Why Cybersecurity Belongs in Engineering Hazard Analysis

Engineering systems have evolved from purely mechanical or electrical designs into deeply interconnected cyber-physical systems. Power grids, automated manufacturing lines, autonomous vehicles, medical devices, and water treatment facilities all rely on digital controllers, communication protocols, and remote monitoring. This convergence creates new vulnerabilities: a cyber attack that compromises the integrity of a sensor reading, the availability of a critical control loop, or the confidentiality of operational data can cascade into physical damage, environmental harm, or loss of life. Traditional hazard analysis, which has historically focused on hardware failures, operator errors, and environmental factors, must now systematically incorporate cybersecurity risks.

The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) regularly reports incidents where industrial control systems (ICS) in critical infrastructure sectors have been targeted. The 2015 Ukrainian power grid attack, the 2017 Triton malware that disabled safety instrumented systems at a petrochemical facility, and the 2021 Colonial Pipeline ransomware disruption are stark reminders that cyber incidents can produce physical consequences. These events demonstrate that cybersecurity is no longer an IT concern—it is a safety and reliability imperative. Integrating cybersecurity into hazard analysis ensures that protection measures are designed into the system from the start, rather than added as an afterthought.

For engineering organizations, embedding cybersecurity in hazard analysis also helps meet regulatory requirements and industry standards. Frameworks such as NIST’s Cybersecurity Framework, the IEC 62443 series for industrial automation and control systems, and ISA/IEC 62443-3-2 specifically address the integration of cybersecurity risk assessment with safety lifecycle processes. Adopting these standards early in the design phase reduces costly retrofits and strengthens the overall resilience of the engineered system.

From Traditional Hazard Analysis to Cyber-Inclusive Risk Assessment

Traditional hazard analysis methods—such as Hazard and Operability Study (HAZOP), Failure Mode and Effects Analysis (FMEA), and Fault Tree Analysis (FTA)—were developed in an era before widespread digital control. These methods assume that failures originate from physical degradation, design flaws, or human error. They do not naturally account for malicious actors, software vulnerabilities, or the unpredictable propagation of cyber-attacks through networked components.

To bridge this gap, engineers now augment classic techniques with cybersecurity-specific perspectives. For example, a HAZOP for a chemical reactor might include guide words such as “cyber denial of service” or “spoofed sensor data” alongside the usual “more flow” or “no pressure.” Similarly, FMEA can be extended to consider failure modes introduced by compromised firmware or corrupted communication packets. The goal is to identify, for each safety-critical function, how a cyber-event could disable, misdirect, or degrade that function.

Cyber-Hazard Analysis Process Overview

  1. Asset Inventory and Categorization: List all hardware components (PLCs, RTUs, smart sensors, actuators, gateways) and software assets (HMI applications, databases, firmware). Classify them based on safety-criticality, connectivity, and data sensitivity.
  2. Threat Modeling: Identify threat actors (nation-states, cybercriminals, insiders, hacktivists) and their capabilities. Determine plausible attack vectors: network exploitation, phishing, supply chain compromise, physical intrusion into control panels.
  3. Vulnerability Scanning and Analysis: Use tools and penetration testing to find weak passwords, unpatched software, insecure protocols, or improper network segmentation. Document each vulnerability’s severity using CVSS or similar scoring.
  4. Cyber-Physical Consequence Mapping: Link each cyber-threat scenario to potential physical hazards. For instance, a man-in-the-middle attack on a pressure transmitter could cause a vessel rupture; a ransomware attack on a building management system could disable fire suppression.
  5. Risk Calculation and Prioritization: Calculate risk as a function of likelihood and consequence. Prioritize scenarios that could lead to catastrophic or severe safety outcomes.
  6. Mitigation Design: Select controls from cybersecurity standards (firewalls, intrusion detection, access control, encryption) combined with safety measures (hardware backup, manual override, fail-safe mechanical stops). Ensure that cybersecurity controls do not interfere with safety functions.
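The following is an added example, not part of the original article and not drawn from any standard or vendor tool. It turns the six-step process above, together with the cyber guide words suggested for a HAZOP in the previous section, into a small, runnable cyber-hazard register in Python: assets are categorized by safety-criticality and network exposure (step 1), each threat scenario carries a cyber guide word and the physical consequence it maps to (steps 2 and 4), risk is computed as likelihood times severity with exposure raising likelihood one step (step 5), and proposed mitigations are checked for the conflict called out in step 6, a security control that could block safety traffic. All asset names, scenario identifiers, scores and mitigation descriptions are constructed for illustration.

```python
"""Cyber-hazard register: assets -> threat scenarios -> physical consequences.

Added example (not from the article, any standard, or any tool).  Every
asset, scenario, score and mitigation below is a constructed illustration.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Likelihood(IntEnum):
    RARE = 1
    UNLIKELY = 2
    POSSIBLE = 3
    LIKELY = 4


class Severity(IntEnum):
    NEGLIGIBLE = 1
    MARGINAL = 2
    SEVERE = 3
    CATASTROPHIC = 4


@dataclass
class Asset:
    name: str
    kind: str                # PLC, RTU, sensor, HMI, historian, ...
    safety_critical: bool    # part of a safety-critical function
    network_exposed: bool    # reachable from outside its control zone


@dataclass
class Mitigation:
    name: str
    domain: str                     # "security" or "safety"
    may_block_safety_traffic: bool  # could interfere with a safety function


@dataclass
class Scenario:
    sid: str
    asset: Asset
    guide_word: str          # cyber HAZOP guide word
    deviation: str           # effect on the process variable or function
    physical_consequence: str
    likelihood: Likelihood   # base likelihood before exposure adjustment
    severity: Severity
    mitigations: list = field(default_factory=list)


def effective_likelihood(s: Scenario) -> int:
    """Network-exposed assets get one likelihood step added (capped at LIKELY)."""
    base = int(s.likelihood)
    return min(int(Likelihood.LIKELY), base + 1) if s.asset.network_exposed else base


def risk_score(s: Scenario) -> int:
    """Risk = likelihood x consequence severity (4x4 matrix, range 1..16)."""
    return effective_likelihood(s) * int(s.severity)


def risk_band(score: int) -> str:
    """Map a matrix score onto the tolerability bands used for prioritization."""
    if score >= 12:
        return "intolerable"
    if score >= 6:
        return "undesirable"
    if score >= 3:
        return "tolerable"
    return "acceptable"


def prioritize(scenarios: list) -> list:
    """Return (sid, score, band) tuples, worst first; ties broken by severity."""
    ranked = sorted(scenarios, key=lambda s: (risk_score(s), int(s.severity)), reverse=True)
    return [(s.sid, risk_score(s), risk_band(risk_score(s))) for s in ranked]


def mitigation_conflicts(scenarios: list) -> list:
    """Flag security controls on safety-critical assets that could block safety traffic."""
    return [(s.sid, m.name) for s in scenarios for m in s.mitigations
            if s.asset.safety_critical and m.domain == "security" and m.may_block_safety_traffic]


def build_register() -> list:
    """Constructed sample register for a small process unit."""
    pt101 = Asset("PT-101", "sensor", safety_critical=True, network_exposed=True)
    bms01 = Asset("BMS-01", "HMI", safety_critical=True, network_exposed=True)
    plc7 = Asset("PLC-7", "PLC", safety_critical=True, network_exposed=False)
    hist = Asset("HIST-02", "historian", safety_critical=False, network_exposed=True)
    return [
        Scenario("S1", pt101, "spoofed sensor data",
                 "reported pressure held at normal while actual pressure rises",
                 "vessel overpressure and rupture", Likelihood.POSSIBLE, Severity.CATASTROPHIC,
                 [Mitigation("authenticated fieldbus messages", "security", False),
                  Mitigation("independent mechanical relief valve", "safety", False)]),
        Scenario("S2", bms01, "cyber denial of service",
                 "ransomware encrypts the building management server",
                 "fire suppression unavailable", Likelihood.POSSIBLE, Severity.SEVERE,
                 [Mitigation("offline backups and restore drill", "security", False)]),
        Scenario("S3", plc7, "corrupted firmware",
                 "interlock logic silently altered", "pump runs dry and overheats",
                 Likelihood.UNLIKELY, Severity.SEVERE,
                 [Mitigation("inline firewall on safety network", "security", True)]),
        Scenario("S4", hist, "data exfiltration",
                 "setpoints and alarm thresholds copied out", "none directly; enables later attacks",
                 Likelihood.LIKELY, Severity.NEGLIGIBLE, []),
    ]


if __name__ == "__main__":
    register = build_register()
    for sid, score, band in prioritize(register):
        print(f"{sid}: score={score:2d} band={band}")
    print("mitigation conflicts:", mitigation_conflicts(register))
```

The exposure adjustment and the band thresholds are deliberately simple placeholders; a real register would take its likelihood and severity scales from the organization's risk matrix and its bands from the applicable standard. The conflict check is the part worth keeping: it makes step 6's requirement ("cybersecurity controls do not interfere with safety functions") a property the register can test rather than a reminder in a procedure document.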

Deep Dive: Key Cybersecurity Hazards in Engineering Systems

Integrity Attacks on Sensor or Control Data

One of the most dangerous cyber risks is the intentional corruption of data flowing between sensors, controllers, and actuators. If an attacker alters a sensor reading to show a safe state while the actual process is becoming hazardous, operators lose the ability to detect and react to abnormal conditions. In 2000, an Australian disgruntled employee used a radio transmitter to manipulate the control system of a sewage treatment plant, releasing millions of liters of untreated waste into waterways—a classic integrity attack with environmental and public health consequences.
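As an added example (not from the article or any vendor product), the Python below shows the defensive side of the integrity attack just described: independent plausibility checks a controller or monitoring system can run on a pressure transmitter's readings so that a value frozen at a "safe" level, or one that diverges from a redundant channel or from the physically possible rate of change, raises an alert. The sample traces, thresholds and tag names are constructed for illustration; in a real deployment the rate limit and disagreement tolerance come from the process dynamics and the transmitters' accuracy specifications.

```python
"""Plausibility checks for sensor-data integrity.

Added example; all traces, thresholds and tag names are constructed.
Three independent checks run over each sample of a primary transmitter:
  - rate_of_change:     the value moved faster than the process physically can
  - redundant_mismatch: the primary disagrees with an independent redundant channel
  - frozen_value:       the primary is flat while the redundant channel is moving
"""
from dataclasses import dataclass


@dataclass
class Sample:
    t: int            # seconds
    primary: float    # reading from the transmitter on the network (may be spoofed)
    redundant: float  # reading from an independent, separately wired channel


def make_trace(primary: list, redundant: list) -> list:
    """Pair two equal-length reading lists into samples taken 1 s apart."""
    assert len(primary) == len(redundant)
    return [Sample(t, p, r) for t, (p, r) in enumerate(zip(primary, redundant))]


def check_integrity(samples: list, max_rate: float = 5.0,
                    max_disagreement: float = 3.0, frozen_window: int = 5) -> list:
    """Return (t, alert_kind) tuples for every sample that fails a check.

    max_rate          maximum credible change per second for this process variable
    max_disagreement  tolerance between primary and redundant channel
    frozen_window     number of consecutive samples over which a flat primary,
                      combined with a moving redundant channel, counts as frozen
    """
    alerts = []
    prev = None
    primary_hist, redundant_hist = [], []
    for s in samples:
        # 1. Rate-of-change: a jump the physics cannot produce is suspect.
        if prev is not None:
            dt = s.t - prev.t
            if dt > 0 and abs(s.primary - prev.primary) > max_rate * dt:
                alerts.append((s.t, "rate_of_change"))
        # 2. Redundant-channel cross-check.
        if abs(s.primary - s.redundant) > max_disagreement:
            alerts.append((s.t, "redundant_mismatch"))
        # 3. Frozen-value check: replayed "safe" constant while the process moves.
        primary_hist = (primary_hist + [s.primary])[-frozen_window:]
        redundant_hist = (redundant_hist + [s.redundant])[-frozen_window:]
        if (len(primary_hist) == frozen_window
                and max(primary_hist) - min(primary_hist) == 0.0
                and max(redundant_hist) - min(redundant_hist) > 0.0):
            alerts.append((s.t, "frozen_value"))
        prev = s
    return alerts


# Constructed traces: the process pressure really rises 5 units/s; from t=5 the
# primary channel is held at 120.0 so operators see a steady, safe-looking value.
SPOOFED_TRACE = make_trace(
    primary=[100, 105, 110, 115, 120, 120, 120, 120, 120, 120],
    redundant=[100, 105, 110, 115, 120, 125, 130, 135, 140, 145],
)
CLEAN_TRACE = make_trace(
    primary=[100, 101, 103, 104, 104, 105, 105, 106],
    redundant=[100, 101, 102, 104, 105, 105, 106, 106],
)


def first_alert_time(alerts: list):
    """Earliest sample at which any check fired, or None."""
    return min((t for t, _ in alerts), default=None)


if __name__ == "__main__":
    for name, trace in (("spoofed", SPOOFED_TRACE), ("clean", CLEAN_TRACE)):
        found = check_integrity(trace)
        print(name, "first alert at t =", first_alert_time(found), found)
```

The redundant-channel check is the one that catches the attack earliest here, which is the point of pairing a networked transmitter with an independently wired one: an attacker who controls the network path still has to make both channels agree. The frozen-value check matters in the case where no redundant channel exists, since a replayed constant is the simplest way to hide a rising process variable.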

Availability Attacks Disrupting Control Operations

Distributed denial-of-service (DDoS) attacks, ransomware, or malware that corrupts control logic can knock critical systems offline. For transportation networks (e.g., railway signaling, air traffic control), even a brief loss of availability can cause collisions or unsafe conditions. In manufacturing, the Stuxnet worm in 2010 destroyed centrifuges by targeting the availability of programmable logic controllers at Iran’s Natanz facility while hiding the damage from operators.

Confidentiality Breaches Leading to Intellectual Property or Operational Data Theft

While less directly tied to immediate physical hazards, the theft of process parameters, control algorithms, or design files can enable sophisticated future attacks. Knowing a plant’s exact safety margins and setpoints helps an adversary craft attacks that stay just below alarm thresholds, creating hidden cumulative damage.

Interdisciplinary Collaboration: Safety Engineers and Cybersecurity Pros

Effective integration demands that traditional safety engineers and cybersecurity specialists work together from the earliest design stages. Historically, these communities have used different languages, tools, and risk metrics. Safety professionals think in terms of reliability (MTBF), failure rates (FIT), and Safety Integrity Levels (SIL). Cybersecurity experts think in terms of attack trees, threat models, and indicators of compromise (IoCs).

Bridging this gap requires cross-training and shared frameworks. The ISA/IEC 62443 standards provide a common vocabulary and process for assessing risk across both safety and security. For instance, ISA-62443-3-2 outlines a method to identify and evaluate risks to the security of safety-instrumented systems. Joint workshops where safety and security teams review system architectures together help avoid situations where a security patch inadvertently disables a safety function, or where a safety failure mode opens a new cyber vulnerability.

Common Challenges and How to Address Them

Legacy Systems with Insecure Protocols

Many industrial sites operate equipment from the 1980s and 1990s that lacks modern security features—no encryption, hardcoded credentials, or unauthenticated communication. Upgrading these systems is expensive and may require extensive requalification. Possible solutions include deploying network segmentation with firewalls, adding deep-packet-inspection gateways, or using unidirectional data diodes to allow safe external monitoring without exposing the control network.

Evolving Threat Landscape

Cyber threats change rapidly, while engineering hazard analysis documents are often updated only during major redesigns or periodic reviews. To stay current, organizations should adopt a living hazard analysis that is revisited at least annually or whenever significant system changes occur. Threat intelligence feeds (e.g., from ICS-CERT, MITRE ATT&CK for ICS) can be used to trigger updates when new relevant vulnerabilities are disclosed.

Complexity of Cyber-Physical Interactions

Unlike purely digital systems, the consequences of a cyber attack in an engineered environment depend on physical dynamics—pressure, temperature, speed, chemical reaction rates. Modeling these interactions requires advanced simulation that couples control logic, network behavior, and physics. Tools like hardware-in-the-loop (HIL) simulation and digital twins can help engineers test cyber-attack scenarios safely and validate the effectiveness of combined safety and security controls.

Emerging Tools and Standards for Cyber-Inclusive Hazard Analysis

Several organizations have developed structured methods to incorporate cybersecurity into safety engineering:

  • MITRE Threat and Risk Management (TRA) has a framework that integrates threat modeling with hazard analysis using attack trees and safety case patterns.
  • The European Cybersecurity Organisation (ECSO) has published guidelines for cyber-physical risk assessment in smart manufacturing.
  • IEEE 1584-2020 (Guide for Performing Arc-Flash Hazard Calculations) now includes considerations for cybersecurity that could affect protective device coordination.
  • ISO 26262 (functional safety for automotive) is being updated to include cybersecurity clauses aligned with ISO/SAE 21434 for road vehicles.

Adopting these standards helps engineering firms demonstrate due diligence to regulators, insurers, and clients. They also provide repeatable, auditable processes that reduce the risk of overlooking critical cyber-hazard scenarios.

Future Directions: AI, Machine Learning, and Automated Risk Assessment

Machine learning offers potential to analyze large volumes of system logs and network traffic to detect anomalies that could signal a cyber-physical attack. However, engineers must be cautious: AI models can produce false positives that erode operator trust, and adversarial examples can deliberately mislead detectors. In hazard analysis, AI should augment human expertise, not replace it. Future frameworks will likely prescribe when and how to validate AI-based outputs within safety-critical contexts.

Another promising direction is the development of digital twin environments where thousands of cyber-attack scenarios can be simulated against the system’s control logic and physical model. This allows engineers to explore “what-if” situations that would be too dangerous or expensive to test on live equipment. The results feed directly into the hazard analysis, identifying the most dangerous attack paths and informing the placement of both cybersecurity and safety controls.

Building a Culture of Cyber Safety

Ultimately, the most sophisticated tools and standards will fail if the engineering organization lacks a culture that treats cyber threats as seriously as physical hazards. This means:

  • Requiring cybersecurity awareness training for all engineers, not just IT staff.
  • Integrating cybersecurity competency into job descriptions and performance reviews for system designers.
  • Performing regular red-team/blue-team exercises on control system testbeds to uncover weaknesses before attackers do.
  • Reporting near-misses and cyber incidents in the same manner as safety incidents, with root-cause analysis and corrective actions.

Organizations that embed cybersecurity into their hazard analysis culture reduce not only the likelihood of cyber-physical accidents but also the potential liability and reputational damage that follows. By treating cybersecurity as an intrinsic part of the safety lifecycle—from concept through decommissioning—engineering teams can build systems that are resilient against both technical failures and malicious acts.

Practical Steps to Start Integrating Cybersecurity into Hazard Analysis Today

  1. Form a cross-functional team with representatives from safety, controls, IT, and operations. Assign a champion who understands both domains.
  2. Perform a gap analysis between your current hazard analysis methodology and existing cybersecurity standards (e.g., NIST SP 800-82, IEC 62443). Identify missing steps such as threat modeling or cyber-consequence mapping.
  3. Choose a pilot system—a new design or a critical piece of legacy equipment—to apply the cyber-inclusive hazard analysis process. Document lessons learned.
  4. Update your corporate risk register to include cyber-physical risks alongside conventional safety risks.
  5. Invest in training for key personnel, such as Certified Functional Safety Engineer (CFSE) courses that now include cybersecurity modules, or SANS ICS courses like ICS410, ICS515, and ICS612.
  6. Develop or adopt templates for cyber-hazard analysis reports that combine elements from HAZOP, FMEA, and security threat modeling (e.g., STRIDE or ATT&CK for ICS).
  7. Schedule periodic reviews that align with system and threat change cycles—ideally every 6 to 12 months.

By taking these steps, engineering organizations can move beyond treating cybersecurity as an isolated compliance checkbox and make it a natural part of hazard analysis that protects people, the environment, and business continuity.

For more detailed guidance, consult the CISA Cyber-Physical Risk Assessment Guide, which provides a step-by-step method for integrating safety and security assessments in critical infrastructure. Another invaluable resource is the ISA TR 62443-3-2 technical report, which includes detailed examples of cybersecurity risk assessments for industrial control systems. These authoritative references will help engineering teams develop robust, defensible cyber-hazard analyses that keep pace with an ever-evolving threat environment.