This ISA author Q&A was edited by Joel Don, ISA's community manager. ISA recently published Security PHA Review for Consequence-Based Cybersecurity by Edward Marszal, PE, and James McGlone, two globally recognized experts in process safety, industrial cybersecurity, and the ISA/IEC 62443 series of IACS security standards. In this Q&A feature, the authors highlight the focus, importance, and differentiating qualities of the book.
Q. What is a Security PHA Review and how does it help ensure industrial cybersecurity?
A. The first step is applying a methodology for assessing the potential risks posed by a cyberattack on process plants. In the process industries, the most widely accepted process for identifying hazards and assessing risk is the Process Hazard Analysis (PHA) method, most commonly performed through hazard and operability studies (HAZOPs).
A Security Process Hazards Analysis (PHA) Review is a practical and inexpensive analysis method that can verify if critical industrial automation processes and machinery are protected or if they could be damaged through cyberattack.
By analyzing the cause of and safeguards for cybersecurity weaknesses, it's possible to determine consequences that are potentially unaffected by the safeguards and those that could be caused by malicious intrusion, such as hacking.
This book reviews the most common methods for PHA of process industry plants and explains how to supplement those methods with an additional Security PHA Review (SPR) study to determine if there are any cyberattack vectors that can cause significant physical damage to the facility. If these attack vectors are present, then the study methodology makes one of two recommendations: (1) modify one or more of the safeguards so that they are not vulnerable to cyberattack or (2) prescribe the appropriate degree of cyberattack safeguarding through the assignment of an appropriate security level. SPR examples provide insight for implementing these recommendations.
Any consequence that is not protected by existing safeguards or that can be caused by a cybersecurity attack is assigned an ISA/IEC 62443-based Security Level Target to be implemented or it is assigned an alternative safeguard or redesign to eliminate all or some of the cybersecurity risk.
Q. What makes this book different than other books on cybersecurity? Why were you compelled to write it?
A. We were prompted to write the book because the industry and cybersecurity practitioners are still unsure of what to do and why. The prevailing approach in industrial cybersecurity focuses on network devices such as computers, Level 3 switches, and firewalls instead of on the process and machines that could be damaged or cause damage if control is lost.
By focusing on hazard and operability study (HAZOP) designated scenarios, it is possible to identify hackable scenarios, rank them appropriately, and design non-hackable safeguards, such as relief valves and current overload relays, that are not vulnerable to the cybersecurity threat vector. Where inherently secure safeguard design is not feasible, the appropriate cybersecurity countermeasures must be deployed.
Q. What types of automation and process industry professionals would benefit most by reading the book?
A. The book will be useful to a wide range of automation and process industry professionals, including:
- Instrumentation and control system engineers and technicians
- Network engineers
- Process safety, health and safety, cybersecurity, and maintenance personnel
- Executives focused on risk reduction
Q. Why does the cover of your book depict springs and gears? How are they related to the content of the book?
A. The book shows how to evaluate each cause and safeguard in a "node" to discover if the consequence can be generated by a cyberattack. If a consequence is vulnerable to a cyberattack, then you can select a Security Level Target for the zone where the cause and safeguard reside, or you can modify or redesign the cause and safeguard so they are not vulnerable to the cyberattack. The modifications or redesign involve choosing a different type of technology to remove the cyberattack vulnerability. In many cases, the redesign or modification might involve a device with a spring or gear instead of a microprocessor.
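The review rule described in the answers to the first and last questions above, as an added worked example in Python that is not code from the book, its authors, or ISA: each cause and safeguard in a node is marked as hackable or not, a consequence counts as cyber-vulnerable when its cause is hackable and every safeguard credited against it is hackable too, and a finding is answered either by assigning a Security Level Target to the zone or by adding a non-hackable (spring-and-gear type) safeguard. The scenarios, the field names, the `hackable` flag and the severity-to-SL-T mapping are constructed assumptions for illustration, not figures from the book.

```python
"""Added example, not code from the book, its authors, or ISA.

A minimal Security PHA Review (SPR) pass over HAZOP-style scenarios, applying
the rule stated in the Q&A: a consequence is cyber-vulnerable when its cause
can be produced by a cyberattack and every safeguard credited against it can
also be defeated by one.  Scenario data, field names and the severity-to-SL-T
table are constructed for illustration only.
"""
from dataclasses import dataclass, field, replace
from typing import Dict, List


@dataclass(frozen=True)
class Element:
    """A cause or a safeguard recorded in a HAZOP node."""
    name: str
    # True when the element depends on a programmable or network-connected
    # device (DCS loop, PLC, SIS logic solver, VFD).  False for devices that
    # work on physics alone (relief valve, rupture disc, bimetal overload relay).
    hackable: bool


@dataclass
class Scenario:
    node: str
    cause: Element
    consequence: str
    severity: int                  # 1 (minor) .. 4 (catastrophic); assumed scale
    safeguards: List[Element] = field(default_factory=list)


# Assumed illustrative mapping; the page gives no severity-to-SL-T table.
SEVERITY_TO_SLT: Dict[int, int] = {1: 1, 2: 2, 3: 3, 4: 4}


def is_cyber_vulnerable(s: Scenario) -> bool:
    """SPR rule: the cause is hackable AND no non-hackable safeguard remains."""
    return s.cause.hackable and all(g.hackable for g in s.safeguards)


def spr_review(s: Scenario) -> dict:
    """Review one scenario; on a finding, report both recommendation routes."""
    finding = {"node": s.node, "consequence": s.consequence,
               "vulnerable": is_cyber_vulnerable(s)}
    if finding["vulnerable"]:
        # Route 1: assign a Security Level Target to the zone that holds the
        # hackable cause and safeguards (illustrative mapping above).
        finding["sl_target"] = SEVERITY_TO_SLT[s.severity]
        # Route 2: safeguards that could be replaced by non-hackable technology.
        finding["redesign_candidates"] = [g.name for g in s.safeguards]
    return finding


def add_safeguard(s: Scenario, g: Element) -> Scenario:
    """Return a copy of the scenario with an extra (e.g. mechanical) safeguard."""
    return replace(s, safeguards=s.safeguards + [g])


# Constructed sample node: three scenarios a HAZOP team might record.
SCENARIOS = [
    Scenario(
        node="Reactor R-101 feed",
        cause=Element("DCS flow controller drives feed valve fully open", True),
        consequence="Reactor overpressure, vessel rupture",
        severity=4,
        safeguards=[Element("SIS high-pressure trip closes feed valve", True),
                    Element("Relief valve PSV-101 sized for full feed flow", False)],
    ),
    Scenario(
        node="Pump P-201",
        cause=Element("VFD speed setpoint raised over the plant network", True),
        consequence="Motor overload, insulation fire",
        severity=3,
        safeguards=[Element("PLC overcurrent trip", True)],
    ),
    Scenario(
        node="Tank T-301",
        cause=Element("Operator opens manual drain valve", False),
        consequence="Loss of containment to bund",
        severity=2,
        safeguards=[],
    ),
]


def review_all(scenarios=SCENARIOS) -> List[dict]:
    """Run the SPR over every scenario in the node."""
    return [spr_review(s) for s in scenarios]


if __name__ == "__main__":
    for f in review_all():
        print(f)
    # Route 2 applied to P-201: a bimetal overload relay has no microprocessor.
    fixed = add_safeguard(SCENARIOS[1], Element("Current overload relay", False))
    print(spr_review(fixed))
```

In the sample node, the reactor scenario is not cyber-vulnerable because the relief valve breaks the chain even though both the DCS cause and the SIS trip are hackable; the pump scenario is vulnerable because its only safeguard is a PLC trip, and it stops being vulnerable once a mechanical overload relay is credited. That is the whole decision the SPR adds on top of the ordinary PHA.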
ISA offers standards-based industrial cybersecurity training, certificate programs, conformity assessment programs, and technical resources. Please visit the following ISA links for more information:
- Cybersecurity Resources Portal
- Cybersecurity Training
- IEC 62443 Conformance Certification
- Family of Standards
- ISA/IEC 62443 Cybersecurity Certificate Programs
- Suite of Security Standards
About the Author
Simon Lucchini, CFSE, MIEAust CPEng (Australia), serves as a Chief Controls Specialist and Fellow in Safety Systems at Fluor Canada. Through his more than 23 years in the petro-chemical industry, Lucchini has broad expertise and experience in operations/maintenance, corporate engineering, and project engineering. For the past 16 years, he has worked in the Control Systems Department at Fluor Canada. He is the Fluor Fellow in Safety Systems Design and also the chief controls specialist based at Fluor’s Calgary, Alberta Canada office. He has written papers on safety systems for various industry and academic venues, including two chapters in the 2017 Bela Liptak Instrument & Automation Engineers’ Handbook. Lucchini is currently the Safety Systems Committee chair of ISA’s Safety & Security Division, within which he produces web articles on matters of importance for the safety systems industry. He is also an active contributor to local control system networks that include a number of global oil & gas operators.
About the Author
Edward M. Marszal, PE, is president and CEO of Kenexis. He has more than 20 years of experience in the design of instrumented safeguards, such as SIS and fire and gas systems. He is an ISA Fellow and a former director of the ISA Safety Division. Edward is the co-author of two ISA books, Safety Integrity Level Selection and Security PHA Review for Consequence-Based Cybersecurity. He is an ISA84 expert.