Silent failure: Why cyber risk is a functional safety issue
Key Highlights:
- Safety Instrumented Systems (SIS) are increasingly network-connected, making cybersecurity weaknesses a direct threat to the availability and integrity of safety functions.
- IEC 61511 has required Security Risk Assessments on SIS since 2016, an obligation commonly treated as an IT concern rather than a functional safety requirement.
- Modern SIS sit at the intersection of IEC 61511 and IEC 62443, requiring safety and security to be considered together to demonstrate credible risk reduction.
The process manufacturing space has always understood latent risk. The most dangerous failures are rarely the loud ones, but rather the quiet assumptions that sit unnoticed until the moment they matter. Safety Instrumented Systems (SIS), programmable logic controllers (PLCs) and protection layers exist to intervene when normal operation has already failed. Their value is measured almost entirely in moments that never happen.
This sector is rightly proud of how seriously it takes this responsibility. IEC 61511 is deeply embedded in the way hazardous plants are designed, operated and governed. Hazard and operability studies (HAZOPs), Safety Integrity Level (SIL) testing and rigorous change management are part of the fabric of the industry. But the environment in which safety systems now live has changed, and those changes have not yet been fully woven into that fabric.
Most SIS platforms in service today are no longer isolated. They sit on networks, share infrastructure and rely on commercial operating systems to function. Engineering access is remote, vendor access is routine and diagnostics are pulled into wider operational technology environments. All of this is normal, accepted and in many cases unavoidable, but that connectivity fundamentally undermines the assumptions that underpin functional safety.
The new, old standard for safety
For years, safety studies could reasonably treat the SIS as independent, stable and trustworthy by default. If machine logic, hardware and proof testing appeared suitable and correct, it was a protection layer that could be relied upon. But in today's connected plants, that model no longer holds.
IEC 61511 recognised this shift in 2016. Edition 2 introduced a mandatory Security Risk Assessment for the SIS. This is not guidance, but a requirement that places cybersecurity alongside physical safety. The intent of the change was straightforward. If a security weakness could reasonably prevent a safety function from operating on demand, then it becomes a functional safety problem and must be treated as such. Cybersecurity, in this context, is about protecting the integrity and availability of safety functions, not merely data.
This is also where an artificial boundary has developed in many organisations. IEC 61511 defines how functional safety is achieved and governed in the process industries. IEC 62443, by contrast, addresses the security of industrial automation and control systems. In practice, modern SIS sit squarely at the intersection of both. Treating these standards as belonging to separate domains may simplify organizational responsibility, but it does not reflect how contemporary safety systems are designed or exposed to risk.
Common patterns, uncommon safety risks
Across hazardous process industries, we see the same patterns appearing again and again: flat networks with minimal segmentation between control and safety domains; engineering workstations necessarily running outdated platforms for process stability, but which have never been hardened; legacy controllers that cannot be patched and are rarely monitored; and backup regimes that exist on paper but have never been tested under pressure.
None of this looks dramatic. In day-to-day plant operation, most of it would not trigger any kind of alarm. But from a functional safety perspective, these conditions introduce failure modes that sit outside traditional hazard analysis. SIL is a quantified claim about risk reduction; if its assumptions are invalid, the number itself becomes meaningless.
The cyber trust problem
Cybersecurity is not an abstract threat. As IEC 61511 makes clear, it is a process safety issue that often goes unnoticed. Unlike mechanical or electrical failures, cyber-related failure modes are often invisible. Systems may appear to function normally while their integrity has already been compromised. By the time an issue comes to light, the opportunity to intervene cleanly may already be gone.
This exposes a gap in the way safety is currently approached. Cybersecurity should be treated as equal to physical process safety, yet traditional HAZOPs are not designed to surface potential cyber risks unless they are explicitly asked to. Safety cases rarely explore what happens if trust in instrumentation or logic is lost, rather than the instrumentation failing outright. Yet in a connected environment, loss of trust can be just as dangerous as loss of function.
Asking the right questions before things go wrong
IEC 61511 does not require the safety community to invent new tools; it simply asks that existing discipline be applied more broadly. A risk assessment of the SIS is another way of asking familiar questions: What could go wrong? How likely is it? What are the consequences if it does? The answers often point to design decisions that were made years ago, before connectivity was fully understood or implemented. They highlight organizational boundaries between safety, control and IT that no longer reflect technical reality, as well as situations where a system is compliant on paper but fragile in practice.
This also has implications beyond design and analysis. Incident response in most processing plants is understandably built around physical deviations and equipment failures. Operators know how to respond when pressures spike or flows are lost, but far fewer organizations have rehearsed what to do when the problem is uncertainty itself.
When uncertainty is the incident
A cyber-related incident affecting control or safety systems may manifest as conflicting information, unexpected behavior or simple loss of confidence in what the system is telling you. At that point, deciding whether to continue operating becomes a safety decision, not a technical one. These issues might stem from IT intrusion, but they are a whole-business concern. Shutdown philosophies and emergency procedures need to reflect that reality, and widespread training and buy-in are essential.
Regulators and insurers are already starting to ask questions around responsible cyber governance, and the direction of travel is clear. Demonstrating that cyber risks to safety functions have been identified and managed has become part of what good safety management looks like in high-hazard industries. For an industry that already lives by standards, this should not be controversial. IEC 61511 has done much of the work. The challenge is not a lack of frameworks or guidance. It is a reluctance to fully accept what the standard is already saying.
About Arista Cyber
Arista Cyber protects the world’s critical infrastructure. As a global consulting firm specializing in OT/ICS cybersecurity, Arista Cyber partners with organizations across energy, utilities, manufacturing and other essential sectors to deliver layered security solutions that align to global compliance standards. Combining unrivalled expertise with deep business insight, Arista Cyber is trusted by industries worldwide to provide future-ready end-to-end solutions adapted to operational reality. Arista Cyber’s TÜV Rheinland-certified experts work closely with organizations to secure their most vital assets – protecting the pulse of industrial innovation today, and preparing for the challenges of tomorrow. Find out more: https://aristacyber.io/
About the Author

Denrich Sananda
Managing Partner and Senior Consultant at Arista Cyber
Recognized as a leading authority in industrial cybersecurity, Denrich Sananda combines deep technical expertise with strategic insight to address the most complex cyber risk challenges. With a career built on pioneering work in automation and critical infrastructure security, he has led high-profile initiatives across North America and the Middle East. His mission is to help shape resilient systems that stand strong against evolving threats and guide organizations toward greater security maturity, operational confidence, and long-term resilience.
Denrich is a Harvard Business School alumnus and holds many cybersecurity certifications and positions, including membership of the ISA99 WG2 committee working on the description of an effective cybersecurity management system in the ISA-62443-2-1 standard, and he is a member of the Board of Directors of ISA Toronto.