The aeCyberPHA methodology is a practical application of the ISA 62443 cybersecurity risk assessment requirements. The method links realistic threat scenarios with known vulnerabilities and existing countermeasures and couples that with credible consequences from the PHA to determine cyber risk.
Earlier this year, John Cusimano, vice president of cybersecurity at aeSolutions, participated in a panel at the S4X19 conference exploring the strengths and benefits of conducting a Cyber Process Hazard Analysis (CyberPHA) or Consequence-driven Cyber-informed Engineering (CCE) process.
You can now hear the full audio recording of the panel discussion on understanding and reducing the consequence side of the risk equation (risk = consequence x likelihood).
Podcast: Truth or Consequences
Below is video of some excerpts of the discussion along with the accompanying slides regarding the aeCyberPHA process:
Want to learn more? Download our Whitepaper: If it isn’t secure, it isn’t safe here:
If it isn’t secure, it isn’t safe
By John Cusimano and Paul Rostick
The convergence of Information Technology (IT) and Operations Technology (OT) platforms has exposed modern industrial automation systems to increased risk. Cyber threats have the potential to affect multiple layers of protection, including basic process control, process alarms and safety instrumented systems. In certain circumstances it may be possible for a single cyber threat to simultaneously defeat all three layers of protection. Unfortunately, traditional process hazard evaluation and mitigation techniques such as HAZOP and LOPA do not include a requirement to evaluate or mitigate cyber threats. This paper examines two aspects of integrating cybersecurity and process safety risk management.