Work Item

ASTM WK89686

Revision of F3559-23 Standard Guide for ASTM F24 Standards Governing Lifecycle Management of Amusement Rides and Devices


Safety Related Control Systems (SRCS) on attractions have become subject to cybersecurity risks. Today’s SRCS devices are connected via Ethernet and can be connected to computers or other systems. The risk exists for a virus to impact the SRCS, and with multiple Ethernet ports in a control system, there are multiple ways the system could be accessed and changes made (intentionally or unintentionally) which could impact safety.

A task group has been working to review all the F24 standards to identify where language could be added which would help to prevent and/or detect a change to the safety related control system which could impact safety. The task group has benchmarked language from other industries that are also addressing cybersecurity risks of SRCSs, and has decided we will initially work on language in four areas of F24: Lifecycle/3559, Design/2291, Risk Assessment/3959, and Operations/770. We will work on the language in that order. Starting with non-mandatory language in the Lifecycle Guide, we will then work on mandatory language in the Design, Risk Assessment, and then Operations standards. Our goal is to make small language additions, which add requirements, to guide designers in developing SRCSs with cybersecurity in mind, and enable owner/operators to have the tools and information to maintain their SRCSs and minimize the risks of a cybersecurity event.

Everyone in the lifecycle of an attraction will have a part in enabling a secure system, just like everyone has a part in ensuring safety. A designer does not have knowledge or visibility during use as to how a system is connected to other systems, or how the system is accessed or maintained. Thus, some responsibility will be with designers and some responsibility will be with owners/operators. (For example, think about purchasing a new computer system. It will need updates and virus scans over time as technology advances. That responsibility falls on the user to maintain the computer. An SRCS is also a computer system and can have the same security maintenance needs.) Our task group is comprised of a mixture of designers and owners/operators, so we balance the responsibilities appropriately.


Developed by Subcommittee: F24.20

Committee: F24

Staff Manager: Katerina Koperna

Work Item Status

Date Initiated: 02-16-2024

Technical Contact: Andrew Milluzzi

Item: 001

Ballot: F24 (24-05)

Status: Negative Votes Need Resolution

