Process hazard assessments (PHA) are a well-established practice in process safety management.  These assessments focus on failures (aka deviations) that are typically caused by equipment failures or human error.  By design, PHAs do not consider cyber threats to industrial control systems (ICS).  However, cyber threats represent additional failure modes that may lead to the same health, safety and environmental consequences identified in the PHA.  Functional safety (i.e. ISA 84 / IEC 61511) and industrial cybersecurity standards (i.e. ISA/IEC 62443) recognize this issue and provide guidance on how to integrate these two disciplines to ensure that cyber incidents cannot impact process safety.  This presentation will discuss the guidance provided in industry standards regarding ICS cyber risk assessments (aka Cyber PHA) and the benefits and business justification for performing them.

Marco Ayala

Process hazard assessments (PHA) are a well-established practice in process safety management.  These assessments focus on failures (aka deviations) that are typically caused by equipment failures or human error.  By design, PHAs do not consider cyber threats to industrial control systems (ICS).  However, cyber threats represent additional failure modes that may lead to the same health, safety and environmental consequences identified in the PHA.  Functional safety (i.e. ISA 84 / IEC 61511) and industrial cybersecurity standards (i.e. ISA/IEC 62443) recognize this issue and provide guidance on how to integrate these two disciplines to ensure that cyber incidents cannot impact process safety.  This presentation will discuss the guidance provided in industry standards regarding ICS cyber risk assessments (aka Cyber PHA) and the benefits and business justification for performing them.