What is the HAZOP method?
HAZOP is primarily intended for industrial risk analysis. It was developed by the company Imperial Chemical Industries to ensure the safety of procedures.
Definition of HAZOP
“HAZOP” is the acronym for “HAZard and OPerability study”. This tool is primarily used to assess the potential risks related to industrial activities.
This method is thoroughly described in standard IEC 61882. It also has similarities with the FMEA method, Failure Modes and Effects Analysis. HAZOP is designed to identify risks of all kinds: material, procedural or human. FMEA, for its part, focuses on revealing systemic failures and identifying cause-failure-consequence combinations. These two methods are complementary in the fight against cyber risks.
Who should perform a HAZard and OPerability study?
HAZOP is intended for the oil, pharmaceutical and chemical industries as a process risk analysis. The cyber risk assessment of these structures has historically relied on methods such as MEHARI (MEthod for the Harmonised Analysis of RIsk), or EBIOS (Expression of Needs and Identification of Security Objectives).
HAZOP can also be adapted to the field of industrial IT security. It facilitates the identification of unsuspected, yet probable, cyber risks, and helps to detect the risk of commercial losses from cybersecurity flaws capable of stopping industrial production.
In the article Global cybersecurity in the manufacturing industry, the various cyber risks that weigh on the IT operations of industrial organisations are presented. In some of those risk scenarios, the criminals may be motivated by financial gain, as is the case with ransomware. Other scenarios also depict an attempt at unfair competition. In rare instances, the cyber attack comes from a state organisation with terrorist or military objectives.
This same article also enumerates a significant number of cyberattacks on industrial structures, including:
- Intellectual property theft
- Data modification of customer specifications prior to manufacturing
- Loss of productivity because of the downtime
- Malware compromising integrity of the production processes
- Alteration of products and loss of reliability
How can this analysis tool be useful?
HAZOP was originally designed to analyze chemical and industrial processes. It assesses the safety of temperature-monitoring facilities and of flow and pressure systems, among others. Potential dangers are discovered by matching “keywords” representing an unusual situation (for example “more pressure” or “less flow”) with the usual operating parameters.
This approach sheds light on unknown and unexpected causes of risk. It also assesses the effectiveness of the risk prevention measures already in place.
The great advantage of this tool is also its comprehensiveness. As part of a risk management strategy that anticipates cybersecurity risks, it is a good support for synthesizing and keeping a structured and detailed track of cyber risks at any given time.
How does HAZOP apply to cybersecurity?
In the context of a cyber risk analysis, HAZOP needs to be adjusted. HAZOP usually calls for the meeting of “task forces” competent in the field of the physical processes of the company.
For an efficient cybersecurity strategy, it is advised to associate cybersecurity experts with these professionals. The study then follows four steps:
1 / Preparation of HAZOP analysis: HAZard and Operability study
The company decides on which subsystems must be subject to a cyber risk assessment. In HAZOP language, such subsystems are referred to as “nodes” or “lines”.
In IT, a system is made up of:
- equipment such as servers, networks or workstations
- information, and in particular sensitive data
- actors involved in the process
- data exchange flows
2 / Generation of potential deviations
HAZOP is distinctive in that it confronts “keywords” standing for potential problems with the usual operating parameters of the systems. In the industrial sector, these keywords are usually related to pressure, time or flow. When it comes to cybersecurity, however, HAZOP focuses on other criteria, such as the availability of systems and the confidentiality, integrity and availability of data (the CIA triad).
Confronting those risks with the normal operation of the information systems then leads the work team to pin down potential deviations. In cybersecurity, what sets HAZOP apart is that it takes into account failures due to malicious acts, and not only human errors or vulnerabilities.
The task force then lists all possible deviations resulting from the combination of parameters / keywords, to proceed to the analysis of the causes and potential consequences of the deviations.
3 / Identification of the causes and consequences of the deviations
Once the list of potential risks has been drawn up, your task force first needs to assess their likelihood of occurrence, then their impact. The main objective is to assess the impact of a risk on a system, according to criteria that vary from one company to another. This impact may take the form of damage on the user’s end, or of damage to the organization’s reputation, sales or financial results.
Many methods are not prescriptive enough and often allow the task force members in charge of risk assessment to build their grids on nominal scales of the low/average/high type, for both likelihood of occurrence and severity of impact. This brings limitations, for instance when equivalent weights are attributed to the different risk factors: high probability × low impact equates to low probability × high impact (cf: ). Unfortunately, as documented in ISO 27005 section 8.3 and annexes, those limitations are common to all methods relying on nominal or even ordinal scales.
The HAZOP method is based on the principle of exhaustiveness. The risk assessment team will therefore have to generate all the probable failures, for each “node” of each system. It has to target what is called “risk exhaustion”. Because it aims at exhaustiveness, HAZOP applies quite poorly to big structures, unless you consider expending a great deal of effort on this matter.
The biggest companies, particularly when it comes to assessing risks on extremely complex information systems, benefit more from methods which focus on what is likely to happen rather than on whatever could happen. A good example is the VaR (Value at Risk) method, which focuses primarily on the nodes critical to the structure and to its ability to create value. This kind of approach also leaves room for statistical data and quantitative scales, which are more rigorous and on which you can base useful comparisons.
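The deviation generation of step 2 and the grid limitation raised in step 3, as an added Python example (not part of the original article and not taken from IEC 61882): it builds worksheet rows from parameter/guide-word combinations, then reports deviations that a low/average/high grid scores identically. The node names, the MEANINGFUL filter, the cause classes and the ratings are constructed assumptions.

```python
from collections import defaultdict
from itertools import product

# Parameters named in the text; guide words are a subset of those in IEC 61882.
PARAMETERS = ["availability", "confidentiality", "integrity"]
GUIDE_WORDS = ["NO", "MORE", "LESS", "PART OF", "OTHER THAN", "LATE"]
# Assumption: guide-word/parameter pairs the task force keeps as meaningful.
MEANINGFUL = {
    "availability": {"NO", "LESS", "LATE"},
    "confidentiality": {"NO", "LESS"},
    "integrity": {"NO", "PART OF", "OTHER THAN"},
}
# Cause classes examined per deviation; the cyber variant adds malicious acts.
CAUSE_CLASSES = ("malicious act", "human error", "vulnerability")
SCALE = {"low": 1, "average": 2, "high": 3}  # nominal grid described in step 3

def generate_deviations(nodes):
    """One worksheet row per node x parameter x guide word x cause class."""
    rows = []
    for node, param, word, cause in product(nodes, PARAMETERS, GUIDE_WORDS, CAUSE_CLASSES):
        if word in MEANINGFUL[param]:
            rows.append({"node": node, "deviation": f"{word} {param}", "cause": cause})
    return rows

def grid_collisions(rated):
    """Group rated deviations whose likelihood x impact score is equal
    although the underlying (likelihood, impact) pairs differ."""
    by_score = defaultdict(set)
    for name, likelihood, impact in rated:
        by_score[SCALE[likelihood] * SCALE[impact]].add((name, likelihood, impact))
    return {score: sorted(items) for score, items in by_score.items()
            if len({(lik, imp) for _, lik, imp in items}) > 1}

# Constructed nodes: one per element type listed in step 1.
NODES = ["historian server", "customer specification file",
         "maintenance operator", "PLC-to-SCADA flow"]
# Constructed ratings, for illustration only.
RATED = [
    ("NO availability @ historian server", "high", "low"),
    ("OTHER THAN integrity @ customer specification file", "low", "high"),
    ("LESS confidentiality @ PLC-to-SCADA flow", "average", "average"),
]

if __name__ == "__main__":
    sheet = generate_deviations(NODES)
    print(len(sheet), "rows for", len(NODES), "nodes")
    for score, items in grid_collisions(RATED).items():
        print("score", score, "->", [name for name, _, _ in items])
```

The row count grows linearly with the number of nodes, which is the effort problem the text raises for large structures.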
4 / Organization of preventive measures and recommendations
Then, the task force has to suggest new tools for cyber risk detection and prevention. These may be organizational measures aimed at staff training, or establishing a technology intelligence strategy. The most often adopted prevention processes fall under technical prevention: antivirus and firewalls, as well as business software dedicated to monitoring IT systems and detecting cybersecurity vulnerabilities.
In the industrial sector, the process also gives rise to material prevention measures, such as physical barrier devices which reduce the technical consequences of a cyberattack. These may for example be a retention basin or safety valves. Manufacturers also rely on cyberattack detection probes to spot the dangers threatening the control system.
Advantages and disadvantages of HAZOP in risk analysis?
The strength of HAZOP lies in its ability to highlight failures that no one had thought of. It is useful when no hazardous event has occurred prior to the analysis, but as a result, it also requires a good amount of anticipation of everything that is likely to happen.
It is also a very rigorous method, as it brings together multidisciplinary teams. HAZOP, applied to cybersecurity, further enables the centralisation of analysis, rather than diluting efforts into several different methods.
The drawbacks of HAZOP lie in cross-referencing the results:
- it does not necessarily help to measure the consequences of the combination of deviations
- it only identifies one cause for each deviation
- it is no exception to the rule: every method based on nominal and ordinal scales suffers from the same flaws
- it is very time-consuming for the teams.
To conclude, this “exhaustive” and weighty approach applies to complex but finite and delimited industrial environments. Conversely, it seems unfit for analyzing dynamic information systems because those are becoming more and more complex and without limit – if you consider the company within its ecosystem of third parties.
Cyber Risk Management using FAIR™
While HAZOP does include methods for identifying certain cybersecurity risks, it was developed specifically for industrial processes. The FAIR™ Body of Knowledge is the only international standard quantitative model for information security and operational risk. It complements cybersecurity frameworks like NIST CSF or EBIOS by informing quantitative risk assessments using the FAIR™ methodology and taxonomy.
Jumpstarting a quantitative risk approach to cyber risk management can be simplified with the support of CRQ experts to scope your risk scenarios, identify your critical assets, and perform your initial quantified risk assessments. C-Risk works with CISOs in every industry to operationalize their CRQ assessments with a goal of improving the allocation of resources, communicating with executive leadership and mitigating cyber risk across an organization.
FAQ: HAZOP
What does HAZOP mean?
HAZOP stands for HAZard and OPerability study. It is a technique for risk management and system examination.
How to carry out a HAZOP study?
HAZOP is a succession of precise steps based on the identification of systems and subsystems (“nodes”, “lines”). It consists of varying certain keywords related to the functioning of the systems to observe their impact on the actual operating processes. These variations of keywords cause deviations and therefore risks, the likelihood of which must be examined.
Where does HAZOP come from?
HAZOP is an invention of Imperial Chemical Industries, one of the world's largest chemical companies. Its creation dates back to 1965, when the method was created to help optimise the safety of the company’s facilities.