ICS Cybersecurity Risk Screening
Expose the potential magnitude of cyber risk
A consequence-based cybersecurity risk screening methodology, performed following the ISA/IEC 62443-3-2 initial risk assessment requirement (ZCR 2), identifies the cyber-vulnerable risk scenarios found in an existing process safety study (e.g., PHA, LOPA, or HAZOP). The study’s original risk ranking is adjusted to show the modified risk should the industrial control system (ICS) or safety instrumented system (SIS) be compromised due to a cybersecurity threat. The results expose the potential magnitude of cyber risk to operations, assist with the prioritization of detailed risk assessments, and facilitate the grouping of assets into zones and conduits.
The potential cybersecurity risk identified by this method represents a high-level, worst-case (unmitigated) exposure. It does not account for the actual control system architecture or any cybersecurity countermeasures (e.g., network segmentation and access controls) in place in IT and OT networks. Actual cyber risk is determined by a combination of threats, vulnerabilities, and consequences, and determining it requires a detailed ICS cyber risk assessment such as an aeCyberPHA®.
Why perform a cyber risk screening?
Helps management allocate budgets and resources appropriately.
Compliance with industry standards and best practices (e.g., ISA/IEC 62443).
Process safety studies, such as PHA, LOPA, and HAZOP, typically do not take cyber threats and impacts into account, which leaves management not fully informed of the risk to operations.
Assists the organization in gaining a high-level understanding of the worst-case risk to operations should the industrial control systems (ICSs) be compromised.
This assessment assists with the prioritization of detailed risk assessments and facilitates the grouping of assets into zones and conduits.
“Process safety studies typically do not take cyber threats and impacts into account and that leaves management with a blind spot in not fully being informed on the risk to operations.
“Our new screening service leverages existing process safety hazard studies, if available, or helps to generate realistic operational consequence scenarios. These scenarios provide a proven starting point for cyber process hazards analysis (CyberPHA) and ensure compliance with industry standards and best practices.”
Vice President of Industrial Cybersecurity
Benefits of performing a screening
Meets the ISA/IEC 62443-3-2 requirement to perform a high-level cybersecurity risk assessment
Leverages existing process safety hazard studies and validated consequence scenarios
Delivers a relative score to prioritize further assessments between multiple sites
Realistic worst-case scenarios provide justification for a detailed cyber PHA assessment
Starting point for cyber PHA
Contact us today to discuss performing consequence-based, initial cybersecurity risk screenings that expose the potential magnitude of cyber risk to your operations in the event of a cyber incident and help you determine whether a detailed cybersecurity risk assessment is required.