Cyber PHA

A cyber PHA or cyber HAZOP is a safety-oriented methodology to conduct a cybersecurity risk assessment for an industrial control system (ICS) or safety instrumented system (SIS). It is a systematic, consequence-driven approach that is based upon industry standards such as ISA 62443-3-2, ISA TR84.00.09, ISO/IEC 27005:2018, ISO 31000:2009 and NIST Special Publication (SP) 800-39.

The names Cyber PHA and Cyber HAZOP were given to this method because it is similar to the process hazard analysis (PHA) and hazard and operability (HAZOP) studies that are popular in process safety management, particularly in industries that operate highly hazardous industrial processes (e.g. oil and gas, chemical, etc.). The cyber PHA or cyber HAZOP methodology reconciles the process safety and cybersecurity approaches and requires instrumentation, operations and engineering disciplines to collaborate. Modeled on the process safety PHA/HAZOP methodology, a cyber PHA/HAZOP enables cyber hazards to be identified and analyzed in the same manner as any other process risk. Because it can be conducted as a separate follow-on activity to a traditional HAZOP, it can be used in both existing brownfield sites and newly constructed greenfield sites without unduly meddling with well-established process safety processes (2018 AIChE Spring Meeting and Global Congress on Process Safety Proceedings).

The technique is typically used in a workshop environment that includes a facilitator and a scribe with expertise in the cyber PHA/HAZOP process, as well as multiple subject matter experts who are familiar with the industrial process, the industrial automation and control system (IACS) and related IT systems. The workshop team typically includes representatives from operations, engineering, IT and health and safety. A multidisciplinary team is important in developing realistic threat scenarios, assessing impacts and achieving consensus on how realistic the threat is, the known vulnerabilities and existing countermeasures. The facilitator and scribe are typically responsible for gathering and organizing all of the information required to conduct the workshop (e.g. system architecture diagrams, vulnerability assessments, and previous PHA/HAZOPs) and training the workshop team on the method, if necessary.

A worksheet is commonly used to document the cyber PHA/HAZOP assessment. Various spreadsheet templates, databases and commercial software tools have been developed to support the cyber PHA/HAZOP method. The organization's risk matrix is typically integrated directly into the worksheet to facilitate assessment of severity and likelihood and to look up the resulting risk score. The workshop facilitator guides the team through the process and strives to gather all input, reach consensus and keep the process proceeding smoothly. The workshop proceeds until all zones and conduits have been assessed. The results are then consolidated and reported to the workshop team and appropriate stakeholders.

Another popular safety-oriented methodology for conducting ICS cybersecurity risk assessments is the cyber bowtie method. Cyber bowtie is based on the proven bow-tie diagram technique but adapted to assess cybersecurity risk.
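The worksheet with an integrated risk matrix described above can be sketched in Python; this is an added illustration, not taken from any standard or commercial tool. The 5x5 matrix values, the zone and conduit names and the threat scenarios are constructed assumptions, and a real study would use the organization's own risk matrix.

```python
from dataclasses import dataclass, field

# Constructed 5x5 matrix (assumption): rows = severity 1..5, columns = likelihood 1..5.
# A real study uses the organization's own risk matrix.
RISK_MATRIX = [
    ["Low",    "Low",    "Low",    "Medium",  "Medium"],
    ["Low",    "Low",    "Medium", "Medium",  "High"],
    ["Low",    "Medium", "Medium", "High",    "High"],
    ["Medium", "Medium", "High",   "High",    "Extreme"],
    ["Medium", "High",   "High",   "Extreme", "Extreme"],
]
RANK = {"Low": 0, "Medium": 1, "High": 2, "Extreme": 3}

@dataclass
class Row:
    """One worksheet line: a threat scenario against a zone or conduit."""
    target: str
    threat: str
    consequence: str
    severity: int      # 1..5, agreed by the workshop team
    likelihood: int    # 1..5, judged given vulnerabilities and countermeasures
    vulnerabilities: list = field(default_factory=list)
    countermeasures: list = field(default_factory=list)

    def risk(self):
        if not (1 <= self.severity <= 5 and 1 <= self.likelihood <= 5):
            raise ValueError(f"rating out of range for {self.target}: {self.threat}")
        return RISK_MATRIX[self.severity - 1][self.likelihood - 1]

def unassessed(targets, rows):
    """Zones and conduits with no scenario yet; the workshop continues until empty."""
    done = {r.target for r in rows}
    return [t for t in targets if t not in done]

def consolidate(rows):
    """Worst risk level per zone or conduit, highest first, for the final report."""
    worst = {}
    for r in rows:
        level = r.risk()
        if r.target not in worst or RANK[level] > RANK[worst[r.target]]:
            worst[r.target] = level
    return sorted(worst.items(), key=lambda kv: -RANK[kv[1]])

# Constructed sample data: zone, conduit and scenario names are hypothetical.
TARGETS = ["SIS zone", "BPCS zone", "BPCS-SIS conduit", "DMZ-BPCS conduit"]
ROWS = [
    Row("SIS zone", "malware via shared engineering workstation", "loss of safety function", 5, 2),
    Row("BPCS zone", "unauthorized setpoint change", "off-spec product", 3, 3),
    Row("BPCS zone", "ransomware on operator HMI", "loss of view and control", 4, 4),
    Row("BPCS-SIS conduit", "spoofed status traffic", "nuisance trip", 2, 2),
]
```

With this sample data, `unassessed(TARGETS, ROWS)` still reports one conduit, so the workshop is not yet complete, and `consolidate(ROWS)` gives the per-zone summary that would go into the report.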


External links


Safety requires cybersecurity

Security process hazard analysis review

Cyber Security Risk Analysis for Process Control Systems Using Rings of Protection Analysis

Building Cybersecurity into a Greenfield ICS Project

Intro to Cyber PHA

Video: Cyber PHA Overview Video

Video: Cyber Process Hazards Analysis (PHA) to Assess ICS Cybersecurity Risk presentation at S4x17

Video: Consequence Based ICS Risk Management presentation at S4x19

How Secure are your Process Safety Systems?

Process Safety & Cybersecurity

Securing ICS

Safety Requires Cybersecurity

The Familial Relationship between Cybersecurity and Safety

Cybersecurity Depends on Up-to-Date Intelligence

Cybersecurity Risk Assessment

Dale Peterson Unsolicited Response Podcast: Truth or Consequences