When safe isn’t secure – why IEC 61511 mandates cybersecurity for SIS

http://www.hazardexonthenet.net/article/220333/When-safe-isn-t-secure-why-IEC-61511-mandates-cybersecurity-for-SIS.aspx

Publish Date: 2026-02-10 10:08:00

Source Domain: www.hazardexonthenet.net

Author : Denrich Sananda, Managing Partner, Arista Cyber

For years, process safety professionals have taken comfort in a familiar equation: if a Safety Instrumented System (SIS) meets its required Safety Integrity Level (SIL), then the risk is under control. HAZOPs are complete, layers of protection are verified, proof tests are planned, and the compliance box is ticked. But that equation no longer holds.

Image: Arista

As operational technology (OT) systems have become more connected, more digital, and more accessible, the idea that a system can be functionally safe without also being cyber secure has been quietly undermined. Much of the industry has missed the point at which this was formalised. Ten years ago, the second edition of IEC 61511 introduced Clause 8.2.4, a requirement that many still overlook or misunderstand: it mandated a Security Risk Assessment (SRA) specifically for the SIS, not as optional guidance or best practice, but as a normative requirement.

That short clause represents one of the most important shifts in process safety thinking in decades. It recognises that cybersecurity weaknesses can act as credible initiating causes of major accidents, in the same way as mechanical failure, human error, or poor design. In practice, many plants still rely on assumptions made years ago, before today's levels of connectivity; cyber risks must now be treated with the same seriousness as any other initiating cause.

The digitalisation of safety

When IEC 61511 was first written, most SIS architectures were physically isolated. Engineering access was local, communications were simple, and cyber risk, at least as we understand it today, barely featured in plant design. Fast forward to today, and the landscape looks very different.

Modern SIS platforms use Ethernet-based communications. Engineering workstations run commercial operating systems with widely known vulnerabilities. Remote, often…
