Lesson 3F – Hazard Analysis

This lesson explains hazard analysis, a technique often employed in the process industries, to understand and mitigate process risk. Hazard analyses can provide critical input for cybersecurity risk management.

Learning Objectives
  • Explain why hazard analysis can be useful to cybersecurity risk management, particularly in process industries
  • Recognize PHA, What-If, and HAZOP reports
  • Apply PHA, What-If, and HAZOP to analyze hazards
  • Choose the appropriate hazard analysis technique given goals and resource constraints
Files
Lesson 3F – Hazard Analysis Lesson Plan
CPI_Module3_Lesson3F_Presentation.pptx
Laboratory Exercise 3F – Hazard Analysis with PHA/What-If and HAZOP

Log In
to download materials

* NICE Cybersecurity Workforce Framework KSAs Addressed
  • K0002: * Knowledge of risk management processes (e.g., methods for assessing and mitigating risk).
  • K0008: Knowledge of applicable business processes and operations of customer organizations.
  • K0048: Knowledge of Risk Management Framework (RMF) requirements.
  • K0053: Knowledge of measures or indicators of system performance and availability.
  • K0084: Knowledge of structured analysis principles and methods.
  • K0146: Knowledge of the organization's core business/mission processes.
  • K0149: Knowledge of organization's risk tolerance and/or risk management approach.
  • K0150: Knowledge of enterprise incident response program, roles, and responsibilities.
  • K0169: Knowledge of information technology (IT) supply chain security and risk management policies, requirements, and procedures.
  • K0437: Knowledge of general SCADA system components.
  • K0612: Knowledge of what constitutes a “threat” to a network.
  • S0027: Skill in determining how a security system should work (including its resilience and dependability capabilities) and how changes in conditions, operations, or the environment will affect these outcomes.
  • S0034: Skill in discerning the protection needs (i.e., security controls) of information systems and networks.
  • S0038: Skill in identifying measures or indicators of system performance and the actions needed to improve or correct performance, relative to the goals of the system
  • S0085: Skill in conducting audits or reviews of technical systems.
  • S0256: Skill in providing understanding of target or threat systems through the identification and link analysis of physical, functional, or behavioral relationships.
  • S0359: Skill to use critical thinking to analyze organizational patterns and relationships.
  • A0040: Ability to translate data and test results into evaluative conclusions.
  • A0106: Ability to think critically.
  • A0118: Ability to understand technology, management, and leadership issues related to organization processes and problem solving.
  • A0119: Ability to understand the basic concepts and issues related to cyber and its organizational impact.
* NSA/DHS Center of Excellence (CAE) KUs Addressed
  • Policy, Legal, Ethics, and Compliance,Core
  • Industrial Control Systems

* Most courseware content maps to NIST NICE Cybersecurity Workforce Framework (NCWF) Knowledge, Skills, and Abilities (KSAs) and/or NSA/DHS CAE Knowledge Units (KUs). For more information on KSAs and KUs, please visit:

KSAs: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-181.pdf

KUs: https://www.iad.gov/NIETP/documents/Requirements/CAE-CD_Knowledge_Units.pdf