In our last post, we looked at three tools you may already use to help provide a safely functioning system at the front end – HAZOP, HAZID, and FMECA – and recommended their use for CyberSecurity. In this post, we’ll take a look at how to use HAZOPs to address CyberSecurity.
First, here is an overview of the HAZOP methodology:
Here is our recommended approach to addressing CyberSecurity within each phase of the HAZOP:
- In the Definition Phase:
- Within Scope and Objectives define:
- System Network Topology including all access points
- External Users including contractor access, application access, classes of users
- Internal Users including application access, classes of users
- Within Responsibilities define:
- Access policies
- User responsibilities
- Management of Change Policy
- Within the Team include at least one CyberSecurity subject matter expert (SME)
- Within Scope and Objectives define:
- In the Preparation Phase include:
- Within the Plan include keywords related to CyberSecurity; e.g. “more secure”, “less secure”, “access”
- Within Data Collection include:
- Formats for operational access logs
- Current activity logs for existing or “as like” assets
- Typical network traffic
- Within Estimate the Time include at a minimum 4 hours focused on CyberSecurity
- In the Examination Phase include:
- For each system part defined, ensure the design intent includes CyberSecurity
- For the remainder of the HAZOP follow each of the Examination Phase activities
- “Identify possible remedial/mitigating measures” is NOT optional. It is essential that CyberSecurity measures are identified and included during the design phase of any project.
- In the Documentation and Follow-Up Phase include:
- Ensure there are specific CyberSecurity actions
- Record and monitor any CyberSecurity action items and risks identified in the HAZOP
That’s it for recognizing CyberSecurity in your HAZOP. Next, we’ll look at putting CyberSecurity into your HAZID.
Read the blog entries on our website – www.athensgroupservices.com, join our LinkedIn Group, and subscribe to our newsletter.