Isa-tr84.00.09 Now

In the world of industrial control systems (ICS), two documents get all the glory. There’s ISA-62443 (IEC 62443) , the sprawling, multi-part behemoth that serves as the constitution for industrial cybersecurity. And then there’s ISA-84 (IEC 61511) , the bible of functional safety (SIS/SIL). They sit on opposite ends of the engineering bookshelf, rarely speaking to one another.

Cybersecurity wasn’t part of the equation. Why? Because the assumption was that safety networks were air-gapped, proprietary, and obscure. No hacker would bother with a Beckhoff controller or a Triconex when they could go after corporate payroll. isa-tr84.00.09

But lurking in the shadows, often out of print and overlooked, is a technical report that saw the future coming: . In the world of industrial control systems (ICS),

A SIL 3 loop (one failure in 10,000 years) is mathematically robust against random hardware failures—but completely blind to a single malicious write command over Modbus TCP. TR84.00.09 introduced the concept of for security, arguing that a safety function can only claim its SIL if the supporting cybersecurity controls maintain the integrity of the logic, data, and timing. They sit on opposite ends of the engineering

The industry’s answer then was a shrug. The answer today, after TRITON, PIPEDREAM, and a dozen state-sponsored near-misses, is: catastrophe . For decades, functional safety engineers operated under a sacred pact: A safety system (SIS) must be fail-safe, deterministic, and isolated. If you pulled the logic solver’s plug, the valves went to their safe position. If a sensor failed, the system defaulted to shutdown. Safety was about physics, random hardware failures, and reliability.

Published in 2008 (and reaffirmed since), this document—formally titled “Security Countermeasures Related to Safety Instrumented Systems (SIS)” —asked a heretical question at the time: What happens when a cyber attack targets a safety system?