Cyber Hazard and Operability study (cyber HAZOP) is a safety-based cybersecurity risk assessment on Industrial Automation and Control Systems (IACS): Operational Technologies (OT), Basic Process Control Systems (BPCS), and Safety Instrumented Systems (SIS). It is a systematic analysis of deviations, consequences, safeguards, and risk-reduction actions aligned with industry standards ISA/IEC 62443, ISA/IEC 61511, and NIST Special Publication (SP) 800-39. Cyber HAZOP integrates IT and multiple engineering disciplines and delivers a risk‐ranked mitigation plan.
Cyber HAZOP methodology is an extension of the Hazard and Operability study (HAZOP). Chemical, mining, oil and gas, and nuclear industries utilize HAZOPs for a systematic examination of potential process hazards and operability problems.
The requirement for cyber HAZOP
Cyber HAZOP applies a unified cybersecurity approach to securing SIS, which are the last line of defense against catastrophic accidents. SIS detect dangerous conditions and return hazardous processes to safe operating levels or initiating their shut down.
The second edition of the IEC 61511-1 standard introduced two new clauses regarding the security of SIS:
- Clause 8.2.4 specifies that “A security risk assessment shall be carried out to identify the security vulnerabilities of the SIS.”
- Clause 11.2.12 establishes that “The design of the SIS shall be such that it provides the necessary resilience against the identified security risks.”
These clauses make it necessary for asset owners to perform cybersecurity risk assessments on safety instrumented systems. They aim to address the new reality of converged IACS and cybersecurity due to the steady adoption of new emerging technologies for operational efficiencies. The TRITON malware incident in 2017 at a Middle Eastern petrochemical plant has made this convergence abundantly evident. The malware was able to reach, compromise, and establish control over a network-accessible OT device that had access to the plant’s SIS. It proved that IACS’s cybersecurity risks are integrated and very real.
Challenges for cyber risk assessment
Both IACS and cybersecurity aim to prevent or mitigate catastrophic accidents, such as loss-of-control of energy sources and hazardous materials. Recognizing this convergence is vital when conducting cyber risk assessments on industrial systems. Traditional IT cybersecurity assessments or plant and process engineering risk assessments do not address this convergence.
Traditional IT cybersecurity risk assessments such as Factor Analysis of Information Risk (FAIR) focus on organizational productivity, financial implications, competitive advantage, and corporate reputation. IT cybersecurity risk assessments are used to determine the probable frequency and potential loss due to cyber threats relating to characteristics of the IT assets and their usage.
Traditional plant and process engineering risk assessments such as HAZOP focus on Health, Safety, and Environment (HSE). These risk assessments are used by engineering and operations to search for hazardous processes and operating deviations due to random hardware or systematic software failures.
Not surprisingly, these risk assessments serve different objectives, and neither includes the impact of cyber threats on the availability and reliability of industrial hardware or software. To identify these threats, a thorough and systematic IACS cyber-to-HSE risk assessment is typically conducted in a cyber HAZOP.
Additionally, IACS cyber risk assessments require collaborative multidisciplinary expertise and knowledge: IT, OT, BPCS, SIS engineering, and cybersecurity. The absence of these essential competencies could lead to an incomplete view of the IACS cybersecurity landscape and result in inadequate cyber risk mitigation or allocation of resources and funds.
The cyber HAZOP process
The cyber HAZOP study methodology bridges process safety, process control, and cybersecurity approaches. It allows IT, Engineering, and Operations to collaborate using methods already familiar to the facility operations management and personnel. It also enables cyber risks to be identified and analyzed in the same manner as other process risks. The study applies to all industrial facilities, does not disrupt or interfere with well-established process safety functions, and is a separate follow-on activity to a traditional HAZOP.
A cyber HAZOP study workshop is performed in the following sequence:
- Define the system, its subsections, and nodes. Select the boundaries of the system, divide it into manageable subsections, and identify nodes under consideration.
- Define the problems of interest. Specify the HSSE problems of interest that the analysis will address.
- Apply deviations for each node. Develop meaningful threat scenarios (causes/hazards).
- Examine the consequences. Identify all significant implications for each deviation without regard to any existing safeguards.
- Examine causes. Identify potential vulnerabilities or causes of the deviations.
- Calculate unmitigated cybersecurity risk. Assess the likelihood and impact of this deviation.
- Identify safeguards. Determine the most robust safeguards against each consequence.
- Calculate the residual cybersecurity risk. Re-assess likelihood and impact of deviation with existing safeguards.
- Identify and recommend additional safeguards. Specify other safeguards for risk reduction to acceptable (tolerable) level.
- Calculate the residual cybersecurity risk. Re-assess the likelihood and impact of deviation with additional safeguards.
- Prepare report. Finalize listing of safeguard recommendations in priority sequence.
A facilitator leads the cyber HAZOP workshop. The workshop includes representation from subject matter experts from IT, engineering, operations, health, and safety. Experience and insight together enable the development of credible threat scenarios, assessment of inherent safeguards and the impact of deviations, and achieve consensus towards realistic risk values.
The cyber HAZOP facilitators must be knowledgeable and experienced across IT, cybersecurity, process control, and process safety engineering domains. The facilitators are responsible for arranging the information required to conduct the workshop and engaging with the workshop team to deliver the most credible risk assessment possible.
Benefits of cyber HAZOP
The cyber HAZOP process presents three main benefits to industrial facilities.
- It increases the convergence of IT, engineering, operations, health, and safety disciplines on cybersecurity.
- It provides the management team and the board with a credible baseline risk assessment and practicable safeguards to further cyber risk reduction.
- It demonstrates compliance with ISA/IEC 61511 process industry standard’s cybersecurity requirements.
How ORIGNIX helps
ORIGNIX delivers bespoke cybersecurity engineering services for inherently safer design and operation of industrial processes. We utilize well-established techniques and templates. CyberHAZOP is an integral part of our cyber Process Risk Assessment (cyberPRA) methodology, which follows ISA/IEC 62443 and ISA/IEC 61511 industry standards. The assessment identifies potential gaps, hazards, vulnerabilities, independent protection layers associated with engineered industrial processes at plant facilities. The identified cyber risks are prioritized based on realistic cost-benefit analysis.
To learn more about how ORIGNIX customers benefit, visit our website.
Authors note: This blog was co-authored between Saif Shariff and Anastasios Arampatzis