July 26, 2018

Why Occupational Health and Safety (OHS) Professionals Need to Step up on Cyber Security

Cybersecurity has always been relevant to OHS professionals tasked with preventing harm in the workplace, according to an expert in the area, who said cybersecurity incidents can cause harm in a number of ways.
Cybersecurity leader Ajoy Ghosh gave a number of examples of potential cybersecurity incidents which have implications for OHS professionals:
  • A software “glitch” causing an accident of an automated or autonomous system, such as a car or heavy machinery
  • Hacking into a control system and causing a machine to have an accident or do something dangerous, such as overheating and catching on fire, or
  • Cyberbullying and harassment in the workplace or of workers.
In Australia, Ghosh said there have been numerous examples of the above, although few have made the media.
“One that did was Vitek Boden who in 2000 hacked into his former employer’s network causing raw sewage to spill and contaminate a large area, including the grounds of the Marriott Hotel,” said Ghosh, who is a Certified Information Security Systems Practitioner (CISSP) as well as author of Standards Australia’s Handbook 171 Guidelines on the Management of IT Evidence and co-author of Handbook 231 Information Security Risk Management Guidelines (now ISO 27005:2011).
“Other not so well publicised examples include, in 2003, accidental changes to the software of a food manufacturer that caused excessive iron to be added to a breakfast cereal.
“It was detected before the cereal was shipped, but the plant was shut down for about a month whilst they worked out what caused the problem.”
In 2014, Ghosh said, a former IT worker hacked into a mine site network to copy some code and accidentally caused a drilling rig to suddenly turn, just missing a worker.
A couple of years later, a computer virus caused the building management system of a shopping centre to shut down, trapping an elderly person in a lift, where they suffered a heart attack.
Ghosh, who was speaking ahead of a Safety Institute of Australia and Australian Computer Society webinar on cybersecurity and OHS professionals, also said that cybersecurity has become increasingly important for companies and Boards, with cyber representing two of the top five risks in this year’s World Economic Forum Global Risk Report.
Since Australia’s new mandatory breach notification legislation came into force on 22 February, entities are now required to report cyber breaches that could cause serious harm. According to the Privacy Commissioner: “in the context of a data breach, serious harm to an individual may include serious physical, psychological, emotional, financial, or reputational harm.”
Ghosh said that mandatory reporting means that serious cybersecurity incidents and accidents will become well known and publicised in a media that has become hyper-sensitive to cyber safety.
Boards and executives need to take a role in this, with oversight of safety critical systems as well as a responsibility to educate themselves about cybersecurity.
“They can no longer rely on the ‘IT guy’ or the ‘engineer’ to fulfill their corporate obligation,” said Ghosh, who added that there are a number of cybersecurity standards that have become the expected minimum standard, such as ISO 27001 and the NIST cybersecurity framework (which is mandatory for ASX 100).
For safety-critical systems, there are sector-specific standards (including automotive, medical and rail), and more generally, Ghosh said IEC 61508 Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems also covers cybersecurity.
“Boards and executives are increasingly expecting that the harm caused by a cybersecurity event is also risk managed by OHS leaders, who are responsible for risk managing harm across their organisation,” he said.
“For many, it is more than an expectation, it’s a requirement.”
Cyber safety is a familiar term when it comes to bullying and online safety, and Ghosh said it also applies to cyber events which could result in a wide range of real-world accidents and even catastrophe.
“OHS leaders need to understand how ‘cyber’ links to their company’s processes and how a cyber event can cause real-world harm,” he said.
What is the Safety Institute of Australia?
The Safety Institute of Australia is the national association for the health and safety profession. Its vision is for safe and healthy workers in productive workplaces, and it pursues this vision by working to build the skills, knowledge and capability of the health and safety profession, and by being a voice for that profession.
