Integrated management of safety and security in Seveso sites - sociotechnical perspectives

Abstract

The call for integrated management of safety and security (IMSS) derives from intensification of digitalisation development and the increased reliance on information communication technologies (ICT) in high-risk industries, such as the chemical and process industry. This development means tightened interconnectedness between industrial automation and control and information technology systems. As a result, the risk landscape is changed towards a stronger interconnectedness of safety, physical and (cyber)security risks, which may lead to major accidents. The objective of this paper is to examine the motivations for IMSS, the current state of IMSS, the cybersecurity-induced risks, including the actualisation of interconnected risks and some sociotechnical tools for IMSS in Seveso plants. They are plants where certain quantities of dangerous substances are present, which are subject to the requirements of the Seveso III Directive (2012/18/EU). The data considered is open source and related to cyber and physical security-induced accidents; interviews with the representatives of Seveso sites and regulators; and literature. The method is qualitative content analysis. The results show that, despite the ongoing development in IMSS at the Seveso sites, IMSS is still in its infancy. Indeed, cybersecurity is often handled in a separate IT department, and the communication with process-safety experts is often inadequate. Furthermore, safety and security risk identification and assessment are essentially undertaken separately. To achieve a real IMSS, we argue that the co-existence of technical and organisational, including structural, functional and cultural development is a fundamental aspect. The combination of such complementary aspects represents the main novelty of this study.