A framework for complying with conflicting safety and security standards within critical infrastructure organisations

Date

2023-06

Publisher

De Montfort University

Type

Thesis or dissertation

Abstract

Safety and security risks to critical infrastructure organisations are well known, and incidents in both fields have taken place. To help critical infrastructure organisations manage these areas, safety and security standards have been created, ranging from general standards to industry-specific ones. Complying with both safety and security standards within critical infrastructure organisations can be difficult, because the standards contain conflicting requirements between safety objectives and security objectives, and because controls designed for information technology cannot always be applied to operational technology.

The main aim of the thesis was to identify and remediate conflicts and issues between information technology, operational technology, safety, and security, while also creating processes that combine safety and security compliance to standards, so that duplication of work is reduced and one process can manage both areas. The main output of the thesis is the Safety and Security Standards Framework for Critical Infrastructure (SSS Framework for CI), which critical infrastructure organisations can use to produce a Safety and Security Management System (SSMS). To achieve this, a case study was created and multiple safety and security standards were analysed to see what processes and controls they required. Questionnaires, workshops and experiments with safety and security professionals were conducted to inform and validate the framework. The SSS Framework for CI has 14 processes, 22 control areas and over 1000 conflicts, issues and resolutions for those conflicts and issues. Other findings were that conflict resolution and risk management are critical to successfully creating an SSMS, and that both need to be in place and designed to consider both safety and security objectives.

The thesis has demonstrated that safety and security can be managed together, and that doing so can bring benefits to critical infrastructure organisations both in the efficiency of processes and resources and in managing the risk of safety and security incidents. Managing both areas is not simple: the respective teams will need to work collectively, and changes to the implementation and maintenance of controls will be needed to ensure that compliance with multiple standards can be achieved and that overall risk is managed to an acceptable level.
