Safety and Security interoperability must be considered when developing safety and security systems to protect against process and system vulnerabilities. Prevention is the highest level of safety and security and should be the overarching principle for protection of human capital and facility assets. Access control information should be multi-layered, site-specific information, verified at access control entry points to verify compliance with site safety and security requirements.
Safety and Security Systems Interoperability
Safety and Security both deal with PREVENTING failures from system and process vulnerabilities. The emphasis should be placed on PREVENTION! Creating a culture of PREVENTION is the genesis of a robust safety and security program. Establishing the Business Culture to require and establish the Goals, Objectives, Strategies and Measures is critical to mission success. A strong Business Culture demands a plan for success and establishes the expectations.
What are vulnerabilities? Vulnerabilities are any system characteristic(s), known or unknown, that may cause a system failure. Vulnerabilities may be intrinsic to the system or process or extrinsic and can be introduced into the operation well past development and implementation of the process or system. If the process and system requirements are not well defined and understood, vulnerabilities can be introduced into the process or system because of poor design, implementation, deployment, or operation. These vulnerabilities my not materialize for a long period of time after operations commence.
Designing the safety and security system interoperability is the future of defending our critical infrastructure from vulnerabilities. Establishing the controls required to guard against vulnerabilities should be the highest order of priority. Assessing vulnerabilities by a team that understands your business-critical operations is the first step to success. As a safety and security consultant, I often see these assessments performed in department “silos” and vulnerabilities and controls are department specific without considering the overarching business-critical interoperability of systems. This is especially true when the safety functions, security functions, risk management functions, procurement functions and information technology functions are separate systems and processes and managed as separate business units.
These “silos” create barriers to sharing information and resources that may inhibit the development of proper controls. What is the impact of a single vulnerability on each part of the organization and then what is the impact on the business-critical functions of the organization collectively? The culture of the organization will determine the organization’s ability to work interoperability into all processes and ensure the maximum benefit that can be realized by the correct controls.
Robust Access Control is the foundation to successful safety and security interoperability. Technology today is creating systems to incorporate safety and security interoperability into a single management system with the capability to define minimum access requirements for entering business-critical infrastructure. This infrastructure may be “facilities”, or it may be business-critical computer networks. Managing controlled access to business-critical infrastructure is becoming more important each day as we see more “attack” by criminals and terrorists.
Behavioral failures are widely recognized as the leading cause of business-critical disruptions. These behavioral failures often lead to injuries to personnel, contractors and sometime to the public. These behavioral failures can lead to catastrophic accidents. Catastrophic accidents motivate the regulatory authorities to create legislation and regulation such as the Process Management Requirements in OSHA 29 CFR 1910.119 and EPA Requirements found in 40 CFR Part 68. These rule making authorities create rules to require organizations to create organizational process to prevent failures to vulnerabilities. These rules establish a framework for a management system, but organizations must develop and implement these systems effectively.
Conditions may contribute to some business-critical disruptions, but, when carefully analyzed with a robust “root cause analysis” most conditions can be traced back to behavioral failures.
The business-critical ecosystem, when assessed properly, will demonstrate that the interrelationship between safety, security, risk management, information technology and procurement must be considered simultaneously when designing, developing, implementing, and managing business-critical systems.
The goal of “attacks” on safety-critical processes and systems is to cause some form of physical harm to achieve their goal of ransom or revenge. Their goal can be achieved by exploiting vulnerabilities in operational aspects of the system.
Creating access control strategies to limit access to these safety-critical process and systems is necessary. Create multi-layered site requirements for positive human identification, site safety and security requirements for background checks. Other requirements should include contractual requirements, insurance requirements, training requirements, and other site-specific requirements for entering premises of critical infrastructure. Safety-critical sites may include office buildings, manufacturing facilities, chemical plants and refineries, hospitals and medical facilities, schools, or other public venues where people gather. All these sites should be reviewed for access control requirements.
Organizations should not rely on government controls such as the Social Security Administration’s E-Verify or Transportation Safety Administration’s Transportation Worker Identification Program since these programs have been identified as failed programs.
Developing system interoperable for safety, security, risk management, information technology, and procurement is essential. Preventing failures due to realized or unrealized vulnerabilities must be considered for all business-critical operations. Contact Clear to Work for more information. www.clr2wrk.com