(32bb) Dynamic Barrier Management for the Functional Integration of Safety and Security Domains in Critical Infrastructures: A Management Framework Based on Technical References.

Critical infrastructure, and especially the chemical industry, globally faces two major and complex challenges that jeopardize its operational and business continuity and resilience, with the ability to affect also people and the environment. On the first hand, the industrial cybersecurity domain faces the phenomenon of cybercrime and its instrument of Crime As A Service (which reached in 2023, last year alone, 8.5 trillion USD) while, on the other hand, the process safety domain seeks to manage the integrity of hazardous operating systems and processes, avoiding the affectation (or destruction) of industrial assets and the harm of people and the environment (which impact is estimated, just for the last year 2023, at a loss of around 5 trillion USD and almost 3 million fatalities). Even though both domains converge in protecting comprehensively the same critical industrial assets and ensuring their integrity, at their various levels of complexity existing in any kind of industrial facility, process, or system, to achieve or maintain a safe state, in general, or in respect of a specific hazardous or risk event, the industrial reality shows an isolated, sometimes contradictory, and non-aligned management of the assets (and their vulnerabilities), the hazards and risks, as well as the control solution proposed in each domain, under the applicable (legal and regulatory) requirements framework, which reduces the effectiveness and efficiency (in cost and effort) of such control solutions. In addition, the design and implementation of control solutions include the definition and operation of barriers for both cybersecurity and process safety, designed to block unwanted or non-functional flow (preventing its development or mitigating its consequences) about undesired/accidental (security and/or safety) events. The convergence of both domains becomes even more necessary considering that an industrial cybersecurity incident can be focused or targeted to directly affect process safety as a real mechanism to cause harm to the operation, its assets, the involved people, and the environment. At a technical level, there are more than thirty international technical standards and guidelines, plus some best industry practices, that deal with safety and/or security concepts and functional elements of security and/or safety, as well as with the increasingly complex legal framework on the subject. For this reason, it is necessary to have a reference framework for the chemical industry on which the barriers related to both domains are managed and optimized, dynamically integrating cybersecurity and process safety, to provide a better capacity to react and respond to the current highly changing risk scenarios and future challenges in the industry thinking the operation and its assets, cybersecurity, and process safety, as part of a single infrastructure that must be protected adequately and in a timely manner.