Abstract
Cyberattacks targeting the process industry have become increasingly prevalent in recent years. The ISA TR84.00.09 standard and the CCPS guidelines propose methodologies for conducting process risk assessments against cyberattacks on process facilities, such as attacks on the Basic Process Control System (BPCS) and the Safety Instrumented System (SIS), to ensure robust functional requirement management throughout the plant lifecycle. However, hazard identification and risk assessment techniques addressing process incidents triggered by cyberattacks remain largely unstandardized. Contemporary cybersecurity (CS) risk assessments predominantly focus on general Information Technology (IT) risks within business contexts. A notable contributing factor is the persistent misalignment between IT and Operational Technology (OT), including Process Safety (PS). OT professionals often regard CS as the responsibility of IT personnel, while IT teams typically lack familiarity with OT systems. Consequently, integrated IT-OT risk assessments are not widely implemented. This study explores an effective framework and methodology for conducting CS risk assessments specific to process incidents. The research utilizes a typical LNG plant model as the basis for a detailed CS risk assessment. The findings reveal several potential pathways for cyberattacks that could lead to major process incidents, underscoring the criticality of inherent safety measures and effective coordination between CS and PS disciplines. The CS risk assessment framework and procedural guidance detailed in this study are anticipated to significantly enhance the effectiveness of CS risk evaluations and the precise definition of functional requirements to mitigate cybersecurity risks.
