Cyber PHA

A cyber PHA or cyber HAZOP is a safety-oriented methodology to conduct a cybersecurity risk assessment for an industrial control system (ICS) or safety instrumented system (SIS). It is a systematic, consequence-driven approach that is based upon industry standards such as ISA 62443-3-2, ISA TR84.00.09, ISO/IEC 27005:2018, ISO 31000:2009 and NIST Special Publication (SP) 800-39.

The names, Cyber PHA or Cyber HAZOP, were given to this method because they are similar to process hazard analysis (PHA) or the hazard and operability study (HAZOP) studies that are popular in process safety management, particularly in industries that operate highly hazardous industrial processes (e.g. oil and gas, chemical, etc.).

The cyber PHA or cyber HAZOP methodology reconciles the process safety and cybersecurity approaches and requires instrumentation, operations and engineering disciplines to collaborate. Modeled on the process safety PHA/HAZOP methodology, a cyber PHA/HAZOP enables cyber hazards to be identified and analyzed in the same manner as any other process risk, and, because it can be conducted as a separate follow-on activity to a traditional HAZOP, it can be used in both existing brownfield sites and newly constructed greenfield sites without unduly meddling with well-established process safety processes.2018 AIChE Spring Meeting and Global Congress on Process Safety Proceedings
/ref>

The technique is typically used in a workshop environment that includes a facilitator and a scribe with expertise in the Cyber PHA/HAZOP process, as well as multiple subject matter experts who are familiar with the industrial process, the industrial automation and control system (IACS) and related IT systems. The workshop team typically includes representatives from operations, engineering, IT and health and safety. A multidisciplinary team is important in developing realistic threat scenarios, assessing impacts and achieving consensus on the realistic of the threat, the known vulnerabilities and existing countermeasures.

The facilitator and scribe are typically responsible for gathering and organizing all of the information required to conduct the workshop (e.g. system architecture diagrams, vulnerability assessments, and previous PHA/HAZOPs) and training the workshop team on the method, if necessary.

A worksheet is commonly used to document the cyber PHA/HAZOP assessment. Various spreadsheet templates, databases and commercial software tools have been developed to support the cyber method. The organization's risk matrix is typically integrated directly into the worksheet to facilitate assessment of severity and likelihood and to look up the resulting risk score. The workshop facilitator guides the team through the process and strives to gather all input, reach consensus and keep the process proceeding smoothly. The workshop proceeds until all zone and conduits have been assessed. The results are then consolidated and reported to the workshop team and appropriate stakeholders.

References

External links

Safety requires cybersecurity

Security process hazard analysis review

Cyber Security Risk Analysis for Process Control Systems Using Rings of Protection Analysis

Building Cybersecurity into a Greenfield ICS Project

Intro to Cyber PHA

Video: Cyber PHA Overview Video


Video: Cyber Process Hazards Analysis (PHA) to Assess ICS Cybersecurity Risk presentation at S4x17

Video: Consequence Based ICS Risk Management presentation at S4x19

How Secure are your Process Safety Systems?

Process Safety & Cybersecurity

Securing ICS


Safety Requires Cybersecurity

The Familial Relationship between Cybersecurity and Safety

Cybersecurity Depends on Up-to-Date Intelligence

Cybersecurity Risk Assessment

Dale Peterson Unsolicited Response Podcast: Truth or Consequences

{{Information security

Impact assessment
Evaluation methods
Process safety
Risk analysis methodologies
Management cybernetics