Overview

Security PHA Review for Consequence-Based Cybersecurity presents a practical, process-centric method that uses existing process hazard analysis (PHA) outputs, such as hazard and operability (HAZOP) studies, to determine appropriate cybersecurity requirements for industrial process plants. The objective of the security PHA review (SPR) is to identify process hazard scenarios that could be caused by malicious cyber actions and then either recommend non‑hackable safeguards to remove the cyber vector or assign an appropriate ISA/IEC 62443 security level (SL) to guide cybersecurity design and implementation. This approach emphasizes assessing initiating events, reviewing all safeguards (both cyber and non‑cyber) and evaluating consequences in the context of an organization's risk tolerance criteria. This book explains how SLs apply to security zones and how conduits inherit the highest SL among connected zones and situates SPR within the ISA/IEC 62443 lifecycle. It emphasizes a process‑hazard perspective rather than equipment‑only vulnerability listings, describes practical documentation methods (highlighter annotations, dedicated SPR reports or PHA‑software integration) and highlights common non‑hackable safeguards (such as mechanical relief devices, buckling pins, motor overload relays and external current monitors) that can reduce required SLs when feasible. Written so that process engineers, control systems professionals, IT professionals and cybersecurity specialists can learn to integrate IT security with process-safety practices without unnecessary duplication of effort. It provides practical, implementable methods, centered on the SPR approach, to identify cyber-enabled process hazards and to assess and reduce risk in real industrial settings.

Full Product Details

Author:   Edward M. Marszal (Kenexis; Ohio State University, OH) ,  Jim R. McGlone (Kenexis)
Publisher:   Instrument Society of America
Imprint:   Instrument Society of America
ISBN:  

9781643311173

ISBN 10:   1643311174
Pages:   168
Publication Date:   20 April 2026
Audience:   Professional and scholarly ,  Professional & Vocational
Format:   Paperback
Publisher's Status:   Forthcoming
Availability:   Awaiting stock  

Table of Contents

Foreword ix Preface xi About the Authors xiii Chapter 1 Introduction 1 Brief History of Cyberattacks on ICSs 3 Security Level 5 Zones and Conduits 6 Risk Analysis Methods for Cybersecurity 7 The Security PHA Review Study 9 Benefits of the SPR Study 11 Objectives of this Book 12 Summary 14 Exercises 15 Bibliography 16 Chapter 2 Overview of the ISA/IEC 62443 Series 19 Structure of the ISA/IEC 62443 Series 19 The ISA/IEC 62443 Series Life Cycle and Requirements 21 Requirements for Risk Analysis 23 Summary 23 Exercises 24 Bibliography 24 Chapter 3 Limitations of Cybersecurity Risk Analysis Methods 25 The ISA/IEC 62443 Series Requirements for Risk Assessment 26 Risk Assessment Methods Promulgated by the Cybersecurity Community 28 Cyber PHA/Cyber HAZOP 29 CHAZOP 31 Inherent Problems with Existing Cyber Risk Analysis 31 Lack of Initiating Event 32 Infinite Potential Outcomes 33 Inherent Safety Against Cyberattack Is Not Considered 33 Frequency of Deliberate Attack 34 Summary 34 Exercises 35 Bibliography 37 Chapter 4 Process Hazard Analysis Overview 39 Common PHA Methods 41 Hazards and Operability Studies 43 Process Safety Information 45 Node Definition 45 HAZOP Team 46 Deviation Development 47 Building the Scenario 48 Summary 52 Exercises 53 Bibliography 55 Chapter 5 The SPR Study Process 57 Documenting a SPR 59 The Highlighter Method 59 The SPR Report Document 65 Leveraging PHA Documentation Software 65 Advanced Methods 66 Summary 67 Exercises 67 Bibliography 69 Chapter 6 Non-Hackable Safeguards 71 Pressure Relief Devices 71 Direct-Operated Relief Valve 72 Rupture Discs 72 Buckling Pins 73 Mechanical Overspeed Trips 74Check Valves 74 Non-Return Check Valves 75 Excess Flow Check Valves 76 Motor-Monitoring Devices 76 Motor Overload Relays 77Motor-Current Monitor Relay 77 Instrument-Loop Current Monitor Relay 77Summary 79 Exercises 79 Bibliography 81 Chapter 7 Security PHA Review Examples 83 Vessel Overpressure 84 Thermal Runaway Reaction 86 Pump-Blocked Discharge 92 Tank Reactor Runaway Reaction 94 Summary 98 Exercises 98 Bibliography 99 Chapter 8 Conclusions 101 Appendix A: Acronyms 105 Appendix B: Definitions 109 Appendix C: Sample Risk Tolerance Criteria 111 Appendix D: ISA/IEC 62443 Security Levels 117 Appendix E: Exercise Solutions 139 Index 147

Reviews

Author Information

Edward M. Marszal, Professional Engineer (PE) and ISA84 Safety Instrumented Systems Expert, is the president and chief executive officer of Kenexis. Kenexis is an engineering consultancy dedicated to assisting process industry customers with assessing the risks that are posed by their plant operations and then reducing those risks to a tolerable level by the specification of instrumented safeguards, such as safety instrumented systems (SISs), fire and gas systems (FGSs), critical alarm systems, and cybersecurity. Marszal is a longtime practitioner and pioneer of the techniques and tools associated with technical safety and the performance-based design and implementation of instrumented safeguards. Marszal started his career after receiving a BA in chemical engineering, with an emphasis on process controls and artificial intelligence, from The Ohio State University. After graduating, Marszal took a position with UOP in Des Plaines, Illinois where he worked as an instrumentation and control field advisor, performing functional safety assessments of control systems and safety instrumented systems at customer sites worldwide. At UOP, he designed and managed the development of custom control systems and SIS projects. James McGlone is the chief marketing officer of Kenexis. McGlone has more than 30 years of experience in the development and deployment of many of the embedded control systems used in industrial automation, building automation, Internet of Things (IoT), and cybersecurity. McGlone started his career in the US Navy as an electronics technician and nuclear reactor operator on fast attack submarines. McGlone was on the pre-commissioning crew of two submarines during construction and shakedown, eventually taking the boats to sea as operational platforms. While in the Navy, McGlone acquired computers and began programming in various languages including BASIC, COBOL, and FORTRAN. After 9 years of maintaining and operating nuclear power plants in submarines, McGlone decided to pursue a civilian career as a technical specialist for a Rockwell Automation (Allen-Bradley) distributor in Akron, Ohio where he solved challenging applications for drives and motion control systems and learned to program programmable logic controllers (PLCs).

Tab Content 6

Author Website:  

Countries Available

All regions