Cyber PHA

Information security
This article is part of a series on
Information security (main article)
Related security categories
Internet security Cyberwarfare Computer security Mobile security Network security
Threats
Computer crime Vulnerability Eavesdropping Exploits Trojans Viruses and worms Denial of service Malware Payloads Rootkits Keyloggers
Defenses
Computer access control Application security Antivirus software Secure coding Security by design Secure operating systems Authentication Multi-factor authentication Authorization Data-centric security Firewall (computing) Intrusion detection system Intrusion prevention system Mobile secure gateway

A Cyber PHA (also styled cyber security PHA) is a detailed cybersecurity risk assessment methodology that conforms to ISA 62443-3-2. The name, cyber PHA, was given to this method because it is similar to the Process Hazards Analysis (PHA) or the hazard and operability study (HAZOP) methodology that is popular in process safety management, particularly in industries that operate highly hazardous industrial processes (e.g. oil & gas, chemical, etc.).

The method is typically conducted as a workshop that includes a facilitator and a scribe with expertise in the cyber PHA process as well as multiple subject matter experts who are familiar with the industrial process, the industrial automation and control system (IACS) and related IT systems. For example, the workshop team typically includes representatives from operations, engineering, IT and health & safety as well as an independent facilitator and scribe. A multidisciplinary team is important in developing realistic threat scenarios, assessing the impact of compromise and achieving consensus on realistic likelihood values given the threat environment, the known vulnerabilities and existing countermeasures.

The facilitator and scribe are typically responsible for gathering and organizing all of the information required to conduct the workshop (e.g. system architecture diagrams, vulnerability assessments, PHAs, etc.) and training the workshop team on the method, if necessary.

A worksheet is commonly used to document the cyber PHA assessment. Various spreadsheet templates, databases and commercial software tools have been developed to support the cyber PHA method. The organization’s risk matrix is typically integrated directly into the worksheet to facilitate assessment of severity and likelihood and to lookup the resulting risk score. The workshop facilitator guides the team through the process and strives to gather all input, reach consensus and keep the process proceeding smoothly. The workshop proceeds until all zone and conduits have been assessed. The results are then consolidated and reported to the workshop team and appropriate stakeholders.

References

External links

This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.