Security PHA Review for Consequence-Based Cybersecurity presents a practical, process-centric method that uses existing process hazard analysis (PHA) outputs, such as hazard and operability (HAZOP) studies, to determine appropriate cybersecurity requirements for industrial process plants. The objective of the security PHA review (SPR) is to identify process hazard scenarios that could be caused by malicious cyber actions and then either recommend non‑hackable safeguards to remove the cyber vector or assign an appropriate ISA/IEC 62443 security level (SL) to guide cybersecurity design and implementation. This approach emphasizes assessing initiating events, reviewing all safeguards (both cyber and non‑cyber) and evaluating consequences in the context of an organization's risk tolerance criteria.
The book explains how SLs apply to security zones, how a conduit inherits the highest SL of the zones it connects, and where SPR fits within the ISA/IEC 62443 lifecycle. It takes a process‑hazard perspective rather than producing equipment‑only vulnerability listings, describes practical documentation methods (highlighter annotations, dedicated SPR reports or PHA‑software integration) and highlights common non‑hackable safeguards (such as mechanical relief devices, buckling pins, motor overload relays and external current monitors) that, where feasible, can lower the SL a zone is required to achieve.
It is written so that process engineers, control systems professionals, IT professionals and cybersecurity specialists can integrate IT security with process‑safety practice without unnecessary duplication of effort, and it provides practical, implementable methods, centered on the SPR approach, for identifying cyber‑enabled process hazards and for assessing and reducing risk in real industrial settings.
Table of Contents:
Foreword ix
Preface xi
About the Authors xiii
Chapter 1 Introduction 1
Brief History of Cyberattacks on ICSs 3
Security Level 5
Zones and Conduits 6
Risk Analysis Methods for Cybersecurity 7
The Security PHA Review Study 9
Benefits of the SPR Study 11
Objectives of this Book 12
Summary 14
Exercises 15
Bibliography 16
Chapter 2 Overview of the ISA/IEC 62443 Series 19
Structure of the ISA/IEC 62443 Series 19
The ISA/IEC 62443 Series Life Cycle and Requirements 21
Requirements for Risk Analysis 23
Summary 23
Exercises 24
Bibliography 24
Chapter 3 Limitations of Cybersecurity Risk Analysis Methods 25
The ISA/IEC 62443 Series Requirements for Risk Assessment 26
Risk Assessment Methods Promulgated by the Cybersecurity Community 28
Cyber PHA/Cyber HAZOP 29
CHAZOP 31
Inherent Problems with Existing Cyber Risk Analysis 31
Lack of Initiating Event 32
Infinite Potential Outcomes 33
Inherent Safety Against Cyberattack Is Not Considered 33
Frequency of Deliberate Attack 34
Summary 34
Exercises 35
Bibliography 37
Chapter 4 Process Hazard Analysis Overview 39
Common PHA Methods 41
Hazards and Operability Studies 43
Process Safety Information 45
Node Definition 45
HAZOP Team 46
Deviation Development 47
Building the Scenario 48
Summary 52
Exercises 53
Bibliography 55
Chapter 5 The SPR Study Process 57
Documenting a SPR 59
The Highlighter Method 59
The SPR Report Document 65
Leveraging PHA Documentation Software 65
Advanced Methods 66
Summary 67
Exercises 67
Bibliography 69
Chapter 6 Non-Hackable Safeguards 71
Pressure Relief Devices 71
Direct-Operated Relief Valve 72
Rupture Discs 72
Buckling Pins 73
Mechanical Overspeed Trips 74
Check Valves 74
Non-Return Check Valves 75
Excess Flow Check Valves 76
Motor-Monitoring Devices 76
Motor Overload Relays 77
Motor-Current Monitor Relay 77
Instrument-Loop Current Monitor Relay 77
Summary 79
Exercises 79
Bibliography 81
Chapter 7 Security PHA Review Examples 83
Vessel Overpressure 84
Thermal Runaway Reaction 86
Pump-Blocked Discharge 92
Tank Reactor Runaway Reaction 94
Summary 98
Exercises 98
Bibliography 99
Chapter 8 Conclusions 101
Appendix A: Acronyms 105
Appendix B: Definitions 109
Appendix C: Sample Risk Tolerance Criteria 111
Appendix D: ISA/IEC 62443 Security Levels 117
Appendix E: Exercise Solutions 139
Index 147
About the Authors:
Edward M. Marszal, Professional Engineer (PE) and ISA84 Safety Instrumented Systems Expert, is the president and chief executive officer of Kenexis. Kenexis is an engineering consultancy dedicated to assisting process industry customers with assessing the risks that are posed by their plant operations and then reducing those risks to a tolerable level by the specification of instrumented safeguards, such as safety instrumented systems (SISs), fire and gas systems (FGSs), critical alarm systems, and cybersecurity. Marszal is a longtime practitioner and pioneer of the techniques and tools associated with technical safety and the performance-based design and implementation of instrumented safeguards.
Marszal started his career after receiving a BA in chemical engineering, with an emphasis on process controls and artificial intelligence, from The Ohio State University. After graduating, Marszal took a position with UOP in Des Plaines, Illinois, where he worked as an instrumentation and control field advisor, performing functional safety assessments of control systems and safety instrumented systems at customer sites worldwide. At UOP, he designed and managed the development of custom control systems and SIS projects.
James McGlone is the chief marketing officer of Kenexis. McGlone has more than 30 years of experience in the development and deployment of many of the embedded control systems used in industrial automation, building automation, Internet of Things (IoT), and cybersecurity.
McGlone started his career in the US Navy as an electronics technician and nuclear reactor operator on fast-attack submarines. McGlone was on the pre-commissioning crew of two submarines during construction and shakedown, eventually taking the boats to sea as operational platforms. While in the Navy, McGlone acquired computers and began programming in various languages, including BASIC, COBOL and FORTRAN. After 9 years of maintaining and operating nuclear power plants in submarines, McGlone pursued a civilian career as a technical specialist for a Rockwell Automation (Allen-Bradley) distributor in Akron, Ohio, where he solved challenging applications for drives and motion control systems and learned to program programmable logic controllers (PLCs).