In 2016, the global functional safety standard, IEC 61511, was updated to include two requirements regarding the security of a SIS. The first requirement states, “a security risk assessment shall be carried out to identify the security vulnerabilities of the SIS.” The second requires “the design of the SIS shall be such that it provides the necessary resilience against the identified security risks.”
While this and other standards such as ISA TR84.00.09, ISO/IEC 27001:2013, and IEC 62443-2-1:2010 recognize the importance of securing SIS, they don’t offer specific direction. Standards will give best practices and guidance, but ultimately an asset owner really needs to select a security risk assessment methodology tailored toward assessing ICS and SIS applications.
A user simply needs a good framework, methodology and guidance to get started. That is exactly where a cyber PHA, or cyber HAZOP, comes into play. A cyber PHA is a detailed cybersecurity risk assessment methodology for ICS & SIS that conforms to ISA/IEC 62443-3-2 security standard. The name, Cyber PHA, was given because it is similar to the Process Hazards Analysis (PHA) or the hazard and operability study (HAZOP) methodology used in process safety management, particularly in industries that operate highly hazardous industrial processes like oil and gas and chemicals.
A cyber PHA is typically performed in phases, is scalable, and can be applied to individual systems, or entire facilities or enterprises. There are six phases to a cyber PHA:
- Kickoff: Kicking off a project effectively puts both the site personnel and the assessment team on the same page.
- Assess: The purpose is to gather information about the SIS and its connections to identify vulnerabilities.
- Analyze: Analyzing the data allows the team to document potential vulnerabilities that may be exploited during a cyber event.
- Cyber PHA Workshop: The cyber PHA workshop is the heart of the process, where all of the information gathered and analyzed in Phases 1-3 is integrated with threat scenarios to develop a complete picture of risk.
- Report: Once the Cyber PHA is completed, a comprehensive report is produced showing the risks to the enterprise and a plan to mitigate risk to the organization’s acceptable level.
- Mitigate: An effective remediation plan includes a prioritized list of actions, budgetary estimates, schedule and resource requirements, which provides levels of resiliency.
The connection between safety and security has become even tighter. aeSolutions is here to provide you with a quick look at a proven methodology that safety and security professionals can take to meet the security requirements in 61511. Click here for a more detailed look at “Addressing the Security Requirements in Functional Safety Standard IEC 61511-1:2016.”