A Cyber PHA or Cyber HAZOP is a safety-oriented methodology for conducting a cybersecurity risk assessment of an Industrial Control System (ICS) or Safety Instrumented System (SIS). It is a systematic, consequence-driven approach that draws on industry standards such as ISA/IEC 62443-3-2, ISA-TR84.00.09, ISO/IEC 27005:2018, ISO 31000:2009 and NIST Special Publication (SP) 800-39.
The method is called Cyber PHA or Cyber HAZOP because it parallels the Process Hazard Analysis (PHA) and hazard and operability (HAZOP) studies that are widely used in process safety management, particularly in industries that operate highly hazardous processes (e.g. oil and gas, chemicals).
The Cyber PHA or Cyber HAZOP methodology reconciles the process safety and cybersecurity approaches and allows IT, Operations and Engineering to collaborate in a way that is already familiar to facility operations management and personnel. Because it is modeled on the process safety PHA/HAZOP, a Cyber PHA/HAZOP lets cyber risks be identified and analyzed in the same manner as any other process risk; and because it can be run as a separate follow-on activity to a traditional HAZOP, it can be applied at existing brownfield sites as well as newly constructed greenfield sites without disrupting well-established process safety practices.[1]
The method is typically conducted as a workshop that includes a facilitator and a scribe with expertise in the Cyber PHA/HAZOP process, together with multiple subject matter experts who know the industrial process, the industrial automation and control system (IACS) and the related IT systems. The workshop team therefore usually includes representatives from operations, engineering, IT and health and safety, as well as the independent facilitator and scribe. A multidisciplinary team is important for developing realistic threat scenarios, assessing the impact of a compromise, and reaching consensus on realistic likelihood values given the threat environment, the known vulnerabilities and the existing countermeasures.
The facilitator and scribe are typically responsible for gathering and organizing the information required to conduct the workshop (e.g. system architecture diagrams, vulnerability assessments and existing PHA/HAZOP reports) and for training the workshop team on the method, if necessary.
A worksheet is commonly used to document the Cyber PHA/HAZOP assessment; various spreadsheet templates, databases and commercial software tools have been developed to support the method. The organization's risk matrix is typically integrated directly into the worksheet so that, once the team has agreed on severity and likelihood for a scenario, the resulting risk score can be looked up immediately. The workshop facilitator guides the team through the process, strives to gather all input and reach consensus, and keeps the process moving. The workshop proceeds until all zones and conduits have been assessed. The results are then consolidated and reported to the workshop team and the appropriate stakeholders.
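As an added illustration (not from the article, and not any vendor's worksheet tool), the following Python sketch models such a worksheet: the zones and conduits in scope, one row per threat scenario with the team's consensus severity and likelihood and the existing countermeasures credited, a lookup into an assumed 5x5 organizational risk matrix, a check that the workshop cannot be closed out until every zone and conduit has at least one assessed scenario, and the consolidation step that reports the worst risk per zone or conduit and the scenarios above an assumed tolerable-risk threshold. The zone and conduit names, the scenarios, the matrix values and the threshold are all constructed for the example.

```python
"""Minimal Cyber PHA worksheet model (added example, not from the article).

Assumptions made for the example: a 5x5 risk matrix, severity and
likelihood on a 1..5 scale, a tolerable-risk threshold of "M", and the
sample zones, conduits and scenarios below, which are constructed."""
from dataclasses import dataclass, field

# Assumed organisational risk matrix: RISK_MATRIX[severity-1][likelihood-1].
# Severity 1 = negligible .. 5 = multiple fatalities; likelihood 1 = remote .. 5 = frequent.
RISK_MATRIX = [
    ["L", "L", "L", "M", "M"],
    ["L", "L", "M", "M", "H"],
    ["L", "M", "M", "H", "H"],
    ["M", "M", "H", "H", "VH"],
    ["M", "H", "H", "VH", "VH"],
]
RISK_RANK = {"L": 0, "M": 1, "H": 2, "VH": 3}
TOLERABLE = "M"  # assumed: anything ranked above Medium needs a recommendation


def risk_score(severity: int, likelihood: int) -> str:
    """Look up the team's consensus severity/likelihood in the risk matrix."""
    if not (1 <= severity <= 5 and 1 <= likelihood <= 5):
        raise ValueError(f"severity/likelihood must be 1..5, got {severity}/{likelihood}")
    return RISK_MATRIX[severity - 1][likelihood - 1]


@dataclass
class Scenario:
    target: str         # zone or conduit the scenario is recorded against
    threat: str         # how the compromise happens
    consequence: str    # process consequence, normally taken from the PHA/HAZOP
    safeguards: tuple   # existing countermeasures the team credits
    severity: int
    likelihood: int


@dataclass
class Worksheet:
    zones: set
    conduits: set
    scenarios: list = field(default_factory=list)

    def record(self, s: Scenario) -> str:
        """Add one worksheet row and return its risk score."""
        if s.target not in self.zones | self.conduits:
            raise KeyError(f"{s.target!r} is not a zone or conduit in scope")
        self.scenarios.append(s)
        return risk_score(s.severity, s.likelihood)

    def unassessed(self) -> set:
        """Zones/conduits with no scenario yet; the workshop is not done until empty."""
        return (self.zones | self.conduits) - {s.target for s in self.scenarios}

    def consolidate(self) -> dict:
        """Worst risk per zone/conduit and every scenario above the tolerable level."""
        if self.unassessed():
            raise RuntimeError(f"unassessed zones/conduits: {sorted(self.unassessed())}")
        worst = {}
        for s in self.scenarios:
            r = risk_score(s.severity, s.likelihood)
            if s.target not in worst or RISK_RANK[r] > RISK_RANK[worst[s.target]]:
                worst[s.target] = r
        above = [s for s in self.scenarios
                 if RISK_RANK[risk_score(s.severity, s.likelihood)] > RISK_RANK[TOLERABLE]]
        return {"worst_by_target": worst, "above_tolerable": above}


def demo() -> dict:
    """Constructed sample workshop: three zones, two conduits, six scenarios."""
    ws = Worksheet(zones={"SIS", "BPCS", "Engineering"},
                   conduits={"BPCS<->SIS", "DMZ<->BPCS"})
    ws.record(Scenario("SIS", "Malware on engineering laptop alters a SIF trip setpoint",
                       "Loss of overpressure protection on separator V-101",
                       ("Mechanical relief valve", "SIS key switch normally in RUN"), 5, 2))
    ws.record(Scenario("SIS", "Unauthorised bypass of a single SIF via HMI",
                       "Reduced protection for one shift", ("Bypass alarm", "Permit"), 3, 1))
    ws.record(Scenario("BPCS<->SIS", "Compromised BPCS writes to SIS over Modbus",
                       "Spurious trip and unit shutdown", ("Read-only firewall rule",), 2, 3))
    ws.record(Scenario("BPCS", "Ransomware on operator stations",
                       "Loss of view, manual shutdown", ("Offline backups",), 4, 3))
    ws.record(Scenario("Engineering", "Stolen vendor VPN credentials reach the EWS",
                       "Logic download with altered interlocks", ("MFA on VPN",), 3, 4))
    ws.record(Scenario("DMZ<->BPCS", "Historian relay misconfigured, inbound allowed",
                       "Reconnaissance only", ("IDS on DMZ",), 1, 5))
    return ws.consolidate()


if __name__ == "__main__":
    result = demo()
    print(result["worst_by_target"])
    for s in result["above_tolerable"]:
        print(f"ABOVE TOLERABLE: {s.target}: {s.threat}")
```

The two guards are the parts worth keeping in a real worksheet: recording a scenario against something that is not a defined zone or conduit is rejected, and consolidation refuses to run while any zone or conduit has no scenario at all, which is the usual way a workshop silently under-covers the architecture.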
References
External links
- Safety requires cybersecurity
- Security process hazard analysis review
- Cyber Security Risk Analysis for Process Control Systems Using Rings of Protection Analysis
- Building Cybersecurity into a Greenfield ICS Project
- Intro to Cyber PHA
- Video: Cyber PHA Overview Video
- Video: Cyber Process Hazards Analysis (PHA) to Assess ICS Cybersecurity Risk presentation at S4x17
- Video: Consequence Based ICS Risk Management presentation at S4x19
- How Secure are your Process Safety Systems?
- Process Safety & Cybersecurity
- Securing ICS (archived 2020-06-16 at the Wayback Machine)
- Safety Requires Cybersecurity
- The Familial Relationship between Cybersecurity and Safety
- Cybersecurity Depends on Up-to-Date Intelligence
- Cybersecurity Risk Assessment
- Dale Peterson Unsolicited Response Podcast: Truth or Consequences