Integrating cybersecurity into the functional safety lifecycle is essential to ensure that safety instrumented systems (SIS) and other safety controls, alarms and interlocks (SCAI) are protected against both random failures and intentional cyber threats. The approach is well-documented in recent technical guidance, which emphasizes the need to address cybersecurity throughout every phase of the safety lifecycle. ISA-TR84.00.09-2024 Part 1, Cybersecurity Related to the Safety Lifecycle, is a document available from ISA.
This technical report aligns cybersecurity practices with established safety standards such as IEC 61511 and ANSI/ISA-61511-1-2018, incorporating key cybersecurity concepts and frameworks like ISA/IEC 62443 and National Institute of Standards and Technology (NIST). Part 2 is under development (see box). In general, it pays to adopt a unified lifecycle approach. Recognize that cybersecurity and safety are interdependent and must be managed together. Best practice is to use the safety lifecycle defined in ANSI/ISA-61511 as the foundation and integrate cybersecurity concepts from the ISA/IEC 62443 standards at each phase.
Traditional process hazard analysis (PHA) often excludes cyber threats. Modern practice requires including cyber risk as part of the overall risk assessment. Consider that cyberattacks are not random and can cause multiple hazards simultaneously, potentially leading to consequences not identified in traditional analyses. At each phase of the process safety lifecycle, standards can provide guidance (see Table 1). The following are relevant standards.
Find more information on each standard online at https://www.isa.org/standards-and-publications/isa-standards.
Table 1. Relevant standards by process safety lifecycle phase

| Lifecycle phase | Relevant standards |
|---|---|
| Concept/scope definition | ANSI/ISA-61511-1, ISA-62443-2-1 |
| Hazard and risk assessment | ANSI/ISA-61511-1, ISA-62443-3-2 |
| Design and implementation | ANSI/ISA-61511-1, ISA-62443-2-1, ISA-62443-3-2, ISA-62443-3-3, ISA-62443-4-2 |
| Operation and maintenance | ANSI/ISA-61511-1, ISA-62443-2-1, ISA-62443-2-4, ISA-62443-3-3, ISA-62443-4-2 |
| Management of change and decommissioning | ANSI/ISA-61511-1, ISA-62443-2-1, ISA-62443-2-3, ISA-62443-3-3 |
Recommended practice is to perform cybersecurity assessments (CSA) alongside functional safety assessments (FSA) at critical points: after risk assessment and countermeasure identification, after detailed design, after installation and prior to startup, after operational experience is gained, and after modifications and before decommissioning. Don’t forget to establish policies, procedures and roles for cybersecurity, aligned with safety management. Ensure competency in both functional safety and cybersecurity for all personnel involved and maintain auditable records of training, qualifications, and assessments.
Training and certifications
ISA worked with industry experts who are active on the ISA/IEC 61511 standard committee to develop three certificate exams designed to increase knowledge and awareness of the ISA/IEC 61511 standards. Because ISA/IEC 61511 is a performance-based standard, there is a need for competent and qualified people to develop and monitor the application of the standard to a facility or process. The ISA/IEC 61511 specialist certificates are awarded to those who successfully complete a designated training program and any prerequisites (for Certificates 2 and 3) and pass a multiple-choice exam. ISA also offers industrial cybersecurity training courses and a knowledge-based certificate recognition program based on ISA/IEC 62443.
This program covers the complete lifecycle of industrial automation and control system (IACS) assessment, design, implementation, operations and maintenance. It is designed for professionals in IT and control system security roles who need to develop a command of industrial cybersecurity terminology, as well as a thorough understanding of the material embedded in the ISA/IEC 62443 series of standards.
Risk mitigation and recovery plans
Best practice is to use independent protection layers for safety and defense-in-depth for cybersecurity. Assign security levels (SL) to zones and conduits, and ensure countermeasures meet these targets. Also, regularly review and update risk assessments and mitigation strategies as systems and threats evolve. Be sure to develop incident response plans that address both cyber and safety incidents, considering the impact on people, process, equipment, and the environment. Overall, to effectively integrate cybersecurity into your functional safety lifecycle, follow a lifecycle approach that embeds cybersecurity activities and requirements at every phase, guided by ANSI/ISA-61511 and the ISA/IEC 62443 standards.
This ensures that both safety and security objectives are met, risks are managed holistically, and your systems remain resilient against both accidental and intentional threats.
ISA-TR84.00.09: Guidance on Security in the Functional Safety Lifecycle
ISA-TR84.00.09-2024 Part 1, Cybersecurity Related to the Safety Lifecycle, provides guidance on integrating cybersecurity into the safety lifecycle of process safety controls, alarms and interlocks (PSCAI), including safety instrumented systems (SIS). This technical report aligns cybersecurity practices with established safety standards such as IEC 61511 and ANSI/ISA-61511-1-2018, incorporating key cybersecurity concepts and frameworks like ISA/IEC 62443 and National Institute of Standards and Technology (NIST). Available for purchase from ISA, the report covers management, risk assessment, project scope development, detailed design, implementation, operation, maintenance and change management phases.
It emphasizes organizational policies, technical measures and continuous assessment through checklists, KPIs and audits. It also addresses vulnerabilities, system integration, data flow analysis and compensating security measures for legacy or deficient devices. Note: ISA-TR84.00.09-2024 – Part 2 is under development.
Contact [email protected] to learn more. This feature also appears in Automation.com Monthly's 2nd Annual Cybersecurity Trends report (October 2025).