ISA recently published Security PHA Review for Consequence-Based Cybersecurity by Edward Marszal, PE, and James McGlone – two globally recognized experts in process safety, industrial cybersecurity, and the ISA/IEC 62443 series of IACS security standards. In this Q&A feature, McGlone highlights the focus, importance, and differentiating qualities of the book.
Q. What is a Security PHA Review and how does it help ensure industrial cybersecurity?
A. The first step is applying a methodology for assessing the potential risks posed by a cyberattack on process plants. In the process industries, the most widely accepted process for identifying hazards and assessing risk is the Process Hazard Analysis (PHA) method, most commonly performed through hazard and operability studies (HAZOPs).
A Security Process Hazards Analysis (PHA) Review is a practical and inexpensive analysis method that can verify if critical industrial automation processes and machinery are protected or if they could be damaged through cyberattack.
By analyzing the cause of and safeguards for cybersecurity weaknesses, it’s possible to determine consequences that are potentially unaffected by the safeguards and those that could be caused by malicious intrusion, such as hacking.
This book reviews the most common methods for PHA of process industry plants and explains how to supplement those methods with an additional Security PHA Review (SPR) study to determine if there are any cyberattack vectors that can cause significant physical damage to the facility. If these attack vectors are present, then the study methodology makes one of two recommendations: (1) modify one or more of the safeguards so that they are not vulnerable to cyberattack or (2) prescribe the appropriate degree of cyberattack safeguarding through the assignment of an appropriate security level. SPR examples provide insight for implementing these recommendations.
Any consequence that is not protected by existing safeguards or that can be caused by a cybersecurity attack is assigned an ISA/IEC 62443-based Security Level Target to be implemented or it is assigned an alternative safeguard or redesign to eliminate all or some of the cybersecurity risk.
Q. What makes this book different from other books on cybersecurity? Why were you compelled to write it?
A. We were prompted to write the book because the industry and cybersecurity practitioners are still unsure of what to do and why. The prevailing approach in industrial cybersecurity focuses on network devices such as computers, Level 3 switches, and firewalls instead of on the process and machines that could be damaged or cause damage if control is lost.
By focusing on the scenarios designated in hazard and operability studies (HAZOPs), it is possible to identify hackable scenarios, rank them appropriately, and design non-hackable safeguards, such as relief valves and current overload relays, that are not vulnerable to the cybersecurity threat vector. Where inherently secure safeguard design is not feasible, the appropriate cybersecurity countermeasures must be deployed.
Q. What types of automation and process industry professionals would benefit most by reading the book?
A. The book will be useful to a wide range of automation and process industry professionals, including:
- Instrumentation and control system engineers and technicians
- Network engineers
- Process safety, health and safety, cybersecurity, and maintenance personnel
- Executives focused on risk reduction
Q. Why does the cover of your book depict springs and gears? How are they related to the content of the book?
A. The book shows how to evaluate each cause and safeguard in a “node” to discover if the consequence can be generated by a cyberattack. If a consequence is vulnerable to a cyberattack, then you can select a Security Level Target for the zone where the cause and safeguard reside, or you can modify or redesign the cause and safeguard so they are not vulnerable to the cyberattack. The modification or redesign involves choosing a different type of technology to remove the cyberattack vulnerability. In many cases, the redesign or modification might involve a device with a spring or gear instead of a microprocessor.
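The node-by-node evaluation described in this answer and in the first answer (is the cause drivable from a hackable device, is every safeguard also hackable, and if so, redesign or assign an SL-T) can be written down as a small decision procedure. The following is an added illustration, not code from the book or from ISA: the data model, the meaning of the `hackable` flag, the rule that a non-programmable alternative is preferred over an SL-T when one exists, the severity-to-SL-T table, and all sample scenarios are constructed assumptions for this example.

```python
"""Toy Security PHA Review (SPR) pass over HAZOP-style scenarios.

Added example. The data model, the `hackable` semantics, the severity -> SL-T
table and the sample scenarios are illustrative assumptions, not the book's
published method.
"""
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional


@dataclass
class Element:
    """A cause or a safeguard in a HAZOP node.

    `hackable` means the element's action depends on a programmable or
    networked device (DCS, PLC, SIS logic solver, VFD). `alternative` names
    a non-programmable replacement (spring/gear class device), if one exists.
    """
    name: str
    hackable: bool
    alternative: Optional[str] = None


@dataclass
class Scenario:
    node: str
    cause: Element
    consequence: str
    severity: int                      # assumed scale: 1 minor .. 4 catastrophic
    safeguards: List[Element] = field(default_factory=list)


# Assumed mapping of consequence severity to an ISA/IEC 62443 SL-T (1..4).
SEVERITY_TO_SLT = {1: 1, 2: 2, 3: 3, 4: 4}


def cyber_reachable(s: Scenario) -> bool:
    """The consequence is cyber-reachable when the cause can be driven from a
    hackable device and every safeguard is hackable too. A node with no
    safeguards at all counts as reachable (all() over an empty list is True)."""
    return s.cause.hackable and all(sg.hackable for sg in s.safeguards)


def review(s: Scenario) -> Dict[str, Any]:
    """SPR outcome for one scenario: no action, redesign a safeguard that has a
    non-programmable alternative, or assign an SL-T to the zone."""
    result: Dict[str, Any] = {
        "node": s.node,
        "consequence": s.consequence,
        "cyber_reachable": cyber_reachable(s),
        "recommendation": "none",
        "detail": None,
        "sl_t": None,
    }
    if not result["cyber_reachable"]:
        return result
    # Option 1: make a safeguard inherently non-hackable if a design exists.
    for sg in s.safeguards:
        if sg.alternative:
            result["recommendation"] = "redesign"
            result["detail"] = f"replace '{sg.name}' with '{sg.alternative}'"
            return result
    # Option 2: no inherently secure design available; assign an SL-T.
    result["recommendation"] = "assign_sl_t"
    result["sl_t"] = SEVERITY_TO_SLT[s.severity]
    return result


def review_all(scenarios: List[Scenario]) -> List[Dict[str, Any]]:
    return [review(s) for s in scenarios]


# Constructed sample scenarios (hypothetical tags and equipment).
SAMPLE_SCENARIOS = [
    Scenario("Reactor R-101 feed",
             Element("DCS drives feed valve XV-101 fully open", True),
             "reactor overpressure", 4,
             [Element("SIS high-pressure trip", True),
              Element("relief valve PSV-101", False)]),
    Scenario("Pump P-201 motor",
             Element("VFD speed setpoint driven to maximum", True),
             "motor overcurrent and fire", 3,
             [Element("PLC overcurrent interlock", True,
                      alternative="thermal overload relay")]),
    Scenario("Tank T-301 filling",
             Element("level loop LIC-301 commanded to keep filling", True),
             "tank overflow", 2,
             [Element("high-level switch wired to PLC", True)]),
    Scenario("Tank T-301 drain",
             Element("operator leaves manual drain valve open", False),
             "loss of containment", 2,
             [Element("PLC low-level alarm", True)]),
]

if __name__ == "__main__":
    for r in review_all(SAMPLE_SCENARIOS):
        print(r)
```

The first scenario is not cyber-reachable because the relief valve does not depend on a microprocessor; the second gets a redesign recommendation because a thermal overload relay can replace the PLC interlock; the third has no non-programmable option and so receives an SL-T; the fourth is not cyber-reachable because its cause is a manual action rather than a controller output.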