A cyber PHA or cyber HAZOP is a safety-oriented methodology to conduct a cybersecurity risk assessment for an industrial control system (ICS) or safety instrumented system (SIS). It is a systematic, consequence-driven approach that is based upon industry standards such as ISA 62443-3-2, ISA TR84.00.09, ISO/IEC 27005:2018, ISO 31000:2009 and NIST Special Publication (SP) 800-39.
The names, Cyber PHA or Cyber HAZOP, were given to this method because they are similar to process hazard analysis (PHA) or the hazard and operability study (HAZOP) studies that are popular in process safety management, particularly in industries that operate highly hazardous industrial processes (e.g. oil and gas, chemical, etc.).
The cyber PHA or cyber HAZOP methodology reconciles the process safety and cybersecurity approaches and requires instrumentation, operations and engineering disciplines to collaborate. Modeled on the process safety PHA/HAZOP methodology, a cyber PHA/HAZOP enables cyber hazards to be identified and analyzed in the same manner as any other process risk, and, because it can be conducted as a separate follow-on activity to a traditional HAZOP, it can be used in both existing brownfield sites and newly constructed greenfield sites without unduly meddling with well-established process safety processes.[1]
The technique is typically used in a workshop environment that includes a facilitator and a scribe with expertise in the Cyber PHA/HAZOP process, as well as multiple subject matter experts who are familiar with the industrial process, the industrial automation and control system (IACS) and related IT systems. The workshop team typically includes representatives from operations, engineering, IT and health and safety. A multidisciplinary team is important in developing realistic threat scenarios, assessing impacts and achieving consensus on the realistic of the threat, the known vulnerabilities and existing countermeasures.
The facilitator and scribe are typically responsible for gathering and organizing all of the information required to conduct the workshop (e.g. system architecture diagrams, vulnerability assessments, and previous PHA/HAZOPs) and training the workshop team on the method, if necessary.
A worksheet is commonly used to document the cyber PHA/HAZOP assessment. Various spreadsheet templates, databases and commercial software tools have been developed to support the cyber method. The organization's risk matrix is typically integrated directly into the worksheet to facilitate assessment of severity and likelihood and to look up the resulting risk score. The workshop facilitator guides the team through the process and strives to gather all input, reach consensus and keep the process proceeding smoothly. The workshop proceeds until all zone and conduits have been assessed. The results are then consolidated and reported to the workshop team and appropriate stakeholders.
Another popular safety-oriented methodology for conducting ICS cybsersecurity risk assessments is the cyber bowtie method. Cyber bowtie is based on the proven Bow-tie diagram Bow-tie diagram technique but adapted to assess cybersecurity risk.