61508
series standard.

4.2. Safety-Related ICS Aspects

Considering the domain of the safety-related ICS in which the safety function was
implemented, including the communication conduits, the SL-A vector was evaluated as
follows: (3 4 3 3 3 3 4). Assuming that weights of all SLi are equal (wi = 1/7), using
Equation (3) the obtained result is SIDo = 3.28 and the assigned security assurance level is
SAL 3. From column 4 of Table 3, the final safety integrity level validated regarding the
security aspects in the domain of interest is SIL 3, the same as required. Therefore, in this
case there is no need to propose improvements to the safety-related system [40]. If the SAL
obtained for another less secure domain was lower, e.g., SAL 2, then the assigned safety
integrity level should be lower, i.e., SIL 2 (see Table 3).

4.3. Risk Treatment

From a risk management point of view, it would be justified to consider changing
the configuration of the sensor subsystem shown in Figure 7 from 1oo2 to 2oo3 in order
to reduce the probability of spurious operation of this safety-related ICS. It is known that
while the 2oo3 configuration has a slightly higher PFDavg , it has a much lower probability of
spurious operation than configuration 1oo2. Probabilistic modeling of the safety-related ICS
consisting of the 2oo3 configuration, including the influence of CCFs and the architectural
constrains on subsystems regarding their HFT and SFF , is described in detail in [25,43].

4.4. Business Continuity Management Impact

Based on the information previously mentioned in the example above, the team can
assess the impact of system architecture and functional and cybersafety safeguards on
the criticality of the gas boiler, which translates into the BCM of the entire plant. This in
turn allows the enterprise to engage in Business Continuity Planning-wide planning, e.g.,
creating the capacity to produce a range of products in several factories.
The next stage of BCM is to create a business recovery plan that includes both IT and
OT infrastructure. As IT practices are well known, we omit the related description. As
far as OT is concerned, especially in terms of functional safety, it is necessary to highlight
the creation of backup programs of drivers and safety drivers, knowledge of firmware
versions of devices of control systems, protection of spare parts of control elements which
Energies 2022, 15, 3610 18 of 21

can be destroyed or infected, description of procedures verifying damage, and procedures

allowing for the restarting of production after replacement of damaged or infected elements.
The final stage of the BCM process, enriched with new analysis elements, is the
test plan. At this stage, it is necessary to equip maintenance personnel with appropriate
procedures and instructions to test the disaster event and production recovery in a safe
way for the continuity of production in the scope resulting from the risk analysis enriched
with functional safety elements for OT and IT.
The frequency of performing a backup depends directly on the Recovery Point Objec-
tive (RPO) indicator assumed during the analysis. However, the size of the stock of key
spare parts depends on the adopted Recovery Time Objective (RTO)

4.5. Summary
This example demonstrates that in a modern industrial plant equipped with both safety
functions and IT networks, these two functionalities intermingle and create interactions that
have a direct impact on BCM analyses. Their consideration is essential for a comprehensive
analysis of all risks and the creation of an appropriate action plan.

5. Conclusions
In this article, an integrated functional safety and cybersecurity evaluation approach is
proposed in a framework for business continuity management (BCM) to deal systematically
with vulnerabilities that could influence an industrial plant’s dependability, safety, and
security. Industrial energy companies, including those using Industry 4.0 business and
technical solutions, have to pay attention to shaping their resilience regarding existing
and emerging hazards and threats, including cyberattacks. This issue concerns the energy
sector, power plants, and distributed renewable energy stations.
In such energy plants, information and communication technologies (ICT) and in-
dustrial automation and control systems (IACS) play important roles. Using advanced
technologies in modern energy manufacturing systems and processing plants can result
in management impediments due to their openness to external systems and networks
through various communication channels. This makes company assets and resources
potentially vulnerable to risk, e.g., due to cyberattacks. In the BCM-oriented approach
proposed here, both preventive and recovery activities are considered in light of engineer-
ing best practices and following suggested selected international standards, reports, and
domain publications.
Potential impediments in energy industrial practice have been identified related
to OT security when this technology consists of devices (hardware and software) from
several different producers/suppliers. This can cause substantial difficulties in pathing
software within relevant computer systems and networks. Thus, this issue requires special
attention during the design, implementation, and maintenance of business continuity
management systems.
The dependability and security of safety-related ICS in which defined safety functions
are implemented can be influenced by both technical and organizational factors. These are
related to the quality and reliability of hardware and software. These aspects require further
research, especially in the context of the design and operation of highly complex hazardous
industrial installations and their ICS, as these must be designed with regard to the defense
in depth concept when justified in the context of the risk evaluation results obtained.
Traditionally, manufacturing installations include both information technology (IT)
and operational technology (OT). More recently, cloud technology (CT) is often considered
to improve data transfer and storage in the context of business management in distributed
Industry 4.0 companies.
Advanced automation and control systems are currently in development, based, for
instance, on the open platform communication unified architecture (OPC UA) protocol for
improved network scalability and implementing new AutomationML concepts [49]. These
technologies enable advanced production flexibility and effectiveness. The IT, OT, and
Energies 2022, 15, 3610 19 of 21

IACS, including safety-related ICS, can be considered more generally as a cyber-physical

system (CPS). Additional research should be undertaken in order to deal systematically
with distributed co-operating manufacturing systems, including their dependability, safety,
and security aspects, regarding an advanced BCM system for improving effectiveness
and resilience over the whole plant life cycle. Our future research work will further
develop BCM topics in the energy sector related to hydrogen storage and renewable energy
technologies. With respect to these topics it is extremely important to include an integrated
approach to functional safety and cybersecurity analysis.

Author Contributions: Conceptualization, K.T.K.; methodology, K.T.K. and M.Ś.; validation, J.P. and
E.P.; formal analysis, E.P., J.P. and M.Ś.; investigation, K.T.K., M.Ś., J.P. and E.P.; resources, E.P. and
M.Ś.; writing—original draft preparation, K.T.K.; writing—review and editing, E.P., J.P. and M.Ś.;
visualization, K.T.K.; supervision, M.Ś., J.P. and E.P. All authors have read and agreed to the published
version of the manuscript.
Funding: This research was supported by Gdańsk University of Technology.
Institutional Review Board Statement: Not applicable.
Informed Consent Statement: Not applicable.
Data Availability Statement: Not applicable.
Conflicts of Interest: The authors declare no conflict of interest.

References
1. SIEMENS Industrial Security. Available online: https://new.siemens.com/global/en/products/automation/topic-areas/
industrial-security.html (accessed on 10 June 2021).
2. Abdo, H.; Kaouk, M.; Flaus, J.M.; Masse, F. Safety and Security Risk Analysis Approach to Industrial Control Systems. Comput.
Secur. 2018, 72, 175–195. [CrossRef]
3. Li, S.W. Architecture Alignment and Interoperability, an Industrial Internet Consortium and Platform Industry 4.0. Available
online: https://www.iiconsortium.org/pdf/JTG2_Whitepaper_final_20171205.pdf (accessed on 10 June 2021).
4. ISO/DIS 22301; Security and Resilience—Business Continuity Management Systems—Requirements. International Organization
for Standardization: Geneva, Switzerland, 2019.
5. Xing, J.; Zio, E. An Integrated Framework for Business Continuity Management of Critical Infrastructures; CRC Press: Boca Raton, FL,
USA, 2016; pp. 563–570.
6. Lundteigen, M.A.; Rausand, M.; Utne, I.B. Integrating RAMS engineering and management with the safety life cycle of IEC 61508.
Reliab. Eng. Syst. Saf. 2009, 94, 1894–1903. [CrossRef]
7. Saraswat, S.; Yadava, G.S. An overview on reliability, availability, maintainability and supportability (RAMS) engineering. Int. J.
Qual. Reliab. Manag. 2008, 25, 330–344. [CrossRef]
8. Misra, K.B. (Ed.) Handbook of Advanced Performability Engineering; Springer Nature: Cham, Switzerland, 2021.
9. Niemimaa, M. Interdisciplinary Review of Business Continuity from an Information Systems Perspective: Toward an Integrative
Framework. Commun. Assoc. Inf. Syst. 2015, 37, 4. [CrossRef]
10. Goł˛ebiewski, D.; Kosmowski, K. Towards Process-Based Management System for Oil Port Infrastructure in Context of Insurance.
J. Pol. Saf. Reliab. Assoc. 2017, 8, 23–37.
11. Kosmowski, K.T.; Goł˛ebiewski, D. Functional Safety and Cyber Security Analysis for Life Cycle Management of Industrial Control
Systems in Hazardous Plants and Oil Port Critical Infrastructure Including Insurance. J. Pol. Saf. Reliab. Assoc. 2019, 10, 99–126.
12. Kosmowski, K.T. Systems engineering approach to functional safety and cyber security of industrial critical installations. In
Safety and Reliability of Systems and Processes; Kołowrocki, K., Bogalecka, M., Dabrowska,
˛ E., Torbicki, M., Eds.; Gdynia Maritime
University: Gdynia, Poland, 2020; pp. 135–151.
13. Systems Engineering Fundamentals; Defense Acquisition University Press: Fort Belvoir, VA, USA, 2001.
14. Białas, A. Semiformal Common Criteria Compliant IT Security Development Framework; Studia Informatica; Silesian University of
Technology Press: Gliwice, Poland, 2008.
15. Kriaa, S.; Pietre-Cambacedes, L.; Bouissou, M.; Halgand, Y. Approaches Combining Safety and Security for Industrial Control
Systems. Reliab. Eng. Syst. Saf. 2015, 139, 156–178. [CrossRef]
16. CISA Assessments: Cyber Resilience Review. Available online: https://www.cisa.gov/uscert/resources/assessments (accessed
on 10 February 2020).
17. Leitão, P.; Colombo, A.W.; Karnouskos, S. Industrial Automation Based on Cyber-Physical Systems Technologies: Prototype Imple-
mentations and Challenges. Comput. Ind. 2016, 81, 11–25. [CrossRef]
Energies 2022, 15, 3610 20 of 21

18. MERGE. Safety & Security, Recommendations for Security and Safety Co-Engineering, Multi-Concerns Interactions System Engineer-
ing. ITEA2 Project No. 11011. Available online: https://itea4.org/project/workpackage/document/download/2837/D3.4.4.%20
MERgE%20-%20Recommendations%20for%20Security%20and%20Safety%20Co-engineering%20v3%20partA.pdf (accessed on 1
June 2021).
19. Integrated Design and Evaluation Methodology. Security and Safety Modelling; Artemis JU Grant Agr., No. 2295354. Available on-
line: http://sesamo-project.eu/sites/default/files/downloads/publications/integrated-design-and-evaluation-communication-
material.pdf (accessed on 5 June 2018).
20. Boehmer, W.J. Survivability and business continuity management system according to BS 25999. In Proceedings of the IEEE 3rd
International Conference on Emerging Security Information, Systems and Technologies, Athens, Greece, 18–23 June 2009; Volume
1, pp. 142–147.
21. Zawiła-Niedźwiecki, J. Operational Risk Management in Assuring Organization Operational Continuity; Edu-Libri.: Kraków, Poland,
2013. (In Polish)
22. Cyber Security for Industrial Automation and Control Systems, Health and Safety Executive (HSE) Interpretation of Current Standards
on Industrial Communication Network and System Security, and Functional Safety 2015. Available online: https://www.hse.gov.uk/
foi/internalops/og/og-0086.pdf (accessed on 5 May 2021).
23. Kosmowski, K.T. Functional safety and cybersecurity analysis and management in smart manufacturing systems. In Handbook of
Advanced Performability Engineering; Krishna, B.M., Ed.; Springer Nature: Cham, Switzerland, 2021.
24. Kościelny, J.M.; Syfert, M.; Fajdek, B. Modern Measures of Risk Reduction in Industrial Processes. J. Autom. Mob. Robot. Intell.
Syst. 2019, 1, 20–29. [CrossRef]
25. Kosmowski, K.T. Functional Safety and Reliability Analysis Methodology for Hazardous Industrial Plants; Gdansk University of
Technology Publishers: Gdańsk, Poland, 2013.
26. IEC 62443; Security for Industrial Automation and Control Systems. Parts 1–14 (Some Parts in Preparation). The International
Electrotechnical Commission: Geneva, Switzerland, 2018.
27. IEC 61508; Functional Safety of Electrical/ Electronic/ Programmable Electronic Safety-Related Systems, Parts 1–7. The Interna-
tional Electrotechnical Commission: Geneva, Switzerland, 2016.
28. Gabriel, A.; Ozansoy, C.; Shi, J. Developments in SIL Determination and Calculation. Reliab. Eng. Syst. Saf. 2018, 177, 148–161.
[CrossRef]
29. BS 25999-1; Business Continuity Management—Part 1: Code of Practice. British Standard Institution: London, UK, 2006.
30. SP 800-82r2; Guide to Industrial Control Systems (ICS) Security. NIST: Gaithersburg, MD, USA, 2015.
31. ETSI TS 102 165-1; CYBER Methods and Protocols. Part 1: Method and pro Forma for Threat, Vulnerability, Risk Analysis (TVRA).
Technical Specs; ETSI: Sophia Anthipolis, France, 2017.
32. Kosmowski, K.T.; Śliwiński, M. Organizational culture as prerequisite of proactive safety and security management in critical
infrastructure systems including hazardous plants and ports. J. Pol. Saf. Reliab. Assoc. 2016, 7, 133–146.
33. ISA. Security of Industrial Automation and Control Systems, Quick Start Guide: An Overview of ISA/IEC 62443 Standards; ISA—
International Society of Automation: Alexander, NC, USA, 2020.
34. Saleh, J.H.; Cummings, A.M. Safety in the Mining Industry and the Unfinished Legacy of Mining Accidents. Saf. Sci. 2011,
49, 764–777. [CrossRef]
35. Subramanian, N.; Zalewski, J. Quantitative Assessment of Safety and Security of System Architectures for Cyberphysical Systems
Using NFR Approach. IEEE Syst. J. 2016, 2, 397–409. [CrossRef]
36. IEC 61511; Safety Instrumented Systems for the Process Industry Sector. Parts 1–3. The International Electrotechnical Commission:
Geneva, Switzerland, 2016.
37. Holstein, D.K.; Singer, B. Quantitative Security Measures for Cyber & Safety Security Assurance; ISA: Alexander, NC, USA, 2010.
38. Śliwiński, M.; Piesik, E.; Piesik, J. Integrated Functional Safety and Cybersecurity Analysis. IFAC Pap. OnLine 2018, 51, 1263–1270.
[CrossRef]
39. IEC 62061; Safety of Machinery—Functional Safety of Safety-Related Electrical, Electronic, and Programmable Electronic Control
Systems. The International Electrotechnical Commission: Geneva, Switzerland, 2018.
40. Kosmowski, K.T.; Śliwiński, M.; Piesik, J. Integrated Functional Safety and Cybersecurity Analysis Method for Smart Manufactur-
ing Systems. TASK Q. 2019, 23, 1–31.
41. IEC 63074; Security Aspects Related to Functional Safety of Safety-Related Control Systems. The International Electrotechnical
Commission: Geneva, Switzerland, 2017.
42. Braband, J. What’s security level got to do with safety integrity level? In Proceedings of the 8th European Congress on Embedded
Real Time Software and Systems, Toulouse, France, 27–29 January 2016.
43. Kosmowski, K.T. Safety integrity verification issues of the control systems for industrial power plants. In Proceedings of the
International Conference on Diagnostics of Processes and Systems, Sandomierz, Poland, 11–13 September 2017; pp. 420–433.
44. ISO/IEC 24762; Information Technology—Security Techniques—Guidelines for Information and Communications Technology
Disaster Recovery Services. International Organization for Standardization: Geneva, Switzerland, 2008.
45. ISO/DTR 22100; Safety of Machinery—Guidance to Machinery Manufacturers for Consideration of Related IT Security (Cyber
Security) Aspects. International Organization for Standardization: Geneva, Switzerland, 2018.
Energies 2022, 15, 3610 21 of 21

46. IEC TR 63074; Safety of Machinery—Security Aspects to Functional Safety of Safety-Related Control Systems. The International
Electrotechnical Commission: Geneva, Switzerland, 2019.
47. ISO/IEC 27005; Information Technology—Security Techniques—Information Security Risk Management. International Organiza-
tion for Standardization: Geneva, Switzerland, 2018.
48. BSI-Standard 100-4; Business Continuity Management. Federal Office for Information Security (BSI): Berlin, Germany, 2009.
49. ISO/PAS 22399; Societal Security—Guideline for Incident Preparedness and Operational Continuity Management. International
Organization for Standardization: Geneva, Switzerland, 2007.
50. ISO/IEC 27031; Information Technology—Security Techniques—Guidelines for Information and Communication Technology
Readiness for Business Continuity. International Organization for Standardization: Geneva, Switzerland, 2011.
51. Kanamaru, H. Bridging functional safety and cyber security of SIS/SCS. In Proceedings of the IEEE 56th Annual Conference of
the Society of Instrument and Control Engineers of Japan, Kanazawa, Japan, 19–22 September 2017.
52. Smith, D.J. Reliability, Maintainability and Risk. Practical Methods for Engineers, 9th ed.; Butterworth-Heinemann: Oxford, UK, 2017.
53. Piesik, E.; Śliwiński, M.; Barnert, T. Determining the Safety Integrity Level of Systems with Security Aspects. Reliab. Eng. Syst. Saf.
2016, 152, 259–272. [CrossRef]
54. Kosmowski, K.T.; Śliwiński, M. Knowledge-Based Functional Safety and Security Management in Hazardous Industrial Plants with
Emphasis on Human Factors; Advanced Control and Diagnostic Systems; PWNT: Gdańsk, Poland, 2015.
55. Felser, M.; Rentschler, M.; Kleinberg, O. Coexistence standardisation of operational technology and information technology. Proc.
IEEE 2019, 104, 962–976. [CrossRef]
56. Rogala, I.; Kosmowski, K.T. Audit Document Concerning Organizational and Technical Aspects of the Safety-Related Control System De-
sign and Operation at a Refinery (Access Restricted); Automatic Systems Engineering, Gdańsk and Gdańsk University of Technology:
Gdańsk, Poland, 2012.
Reproduced with permission of copyright owner. Further reproduction
prohibited without permission.