Cyber PHA: Difference between revisions

This article may be too technical for most readers to understand. Please help improve it to make it understandable to non-experts, without removing the technical details. (June 2017) (Learn how and when to remove this message)

A Cyber PHA (also styled cyber security PHA) is a detailed cybersecurity risk assessment methodology that conforms to ISA 62443-3-2. The name, cyber PHA, was given to this method because it is similar to the Process Hazards Analysis (PHA) or the hazard and operability study (HAZOP) methodology that is popular in process safety management, particularly in industries that operate highly hazardous industrial processes (e.g. oil & gas, chemical, etc.).

The method is typically conducted as a workshop that includes a facilitator and a scribe with expertise in the cyber PHA process as well as multiple subject matter experts who are familiar with the industrial process, the industrial automation and control system (IACS) and related IT systems. For example, the workshop team typically includes representatives from operations, engineering, IT and health & safety as well as an independent facilitator and scribe. A multidisciplinary team is important in developing realistic threat scenarios, assessing the impact of compromise and achieving consensus on realistic likelihood values given the threat environment, the known vulnerabilities and existing countermeasures.

The facilitator and scribe are typically responsible for gathering and organizing all of the information required to conduct the workshop (e.g. system architecture diagrams, vulnerability assessments, PHAs, etc.) and training the workshop team on the method, if necessary.

A worksheet is commonly used to document the cyber PHA assessment. Various spreadsheet templates, databases and commercial software tools have been developed to support the cyber PHA method. The organization’s risk matrix is typically integrated directly into the worksheet to facilitate assessment of severity and likelihood and to lookup the resulting risk score. The workshop facilitator guides the team through the process and strives to gather all input, reach consensus and keep the process proceeding smoothly. The workshop proceeds until all zone and conduits have been assessed. The results are then consolidated and reported to the workshop team and appropriate stakeholders.

• Safety requires cybersecurity
• Core Principles of an ICS Cybersecurity Program
• Security process hazard analysis review
• Understanding the Risk of Cyber Threats to an Industrial Process with a Cyber PHA
• Integrating ICS Cybersecurity and Process Safety Management (PSM)
• Cyber Security Risk Analysis for Process Control Systems Using Rings of Protection Analysis
• aeCyberPHA Risk Assessment Methodology