krish teaching linkedin ad.png

aeCyberPHA   Facilitation Suite


A Do It Yourself Cyber PHA Package

The aeCyberPHA Facilitation Suite was developed at the request of asset owners who have adopted the cyber PHA methodology and intend to “self-perform”, maintain, and manage cyber PHAs utilizing internal resources.


This toolset codifies aeSolutions’ internal solutions and expertise that have been

refined through the execution of hundreds of successful cyber PHA studies including:

- Risk Assessment Templates

- Company Specific Template Customization

- Integrated Libraries

- Comprehensive Training

- Expert Support and Guidance

Screenshot 2021-03-17 140619.png

Comprehensive Training Includes:

  • Facilitation Suite Training: A comprehensive training to ensure that end-users are comfortable with and get the most value from the template and tools.

  • CyberPHA Training: Instruction, examples, and team exercises led by experienced CyberPHA facilitators on techniques and best practices.

  • PHA-Pro Training: Introductory course for new PHA-Pro users including features, functions, and navigational elements.

How do you assess ICS Cyber Risks? 

Choosing the right method to assess cybersecurity risk can be a challenge and effectively conducting studies can be more challenging still. The cyber PHA methodology is a practical application of the ISA/IEC 62443-3-2 cybersecurity risk assessment requirements. This method links realistic threat scenarios with known vulnerabilities and existing countermeasures and couples that with credible consequences from the PHA to determine cyber risk.    


However, even applying a proven method, like cyber PHA, can lead to sub-par results if the risk assessment team does not have the tools and training needed to conduct the study in an effective and efficient manner. Risk assessment work processes and templates, while seemingly simply, are notoriously difficult to develop and manage. Cybersecurity risk assessments are becoming more common in operational technology (OT) environments, but they are still relatively new to industry. As a result, many OT professionals lack the necessary experience and tools to facilitate and maintain cyber PHAs.


Benefits of aeCyberSolutions' Cyber PHA Suite

The aeCyberPHA Facilitation Suite has been developed by expert facilitators with the needs of the risk assessment team in mind. aeSolutions has utilized the experience and lessons learned from leading hundreds of HAZOP, LOPA, and cyber PHAs studies, as well as developing dozens of custom risk assessment templates to build an ideal toolset and training for cyber PHA teams.

Facilitators and the risk assessment team will recognize and appreciate the:

  • Comprehensive training including: Facilitation Suite Training, Cyber PHA Training, and PHA-Pro Training

  • Efficient format and optimized template structure

  • Intuitive scenario development that is engaging for the team

  • Pre-built drop-down libraries that incorporate common and industry specific threats, vulnerabilities, countermeasures, and recommendations

  • Quick and effective reporting

  • Expert study support and peer review

The entire organization will realize the benefits of:

  • Ownership of the cyber PHA process

  • A method that is fully compliant with and meets the requirements of ISA/IEC:62443-3-2 and ISA/IEC:61511

  • Consistent results within and across studies

  • Fully customizable templates and reports

  • A template based in PHA-Pro, a widely used and well-known risk assessment tool

  • Facilitator mentoring to develop internal competency

  • Bridging the gap between process safety and cybersecurity risk assessment

Contact Us today to discuss an all-in-one package of the tools, training, and guidance needed to successfully lead an ISA/IEC 62443-3-2 compliant risk assessment per the cyber PHA methodology.

Until now asset owners have had to hire consults or develop their own internal tools to conduct cyber PHAs. Using a contractor to conduct the assessments may be the more straightforward option, however, when the project is completed the asset owner typically will not own the files or deeply understand process. Updating these studies can results in expensive maintenance contracts and options to customize the process are typically limited. On the other hand, developing a process from scratch can be a tricky process as ISA/IEC 62443 tells you what to do but not how to do it. Unfortunately, many asset owners have limited practical experience applying risk assessment practices to OT systems.