Process Hazard Analysis (PHA)
• An organized and systematic assessment of the
potential hazards associated with an industrial process
• Used for decades to assist operators of potentially
hazardous industrial facilities in understanding and ranking
operational risks so they can be properly mitigated
• Mandated in the USA by the Occupational Safety and
Health Administration (OSHA) in its Process Safety
Management regulation for processes that handle highly
hazardous chemicals
HAZOP worksheet extract (reactor node), columns reconstructed:

Guide word: No. Deviation: No agitation.
  Cause: Agitator motor drive fails.
  Consequence: Non-uniformity leads to runaway reaction and possible explosion. Agitator failure is indicated by high reactor temperature and high pressure.
  Safeguards: High temperature and high pressure alarm in DCS. Shortstop system.
  Recommendations: Add SIF to chemically control runaway reaction. Add a pressure safety relief valve. If necessary, add a de-pressurization SIF. Use LOPA to determine required SIL.

Guide word: More. Deviation: Higher temperature.
  Cause: Temperature control failure during steam heating.
  Consequence: High temperature could damage reactor seals, causing a leak. Indicated by high temperature.
  Safeguards: High temperature alarm in DCS.
  Recommendations: Add high-temperature SIF. Use LOPA to determine required SIL.

Guide word: More. Deviation: Higher level.
  Cause: Flow control failure allows the reactor to overfill.
  Consequence: Reactor becomes full, possible reactor damage and release. Indicated by high level or high pressure.
  Safeguards: High level alarm in DCS.
  Recommendations: Add high-level SIF. Use LOPA to determine required SIL.
[Figure: layers of protection, innermost to outermost: normal activity under basic process automation (process control system); process alarm, plant personnel intervenes; active protection (overpressure valve, rupture disc); passive protection (collection basin).]
Safety Instrumented System (SIS)
A system composed of sensors, logic solvers, and final
control elements for the purpose of taking the process to
a safe state when pre-determined conditions are violated.
[Figure: SIS example on the reactor: pressure transmitters (PT), a flow transmitter (FT), an I/P converter on the final element, and the reactor.]
The Problem
• PHAs / HAZOPs assume that the control systems and operators (alarms) will perform their intended function (layers of protection)
• Additional layers (e.g. safety systems) are added when the risk is too great
• Modern control systems and safety systems are software-based systems
• It is very common for both to sit on the same network and communicate with the same servers/workstations
• A single vulnerability could disable all layers of protection!
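The following is an added worked example, not code from the original slides. It serves two passages: the HAZOP recommendation "Use LOPA to determine required SIL" and the point above that one vulnerability can disable every software-based layer. It runs a LOPA calculation for the "No agitation" row twice: once with the agitator drive failing at random and all protection layers credited as independent, and once with an attacker on the PCN stopping the agitator, where the layers that are software on that same network get no credit. The initiating-event frequencies, PFDs, target frequency and layer names are constructed assumptions; only the SIL bands come from IEC 61508/61511.

```python
"""LOPA sizing of a SIF, with and without a cyber common cause.

Added worked example, not code from the original slides. Every frequency,
PFD and target figure is a constructed assumption for illustration; only
the SIL/RRF bands are taken from IEC 61508/61511 (low-demand mode).
"""

# SIL bands: (SIL, RRF lower bound inclusive, RRF upper bound exclusive)
SIL_BANDS = [(1, 10, 100), (2, 100, 1_000), (3, 1_000, 10_000), (4, 10_000, 100_000)]

# Independent protection layers credited in the "No agitation" row
# (constructed PFDs; the layer names are hypothetical labels).
IPLS = {
    "BPCS high-temperature alarm + operator response": 0.1,
    "shortstop (chemical inhibitor) system": 0.1,
    "pressure safety relief valve": 0.01,
}

# Layers that are software on the PCN: one compromise of that network
# defeats all of them at once, so they cannot be credited independently.
NETWORKED = frozenset({
    "BPCS high-temperature alarm + operator response",
    "shortstop (chemical inhibitor) system",
})


def sil_for_rrf(rrf: float) -> int:
    """Smallest SIL whose band contains the required risk reduction factor."""
    if rrf < 10:
        return 0  # target already met; no SIL-rated function required
    for sil, lo, hi in SIL_BANDS:
        if lo <= rrf < hi:
            return sil
    raise ValueError(f"RRF {rrf:.0f} exceeds SIL 4: reduce the hazard by design instead")


def lopa(initiating_freq: float, ipls: dict, target_freq: float,
         defeated: frozenset = frozenset()) -> tuple:
    """Return (mitigated event frequency, required SIF PFD, required RRF, SIL).

    Layers named in `defeated` are given PFD 1.0, i.e. no credit, which is how
    a layer disabled by the same event as the initiating cause must be treated.
    """
    mitigated = initiating_freq
    for name, pfd in ipls.items():
        mitigated *= 1.0 if name in defeated else pfd
    if mitigated <= target_freq:
        return mitigated, 1.0, 1.0, 0
    pfd_required = target_freq / mitigated
    rrf = round(1.0 / pfd_required, 9)  # tidy floating-point noise before banding
    return mitigated, pfd_required, rrf, sil_for_rrf(rrf)


def main() -> None:
    target = 1e-6  # tolerable frequency of the explosion scenario, per year (constructed)

    # Case 1: random hardware failure of the agitator drive; all IPLs independent.
    f, pfd, rrf, sil = lopa(0.1, IPLS, target)
    print(f"agitator drive failure: mitigated {f:.1e}/yr, SIF needs PFD {pfd:.2g}, RRF {rrf:.0f}, SIL {sil}")

    # Case 2: an attacker on the PCN stops the agitator and, because the alarm and
    # shortstop logic live on the same network, defeats them in the same act.
    f, pfd, rrf, sil = lopa(0.01, IPLS, target, defeated=NETWORKED)
    print(f"PCN compromise:          mitigated {f:.1e}/yr, SIF needs PFD {pfd:.2g}, RRF {rrf:.0f}, SIL {sil}")
    print("A SIF on that same PCN belongs to the defeated set too and earns no credit;")
    print("the required RRF must come from a layer the attacker cannot reach.")


if __name__ == "__main__":
    main()
```

With these assumed numbers the random-failure case asks for a SIL 1 SIF, while the network-compromise case needs SIL 2 from a layer that does not share the PCN; the point is not the particular values but that LOPA credit for a layer disappears the moment it shares a failure cause with the initiating event, and a shared network is exactly such a cause.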
[Figure: the reactor P&ID from the previous slide, with the control and safety instrumentation (PT, FT, I/P) attached to the PCN, which in turn connects to the plant LAN.]
Layers of Protection
[Figure: the layers-of-protection onion: normal activity under basic process automation (process control system) at the core; process alarm, plant personnel intervenes; active protection (overpressure valve, rupture disc); passive protection (collection basin).]
The ICS Cybersecurity Lifecycle
Start with Risk Assessment: IDENTIFY (ID)
Risk Assessment Requirements from
ISA 62443-2-1 (formerly 99.02.01)
• Select a risk assessment methodology
• Conduct a high-level risk assessment
• Identify the industrial automation and control systems
• Develop simple network diagrams
• Prioritize systems
• Perform a detailed vulnerability assessment
• Identify a detailed risk assessment methodology
• Identify the reassessment frequency and triggering criteria
• Conduct risk assessments throughout the lifecycle of the
IACS
• Document the risk assessment
Risk assessment flow (inputs -> step -> output):
• Prior audits, vendors, vulnerability databases, government sources, etc. -> Identify Vulnerabilities (Section 4.5.2) -> List of vulnerabilities
• Historical data; Process Hazard Assessments (e.g. HAZOP) -> Determine Impact (Section 4.5.4) -> Qualitative or quantitative assessment of financial and social impacts
• Corporate Risk Matrix -> Calculate Risk (Section 4.5.5) -> Qualitative or quantitative assessment of residual risk
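The following is an added worked example, not code from the original slides, that runs the three steps above (identify vulnerabilities, determine impact from the HAZOP consequences, calculate risk with a corporate matrix) over a constructed model of the plant architecture on the next slide. It also prioritizes systems using the network diagram: an asset's likelihood is raised when its zone is reachable from the business LAN over a permitted conduit. The zones, conduits, vulnerability scores, HAZOP severity ranking, risk matrix bands and the "SIS logic solver" asset name are all assumptions; the other asset names come from the diagram.

```python
"""Risk register for the IACS in the plant diagram, following the
ISA-62443-2-1 flow: identify vulnerabilities -> determine impact -> calculate risk.

Added worked example, not code from the original slides. Zones, conduits,
vulnerability scores, HAZOP severities and the risk matrix are constructed.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    zone: str
    worst_cvss: float   # worst score in this asset's vulnerability list (constructed)
    hazop_rows: tuple   # HAZOP deviations the asset can cause or is credited against


# Severity (1-4) of the consequence column of the HAZOP rows above (constructed ranking)
HAZOP_SEVERITY = {"No agitation": 4, "Higher temperature": 3, "Higher level": 3}
REACTOR = tuple(HAZOP_SEVERITY)

# As built: one flat PCN shared by BPCS and SIS, reachable from the business LAN.
CONDUITS_AS_BUILT = {("Business LAN", "PCN"), ("PCN", "Field")}
ASSETS_AS_BUILT = (
    Asset("DCS Server", "PCN", 9.8, REACTOR),
    Asset("BPCS Engineering Workstation", "PCN", 7.5, REACTOR),
    Asset("SIS Engineering Workstation", "PCN", 6.0, REACTOR),
    Asset("SIS logic solver", "PCN", 5.0, REACTOR),   # hypothetical asset name
    Asset("BPCS HMI", "Field", 6.5, REACTOR),
)

# Proposed countermeasure: SIS in its own zone; the only conduit is SIS -> PCN
# (status data out), so nothing on the PCN can initiate a connection into the SIS.
CONDUITS_SEGMENTED = CONDUITS_AS_BUILT | {("SIS", "PCN")}
ASSETS_SEGMENTED = tuple(
    Asset(a.name, "SIS", a.worst_cvss, a.hazop_rows) if a.name.startswith("SIS") else a
    for a in ASSETS_AS_BUILT
)


def reachable_zones(start: str, conduits: set) -> set:
    """Zones an attacker on `start` reaches by following conduits in their permitted direction."""
    seen, queue = {start}, deque([start])
    while queue:
        zone = queue.popleft()
        for src, dst in conduits:
            if src == zone and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen


def likelihood(asset: Asset, exposed_zones: set) -> int:
    """1-4 from the worst vulnerability, raised one level if the zone is remotely reachable."""
    c = asset.worst_cvss
    level = 1 if c < 4.0 else 2 if c < 7.0 else 3 if c < 9.0 else 4
    return min(4, level + 1) if asset.zone in exposed_zones else level


def impact(asset: Asset) -> int:
    """Worst HAZOP consequence the asset can contribute to (the section 4.5.4 input)."""
    return max(HAZOP_SEVERITY[row] for row in asset.hazop_rows)


def risk_rating(likelihood_level: int, impact_level: int) -> str:
    """Corporate risk matrix (constructed): product of the two 1-4 levels, banded."""
    score = likelihood_level * impact_level
    return "Very high" if score >= 12 else "High" if score >= 8 else "Medium" if score >= 4 else "Low"


def risk_register(assets: tuple, conduits: set, attacker_zone: str = "Business LAN") -> list:
    """Prioritized (name, likelihood, impact, rating) rows, highest risk first."""
    exposed = reachable_zones(attacker_zone, conduits)
    rows = [(a.name, likelihood(a, exposed), impact(a)) for a in assets]
    rows.sort(key=lambda r: -(r[1] * r[2]))
    return [(name, lik, imp, risk_rating(lik, imp)) for name, lik, imp in rows]


if __name__ == "__main__":
    for label, assets, conduits in (("as built", ASSETS_AS_BUILT, CONDUITS_AS_BUILT),
                                    ("SIS segmented", ASSETS_SEGMENTED, CONDUITS_SEGMENTED)):
        print(label)
        for name, lik, imp, rating in risk_register(assets, conduits):
            print(f"  {name:30} L{lik} x I{imp} -> {rating}")
```

Because every asset on the shared PCN can affect the reactor, impact is the same for all of them and the as-built register rates everything "Very high"; the register only separates the systems once the network diagram is taken into account, which is why the standard asks for the diagram before prioritizing. Re-running after the SIS is moved to its own zone gives the residual risk of section 4.5.5.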
[Figure: example plant architecture: the business LAN connects to the PCN; in the equipment room the PCN carries the DCS servers, the BPCS engineering workstation and the SIS engineering workstation; the field level holds the BPCS HMI.]