Building resilience across industrial sites and critical infrastructure
Critical infrastructure and industrial sites make up the backbone of our society, providing essential services such as energy, water, pharma and chemical, to name just a few. Disruption to these industries can have serious repercussions, so it is vital that those providing these services can maintain business continuity, even if struck by a cyberattack, natural disaster, physical breach, or internal incident or accident.
The evolving regulatory environment
Governments around the world are taking steps to ensure critical assets of the involved industries are resilient to any potential threat, and one key approach has been to use regulation which spread the responsibility across the whole supply chain. This means that all the stakeholders, from end users to suppliers, have a role to play in ensuring the security and resilience of critical infrastructure and industrial sites.
In Europe, regulations such as the cybersecurity-focused NIS2 Directive and the broader Critical Entity Resilience Directive (CER) place significant demands for a long list of industries, now falling under the broad umbrella of “critical infrastructure” or “critical and important entities”, and including their entire supply chains.
These regulations require organizations to implement a range of security measures, including periodic risk assessments and incident response plans. At the very least, any failure to comply will likely result in significant fines. Longer-term costs – potentially greater still – could include impact on brand reputation, loss of production, or damages paid to third parties.
Most large organizations will be aware of the requirements tied to these regulations; however, it is less well known that every organization operating in these sectors, irrespective of size, will need to be aware of the implications and adjust and enhance their business operations accordingly.
A specific challenge for industrial sectors and critical infrastructure
NIS2 and CER apply to a broad range of sectors, where any incidents can potentially have a devastating impact on the health and safety of citizens, economic activity, the environment, and even the functioning of society as a whole.
A number of the sectors, particularly those handling hazardous materials and substances, already need to adhere to existing regulation. These include the Seveso Directive, which covers 12,000 industrial sites across the EU and aims to prevent major industrial accidents and minimize their harmful impacts on human health and the environment. Named after a chemical leak in the Italian town of Seveso in 1976, the Directive is now in its third iteration.
However, the NIS2 and CER Directives raise the regulatory bar significantly, and the industries impacted by these new regulations are running out of time to demonstrate that they align with the requirements. NIS2 needs to be reflected in laws of EU member states by October 2024, and CER by mid-2025.
The CER Directive itself defines resilience as a “critical entity’s ability to prevent, protect against, respond to, resist, mitigate, absorb, accommodate and recover from an incident”.
In simple terms, this means that critical entities must show that they have taken steps to minimize any potential for an accident to happen and show that they are prepared with contingencies in place in the event an incident does occur.
Resilience is even more important when it comes to some specific area of industrial sites and critical infrastructure, the so called “critical assets” by the means of regulations. Examples include (but are not limited to) control rooms in nuclear plants, chemical storage, power generators, reactors in chemical plants, and furnaces in steel plants. Companies that operate such sites need to demonstrate that they have put the measures in place to monitor and secure all these areas.
Technological solutions for meeting the requirements
The use of smart, connected devices based on video technology, for example, and the data that these can create provides a compelling solution in many areas of industrial sites and critical infrastructure, providing a valuable layer of visual verification and situational awareness, along with object recognition or other analytics. Typical scenarios include:
- Security: secure perimeters and specific areas, deterring crime and helping to protect people and assets.
- Process monitoring and visual verification: monitoring temperature and vibrations, detecting anomalies, monitoring the handling of dangerous substances, and verifying that processes are being followed correctly.
- Health, Safety & Environment (HSE): detecting leaks, monitoring for safety violations, environmental monitoring, smoke and fire detection, and ensuring that employees are wearing the correct Personal Protective Equipment (PPE).
Cameras – previously used mainly for security surveillance – can now also be considered sensors for process monitoring and people protection.
However, not all production areas are easy to monitor. Due to a potentially combustible atmosphere, caused by gas and/or dust, special precaution is necessary when it comes to electrical devices, as they may emit sparks or excessive heat and cause an ignition.
Depending on the probability of an explosion, these areas are divided into zones, each of which require appropriate protection of electronic devices.
Traditionally, explosion-protected cameras have been designed with a stainless-steel enclosure for use in the more hazardous Zone/Division 1. However, the less hazardous Zone/Division 2 usually covers a larger area. Here, a more cost-effective solution is to use explosion-protected cameras specifically designed for Zone/Division 2, allowing the full potential of modern camera technology to be used in areas where the cost previously limited deployment.
Being able to cover a wider spectrum of situations in a cost-efficient way will be a game changer towards resilience.
While using connected technologies and data has its clear benefits, it is important that users are aware of potential security risks. Which is why the EU’s NIS2 Directive aims to ensure that any solutions employed by those operating industrial sites and critical infrastructures are a good fit from a cybersecurity standpoint as well.
Due to their significance in our day-to-day lives, industrial sites and critical infrastructure are an obvious target for cyberattack, and likely to have their vulnerabilities probed. Safeguarding connected devices is therefore a priority. Companies will employ a number of tools to mitigate the risks of cyberthreats including software and devices with built-in cybersecurity-related features, along with best practices in device hardening and addressing vulnerabilities.
Working in partnership to build resilience
Time is of the essence. With NIS2 and CER deadlines approaching, on top of the already existing Seveso Regulation, organizations need to take action. Working with trusted partners will provide the foundation for resilience. Solutions which balance quality, reliability, and cost-effectiveness, based on open standards which will allow future scalability and enhancement, meet the needs today and the future, whatever new regulatory requirement emerge.
As a first step to discovering more about how monitoring hazardous areas supports resilience, download our ebook.