Jump to content

Cyber PHA

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by Cusimanoja (talk | contribs) at 21:11, 16 June 2020. The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

A cyber PHA (also styled cyber security PHA) is a safety-oriented methodology to conduct a cybersecurity risk assessment for an Industrial Control System (ICS) or Safety Instrumented System (SIS). It is a systematic, consequence-driven approach that is based upon industry standards such as ISA 62443-3-2, ISA TR84.00.09, ISO/IEC 27005:2018, ISO 31000:2009 and NIST Special Publication (SP) 800-39.

The name, cyber PHA, was given to this method because it is similar to the Process Hazards Analysis (PHA) or the hazard and operability study (HAZOP) methodology that is popular in process safety management, particularly in industries that operate highly hazardous industrial processes (e.g. oil and gas, chemical, etc.).

The Cyber PHA methodology reconciles the process safety and cybersecurity approaches and allows IT, Operations and Engineering to collaborate in way that is already familiar to facility operations management and personnel. Modeled on the process safety PHA/HAZOP methodology, a cyber PHA enables cyber risks to be identified and analyzed in the same manner as any other process risk, and, because it can be conducted as a separate follow-on activity to a traditional HAZOP it can be used in both existing brownfield sites and newly constructed greenfield sites without unduly meddling with well established process safety processes.[1]

The method is typically conducted as a workshop that includes a facilitator and a scribe with expertise in the cyber PHA process as well as multiple subject matter experts who are familiar with the industrial process, the industrial automation and control system (IACS) and related IT systems. For example, the workshop team typically includes representatives from operations, engineering, IT and health and safety as well as an independent facilitator and scribe. A multidisciplinary team is important in developing realistic threat scenarios, assessing the impact of compromise and achieving consensus on realistic likelihood values given the threat environment, the known vulnerabilities and existing countermeasures.

The facilitator and scribe are typically responsible for gathering and organizing all of the information required to conduct the workshop (e.g. system architecture diagrams, vulnerability assessments, and PHAs) and training the workshop team on the method, if necessary.

A worksheet is commonly used to document the cyber PHA assessment. Various spreadsheet templates, databases and commercial software tools have been developed to support the cyber PHA method. The organization’s risk matrix is typically integrated directly into the worksheet to facilitate assessment of severity and likelihood and to look up the resulting risk score. The workshop facilitator guides the team through the process and strives to gather all input, reach consensus and keep the process proceeding smoothly. The workshop proceeds until all zone and conduits have been assessed. The results are then consolidated and reported to the workshop team and appropriate stakeholders.

References