Industrial companies constantly face cyber risks that threaten their infrastructures. These organisations are acutely aware of the corporate cybersecurity challenges of 2021 and are particularly exposed to attacks from disgruntled employees, competitors, criminal hackers or, in the worst case, hostile states. This growing threat calls for an efficient cyber risk analysis process, and in this field the methods are numerous. If you chose HAZOP to assess cyber risks, would it give you a systemic and comprehensive analysis without wasted effort?
HAZOP is primarily intended for industrial risk analysis. Conceived by the company Imperial Chemical Industries, it aims to ensure the safety of industrial processes.
“HAZOP” is the acronym for “HAZard and OPerability study”. The tool is primarily used to assess the potential risks of industrial activities.
The method is described in detail in standard IEC 61882. It also has similarities with FMEA (Failure Modes and Effects Analysis). HAZOP is designed to identify risks of all kinds: material, procedural or human. FMEA, for its part, starts from the failure modes of individual components and traces cause-failure-consequence combinations. The two methods are complementary in the fight against cyber risks.
Historically, HAZOP has been used in the oil, pharmaceutical and chemical industries for process risk analysis. The cyber risk assessment of these organisations has instead relied on methods such as MEHARI (MEthod for the Harmonised Analysis of RIsk) or EBIOS (Expression of Needs and Identification of Security Objectives).
HAZOP can nevertheless be adapted to industrial IT security without much difficulty. It facilitates the identification of unsuspected, yet plausible, cyber risks, and in particular the risk of commercial losses caused by security flaws capable of halting industrial production.
In the article Global cybersecurity in the manufacturing industry, the various cyber risks that weigh on the IT operations of industrial organisations are presented. In some of the risk scenarios the criminals are motivated by financial gain, as with ransomware; others depict attempts at unfair competition; in rarer instances the attack comes from a state organisation with terrorist or military objectives.
This same article also enumerates a significant number of cyberattacks on industrial structures, including:
HAZOP was initially designed to analyse chemical and industrial processes: it assesses the safety of temperature-monitoring facilities, flow and pressure systems, and so on. Potential hazards are then discovered by combining “key words” (the guide words of IEC 61882, such as “no”, “more”, “less”, “reverse”) with the usual operating parameters, which yields deviations such as “more pressure” or “less flow”.
This approach sheds light on previously unidentified and unexpected causes of risk. It also assesses the effectiveness of the risk prevention measures already in place.
The great advantage of this tool is its comprehensiveness. As part of a risk management strategy that anticipates all cybersecurity risks, it provides a good support for synthesising cyber risks and keeping a structured, detailed record of them at any given time.
In the context of a cyber risk analysis, HAZOP needs to be adjusted. HAZOP usually brings together “task forces” competent in the company's physical processes.
For an efficient cybersecurity strategy, it is advised to associate cybersecurity experts with these professionals:
The company decides which subsystems must be subject to a cyber risk assessment. In HAZOP language, these subsystems are referred to as “nodes” or “lines”.
In IT, a system is made up of:
HAZOP has the specificity of confronting “keywords” standing for potential problems with the usual operating parameters of the systems. In the industrial sector these keywords usually relate to pressure, time or flow. For cybersecurity, HAZOP instead varies criteria such as the confidentiality, integrity and availability of data and systems (the CIA triad).
Confronting these criteria with the normal operation of the information systems then leads the work team to pin down potential “drifts” (deviations). In cybersecurity, a distinguishing feature of HAZOP is that it takes into account failures due to malicious acts, and not only those due to human error or technical faults.
The task force then lists all possible drifts resulting from the parameter / keyword combinations and proceeds to analyse the causes and potential consequences of each drift.
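As an added illustration (this is not code from the original article), the following Python script enumerates the drifts a cyber HAZOP task force would work through: every node is crossed with every guide word and parameter, and only the combinations that have an agreed reading are kept, so that “MORE confidentiality” never reaches the worksheet. The node names, the parameter list and the interpretation table are constructed assumptions for this example; a real task force would agree on its own.

```python
"""Enumerate HAZOP-style deviations ("drifts") for IT nodes.

Added example, not part of the original article. The nodes, parameters and
guide-word interpretations below are constructed for illustration.
"""
from dataclasses import dataclass
from itertools import product

# Guide words taken from classic HAZOP usage; the IT reading of each
# guide word / parameter pair is an assumption made for this example.
GUIDE_WORDS = ("NO", "MORE", "LESS", "OTHER THAN", "LATE")

# Parameters the cyber task force varies: the CIA triad plus timeliness,
# which matters for control systems.
PARAMETERS = ("confidentiality", "integrity", "availability", "timeliness")

# Meaningful (guide word, parameter) combinations and what they denote.
# Pairs absent from this table are skipped as having no sensible reading
# (e.g. "MORE confidentiality" is not a drift).
INTERPRETATION = {
    ("NO", "confidentiality"): "data exposed to unauthorised parties",
    ("LESS", "confidentiality"): "partial leak (metadata, sample records)",
    ("NO", "integrity"): "data or commands fully replaced or forged",
    ("LESS", "integrity"): "data or commands partially corrupted",
    ("OTHER THAN", "integrity"): "unexpected but well-formed data or command",
    ("NO", "availability"): "service completely down",
    ("LESS", "availability"): "service degraded or intermittent",
    ("LATE", "timeliness"): "data or command arrives after its deadline",
    ("NO", "timeliness"): "data or command never arrives (stale state)",
}


@dataclass(frozen=True)
class Deviation:
    node: str
    guide_word: str
    parameter: str
    meaning: str
    # Filled in by the task force during the causes/consequences analysis.
    causes: tuple = ()
    consequences: tuple = ()

    @property
    def label(self) -> str:
        return f"{self.guide_word} {self.parameter} @ {self.node}"


def enumerate_deviations(nodes, guide_words=GUIDE_WORDS, parameters=PARAMETERS):
    """Cross every node with every guide word and parameter, keeping only
    the combinations that have an agreed interpretation."""
    result = []
    for node, gw, param in product(nodes, guide_words, parameters):
        meaning = INTERPRETATION.get((gw, param))
        if meaning is None:
            continue  # no sensible reading: not a drift to analyse
        result.append(Deviation(node, gw, param, meaning))
    return result


def worksheet(deviations):
    """Render the first two HAZOP worksheet columns as text rows."""
    header = f"{'Deviation':<45} {'Meaning':<45}"
    rows = [header, "-" * len(header)]
    for d in deviations:
        rows.append(f"{d.label:<45} {d.meaning:<45}")
    return "\n".join(rows)


# Constructed nodes for a small plant network (illustrative only).
NODES = (
    "historian DB",
    "PLC command bus",
    "remote maintenance VPN",
)

if __name__ == "__main__":
    devs = enumerate_deviations(NODES)
    print(worksheet(devs))
    print(f"\n{len(devs)} deviations to analyse")
```

Each row of the worksheet is one drift for the task force to take through the causes and consequences columns; the interpretation table is where the team records, once, what a guide word means for an IT parameter, so that the same reading is applied to every node.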
Once the list of potential risks has been drawn up, the task force assesses their likelihood of occurrence, then their impact. The main objective is to assess the impact of each risk on a system, according to criteria that vary from one company to another: damage on the user's end, damage to the organisation's reputation, or damage to its sales or financial results.
Many methods are not prescriptive enough and let the task force members in charge of risk assessment build their grids on nominal scales of the low/medium/high kind, for both likelihood of occurrence and severity of impact. This brings limitations, because it gives the risk factors equivalent weights: high probability × low impact ends up equal to low probability × high impact. Unfortunately, as documented in ISO 27005 clause 8.3 and its annexes, these limitations are common to all methods relying on nominal or even ordinal scales.
HAZOP is based on the principle of exhaustiveness. The risk assessment team therefore has to generate all the probable failures for each “node” of each system, aiming at what is called “risk exhaustion”. Because of this, HAZOP applies rather poorly to large structures unless you are prepared to expend a great deal of effort.
The biggest companies, particularly when assessing risks on extremely complex information systems, benefit more from methods that focus on what is likely to happen rather than on whatever could happen. A good example is the VaR (Value at Risk) approach, which concentrates on the nodes critical to the structure and to its ability to create value. This kind of approach also leaves room for statistical data and quantitative scales, which are more rigorous and allow meaningful comparisons.
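To make the limitation of nominal scales and the contrast with a quantitative approach concrete, here is an added Python example (not part of the original article). It scores two constructed scenarios on a 3×3 low/medium/high grid, where they collide on the same score, and then with quantitative figures: expected annual loss and a simple value-at-risk at 95 % and 99 %. The scenarios, probabilities and loss amounts are constructed for illustration, and the yearly loss distribution assumes at most one event per year so that the arithmetic stays exact.

```python
"""Ordinal risk grid versus quantitative loss figures.

Added example, not part of the original article. The two scenarios and all
monetary values are constructed for illustration.
"""
from typing import Dict, List, Tuple

# Three-point ordinal scales of the low/medium/high kind found on risk grids.
RANK = {"low": 1, "medium": 2, "high": 3}


def grid_score(likelihood: str, impact: str) -> int:
    """Risk grid score: product of two ordinal ranks.
    The ranks carry no unit, so the product is only a label, and
    high x low is indistinguishable from low x high."""
    return RANK[likelihood] * RANK[impact]


# A quantitative scenario: probability that the event occurs in a given
# year, and the conditional loss-per-event distribution as
# (probability, loss in euro) pairs summing to 1.
LossDist = List[Tuple[float, float]]


def expected_annual_loss(p_event: float, losses: LossDist) -> float:
    """P(event in year) x E[loss | event]."""
    total_p = sum(p for p, _ in losses)
    if abs(total_p - 1.0) > 1e-9:
        raise ValueError("loss distribution must sum to 1")
    return p_event * sum(p * loss for p, loss in losses)


def annual_loss_distribution(p_event: float, losses: LossDist) -> List[Tuple[float, float]]:
    """Distribution of the yearly loss as sorted (loss, probability) pairs.
    Assumption for this example: at most one event per year, which keeps
    the arithmetic exact instead of needing Monte Carlo sampling."""
    dist: Dict[float, float] = {0.0: 1.0 - p_event}
    for p, loss in losses:
        dist[loss] = dist.get(loss, 0.0) + p_event * p
    return sorted(dist.items())


def value_at_risk(p_event: float, losses: LossDist, confidence: float) -> float:
    """Smallest yearly loss L such that P(loss <= L) >= confidence."""
    cumulative = 0.0
    dist = annual_loss_distribution(p_event, losses)
    for loss, prob in dist:
        cumulative += prob
        if cumulative + 1e-9 >= confidence:
            return loss
    return dist[-1][0]


# Constructed scenarios. Both land on the same grid score (3), but their
# quantitative profiles differ sharply.
SCENARIOS = {
    # Frequent, minor: e.g. a workstation hit by commodity malware.
    "frequent_minor": {
        "grid": ("high", "low"),
        "p_event": 0.9,
        "losses": [(1.0, 20_000.0)],
    },
    # Rare, severe: e.g. ransomware that halts production.
    "rare_severe": {
        "grid": ("low", "high"),
        "p_event": 0.1,
        "losses": [(0.8, 500_000.0), (0.2, 3_000_000.0)],
    },
}


def compare(scenarios=SCENARIOS) -> Dict[str, Dict[str, float]]:
    """Grid score next to expected annual loss and 95 % / 99 % VaR."""
    out = {}
    for name, s in scenarios.items():
        out[name] = {
            "grid_score": grid_score(*s["grid"]),
            "eal": expected_annual_loss(s["p_event"], s["losses"]),
            "var95": value_at_risk(s["p_event"], s["losses"], 0.95),
            "var99": value_at_risk(s["p_event"], s["losses"], 0.99),
        }
    return out


if __name__ == "__main__":
    for name, figures in compare().items():
        print(name, figures)
```

Both scenarios score 3 on the grid, yet the rare, severe one carries more than five times the expected annual loss and a 99 % value-at-risk two orders of magnitude higher. Figures of this kind can be compared, summed across nodes and weighed against the cost of a countermeasure; a grid cell cannot.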
The task force then has to suggest new tools for cyber risk detection and prevention. These may be organisational measures such as staff training or a technology-watch strategy. The most commonly adopted prevention measures are technical: antivirus and firewalls, and software dedicated to monitoring the IT estate and detecting vulnerabilities.
In the industrial sector the process also gives rise to physical prevention measures, such as barrier devices that limit the physical consequences of a cyberattack, for example a retention basin or safety valves. Manufacturers also rely on intrusion-detection probes to spot threats to the control system.
The strength of HAZOP lies in its ability to highlight failures that no one had thought of. It is useful when no hazardous event has occurred prior to the analysis, but as a result it also requires anticipating everything that is likely to happen.
It is also a very rigorous method, as it brings together multidisciplinary teams. Applied to cybersecurity, HAZOP further enables the centralisation of the analysis rather than diluting efforts across several different methods.
The drawbacks of HAZOP lie in cross-referencing the results:
To conclude, this “exhaustive” and weighty approach suits complex but finite and delimited industrial environments. Conversely, it seems unfit for analysing dynamic information systems, which are becoming ever more complex and, once you consider the company within its ecosystem of third parties, effectively unbounded.
HAZOP stands for HAZard and OPerability study; it is a technique for risk management and system examination.
HAZOP is a succession of precise steps based on the identification of systems and subsystems (“nodes”, “lines”). It consists in varying certain keywords related to the functioning of the systems and observing the impact on the actual operating processes. These keyword variations cause “drifts” and therefore risks, the credibility of which must then be examined.
HAZOP was invented by Imperial Chemical Industries, one of the world's largest chemical companies. Its creation dates back to 1965, when the method was devised to help optimise the safety of the company's facilities.