CyberSecurity: Use the Tools You Have – HAZID

March 28, 2019

In our last two posts, we looked at three tools you already use to help provide a safely functioning system at the front end – HAZOP, HAZID, and FMECA – and recommended their use for CyberSecurity. In our most recent post, we looked specifically at utilizing HAZOPs for CyberSecurity. In this post, we’ll take a look at HAZIDs for the same purpose. 

First, here is an overview of the HAZID methodology:

The HAZID can build on the HAZOP (if one was completed) or can be utilized on a standalone basis.

In order to accommodate CyberSecurity in our HAZID, we need to add the following elements:

  1. In the Preparatory Step:
    1. Within Objectives, define:
      1. System Network Topology including all access points
      2. External Users including contractor access, application access, classes of users
      3. Internal Users including application access, classes of users.
    2. Within Operations, define:
      1. Access policies
      2. User responsibilities
      3. Management of Change Policy
    3. In the Systems, include Data Collection:
      1. Formats for operational access logs
      2. Current activity logs for existing or “as like” assets
      3. Typical network traffic
    4. Within the Team, include at least one CyberSecurity subject matter expert (SME)
  2. In Hazard Identification, include:
    1. Unauthorized access (malicious or accidental)
    2. Misuse of information (or privilege) by an authorized user
    3. Data leakage or unintentional exposure of information
    4. Loss of data
    5. Disruption of service or productivity
    6. Other specific hazards based on regulatory environment, geographic region, asset characteristics
  3. In Scenario Definition, include:
    1. Organizational Risk Management
    2. User Provisioning
    3. Administration
    4. User Authentication
    5. Infrastructure Data Protection
    6. Data Center Physical & Environmental Security
    7. Continuity of Operations
  4. In Cause and Frequency Analysis, understand the latest attacks and their regimes:
    1. 3 billion Yahoo accounts were hacked in 2016, one of the biggest breaches ever. (Oath.com) 
    2. Uber reported in 2016 that hackers stole the information on over 57 million drivers and riders. (Uber)
    3. 412 million subscriber accounts were stolen from Friendfinder’s sites in 2017. (LeakedSource)
    4. 148 million consumers were impacted by the 2017 Equifax Breach. (Equifax)
    5. According to recent statistics, there are over 130 targeted, large-scale breaches in the U.S. per year, a number that is growing by 27 percent annually. (Accenture)
    6. Thirty-one percent of organizations have experienced cyber-attacks on operational technology infrastructure. (Cisco)
    7. There are an estimated 24,000 malicious mobile apps blocked on a daily basis. (Symantec)
    8. The average number of breached records by country was 24k in 2017. The country with the most breaches was India with over 33k records; the US had over 28k. (Ponemon Institute’s 2017 Cost of Data Breach Study)
  5. In Consequences Analysis include:
    1. Security breach or attack
    2. Lose or compromise your customers’ data
    3. Employees’ data at risk
    4. DDoS (Distributed Denial of Service) attack
    5. Monetary loss
    6. Violation of laws, regulations
    7. Intellectual property or trade secrets at risk
    8. Hit with a virus/ransomware
    9. Damaging downtime
    10. Reputational damage
    11. Physical data loss
  6. In Options to Decrease Frequencies include:
    1. Reduce the network target area
    2. Modify network topology
  7. In Options to Mitigate Consequences include:
    1. Safe, virus free backups
    2. Isolated backup systems
    3. Insurance
  8. In Cost Benefit Assessment understand and translate these costs to your organization:
    1. Global average cost of a data breach is $3.86 million
    2. The average cost, globally, for each lost or stolen record containing sensitive and confidential information is $148 per record. 
    3. US is leading in the most data breaches, with an average cost of $7.91 million. 
    4. Canada has a $4.74 million average cost for data breaches, and Germany is $4.67 million.
    5. The countries with the smallest average cost were Brazil ($1.24 million) and India ($1.77 million).
    6. Mean time companies took to identify their breaches was 197 days. 
    7. Companies that contained their breach within 30 days ended up saving over $1 million vs. those that took over 30 days to resolve the situation.
    8. Average cost to deploy security automation is $2.88 million. 
    9. Without cybersecurity solutions, a company could risk up to $4.43 million in breach costs.

That’s it for recognizing CyberSecurity in your HAZID. Next, we’ll look at putting CyberSecurity into your FMECA.

Read the blog entries on our website – www.athensgroupservices.com, join our LinkedIn Group, and subscribe to our newsletter.
