Integrated Safety Management and Cybersecurity Resilience in Seveso Plants
Abstract
Due to the increasing digitalization of hazardous plants and the growing convergence of IT and OT systems, cybersecurity risks are no longer a challenge solely in the realm of information security; they can also have a direct impact on operational safety, business continuity, and the health of the surrounding population and wildlife. While the Seveso regulations are traditionally based on a safety-oriented approach, the NIS2 Directive and its associated cybersecurity requirements reflect a predominantly IT-focused approach, which does not always align directly with the operational characteristics of safety-critical OT environments. The study presents an integrated security management approach that supports the development of risk-proportionate requirements across the organization’s technological, operational, and governance domains by applying a governance, risk management, and compliance (GRC) approach. The model aims to strengthen comprehensive organizational resilience and to develop the ability to respond flexibly to security risks and operational challenges. During the research, the authors analyzed the domestic and international regulatory environment, relevant management systems, and cybersecurity frameworks, with particular attention to recommendations for establishing adequate protection of the cyber-physical environment. The resulting integrated approach supports the development of comprehensive resilience in Seveso establishments.
Copyright (c) 2026 Defence Science

This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.