The connection between safety and security in the downstream oil and gas industry is not new. Many organisations have been highlighting their growing significance for quite some time. Today, as digital transformation accelerates across the downstream industry, this message feels more urgent than ever. The goal remains clear: to keep the dialogue between safety and cybersecurity strong, relevant, and actionable.
It is important to differentiate: safety focuses on danger coming from within the process, while security focuses on danger that comes from outside the process.
Suppose a hacker from outside an organisation gains access to the safety engineering workstation and modifies the safety application programme within the process, so that it no longer transitions to the safe state.
From a company’s perspective, the challenges regarding safety and security differ.
Installing a safety system is a significant, largely invisible investment that quietly protects the process in the background, intervening only when the control system alone cannot keep operations within safe limits.
Cybersecurity systems are more tangible. Operators can see how many attempts have been made to break into an IT system, the amount of spam and phishing e-mails flooding a company’s mail servers, and how often IT specialists need to be briefed and retrained on the latest methods of security threats.
Legislation, like the European NIS2 directive, gives cybersecurity high priority, so much so that a company’s CEO can be held personally accountable in the event of a hack or ransom demand.
Cybersecurity expenditures are often visible in real time, while safety systems represent an upfront investment whose value appears only when needed. This article will consider the consequences if no safety systems are in place when a process incident occurs or what a hacker could do with access to a programmable safety system.
Consequences
Key themes emerge repeatedly, such as the lasting personal and professional impact on those involved, the scrutiny from investigations and regulators, and the attention from the media (including viral social media coverage). Incidents can lead to prolonged legal proceedings and ongoing reputational consequences. Even when preventative measures exist, the weight of what could have been avoided can stay with individuals and teams for years.
This raises a crucial point: neglecting safety – whether through lapses in procedure, inattention to protective measures, or insufficient systems – can have far-reaching, long-lasting effects that extend well beyond the immediate incident.
Trevor Kletz’s famous quote, “If you think safety is expensive, try an accident” is a classic reminder that the true cost of accidents goes beyond money – today, company reputation joins personal, environmental, and financial impacts as a key consequence.
To read the full article and many more, sign up for your free copy of Hydrocarbon Engineering here now.