ICS Cybersecurity Risk Screening 

Expose the potential magnitude of cyber risk

A consequence-based cybersecurity risk screening methodology, performed following the ISA/IEC 62443-3-2 initial risk assessment requirement (ZCR 2), identifies the cyber-vulnerable risk scenarios found in an existing process safety study (e.g., PHA, LOPA, or HAZOP). The study’s original risk ranking is adjusted to show the modified risk should the industrial control system (ICS) or safety instrumented system (SIS) be compromised due to a cybersecurity threat. The results expose the potential magnitude of cyber risk to operations, assist with the prioritization of detailed risk assessments, and facilitate the grouping of assets into zones and conduits.

 

The potential cybersecurity risk identified by this method represents a high-level, worst-case (unmitigated) exposure. It does not account for the actual control system architecture or any cybersecurity countermeasures (e.g., network segmentation, access controls) in place in IT and OT networks. Actual cyber risk is determined by a combination of threats, vulnerabilities, and consequences, and establishing it requires a detailed ICS cyber risk assessment such as an aeCyberPHA®.


Why perform a cyber risk screening?

  • Helps management allocate budgets and resources appropriately. 

  • Compliance with industry standards and best practices (e.g. ISA/IEC 62443) 

  • Process safety studies, such as PHA, LOPA, and HAZOP, typically do not take cyber threats and impacts into account, so management is not fully informed on the risk to operations.

  • Assists the organization in gaining a high-level understanding of the worst-case risk to operations should the industrial control systems (ICSs) be compromised.  

  • This assessment assists with the prioritization of detailed risk assessments and facilitates the grouping of assets into zones and conduits. 

“Process safety studies typically do not take cyber threats and impacts into account and that leaves management with a blind spot in not fully being informed on the risk to operations”

 

“Our new screening service leverages existing process safety hazard studies, if available, or helps to generate realistic operational consequence scenarios. These scenarios provide a proven starting point for cyber process hazards analysis (CyberPHA) and ensure compliance with industry standards and best practices.”

John Cusimano

Vice President of Industrial Cybersecurity

aeSolutions

Benefits of performing a screening

  • Meets the ISA/IEC 62443-3-2 requirement to perform a high-level cybersecurity risk assessment

  • Leverages existing process safety hazard studies and validated consequence scenarios 

  • Delivers a relative score to prioritize further assessments between multiple sites  

  • Realistic worst-case scenarios provide justification for a detailed cyber PHA assessment 

  • Starting point for cyber PHA 

Contact us today to discuss performing consequence-based, initial cybersecurity risk screenings to expose the potential magnitude of cyber risk to your operations in the event of a cyber incident and to help you determine if a detailed cybersecurity risk assessment is required.
