The benefits of visualizing CyberPHAs using Bowtie Diagrams

Process hazard analyses (PHA) are used to evaluate hazards associated with industrial processes. Performing such studies is mandated in the US by the process safety management regulation. CyberPHA is a similar methodology to conduct a security risk assessment for a control or safety system. The methodology aligns with ISA/IEC 62443-3-2, a recently published standard on “Security Risk Assessment for System Design”.

The results of a CyberPHA look very much like a hazard and operability (HAZOP) worksheet. They are usually presented in a tabular format and contain a large amount of information. Unfortunately, the tabular format can be difficult to interpret by those not familiar with CyberPHAs. Figure 1 is an example.


Figure 1: Sample of a CyberPHA table

Bowtie diagrams are a graphical way to depict pathways from the cause, the top event, and the consequence. The diagram—which resembles a man’s bowtie—graphically shows the progression of events. It depicts the different causes and consequences of an event, and the different prevention and mitigation controls that are in place to reduce the risk. Figure 2 is an example.

Figure 2: Example of CyberPHA Results Illustrated in a Bowtie Diagram


It is possible to take high risk scenarios and show the before (with no barriers or controls in place) and after (with existing and recommended barriers) snapshots for comparison.

Bowtie diagrams provide a more graphical and intuitive representation of complex risk assessments compared to a CyberPHA table, making them more easily comprehended by stakeholders and management than mere tables. Fortunately, minimal effort is needed to generate Bowties from existing CyberPHA results, as automated tools are available. Even better, Bowtie templates can be created for more common scenarios, and libraries can be created to help drive efficiency.


To read the full paper and learn more about the benefits of visualizing CyberPHAs using Bowties, click here.

By John Cusimano

VP of Industrial Cybersecurity