Cybersecurity data center
ComplianceESGJuly 04, 2019|UpdatedFebruary 22, 2022

CHASE – Visualizing cyber security vulnerabilities using bowties

By:
Chase blog
Click here to view the full image

Hazards 29 is Europe’s leading process safety forum.

At this year’s event, industry expert Andy Geddes and CGE Partner David Hatch from Process Safety Integrity presented their new CHASE concept. Their work has developed a practical methodology for Computer Hazard And Security Evaluation.

You can’t defend what you don’t understand

Cyber security is a major concern across all industries with the threat of data theft or corruption, disabled functionality such as denial of service or ransomed ware, or spurious protection activation. With limited resources, organizations must target their cyber security efforts wisely and proportionally to prevent, detect, and recover from intentional attacks and unintentional challenges.

Plant and equipment need robust security to defend against deviations within Industrial Automation Control Systems (IACS) and incursions into IT systems such as maintenance management or enterprise resource planning systems. As the UK’s Health and Safety Executive says: “In order to defend a system, it is first important to know what is to be defended”. They stress that “you can’t defend what you don’t understand” (HSE OG0086).

Physical & logical topology

CHASE starts by creating a topological map of the physical plant and logical IACS assets that is clear and concise. All control and protection measures (subdivided into Zones and Conduits) are overlaid onto the map with a view of potential hazards, which could result in major accidents (MA) and/or loss of essential services (LES). This technique responds to the current focus of the competent bodies including the UK’s Health and Safety Executive (HSE) and Cyber Security Centre (CSC). The mapping and evaluation also consider environmental impact and commercial or reputational damage. CHASE uses the concept of vulnerability to infer likelihood because the ecology of cyber-attacks is constantly evolving. Vulnerability is combined with asset hazard (MA or LES) severity to generate a high-level risk assessment.

High-level risk assessment

CHASE uses bowties to visualize the high-level risk assessment by presenting reasonably foreseeable threats (e.g. OG0086 Table 5.1) and their countermeasures or barriers. This allows the applicability of the threat and the adequacy of the barriers to be risk assessed.

Chase blog
Figure 1: A typical IACS threat is prevented by a combination of security barriers of varying effectiveness (examples only). Click here to view the full image.

The effects of an IACS breach can impact on a plant or process in two ways:

  • threats which originate from the IACS become more likely or new ones are created
  • barriers which rely on the IACS are defeated or degraded

Detailed risk assessment

Regulators are not currently focussed on detailed risk assessments, but this will change in the near future. CHASE anticipates this change by using the same basic bowties for detailed IACS and process risk assessments which are chained together to highlight the relationships between cyber events and process events.

Chase blog
Figure 2: The consequence of a loss of integrity of an IACS becomes a chained threat to a physical asset which has tangible effects (examples only). Click here to view the full image.

Best practice

CHASE uses recognized industry good practice including HSE 0G0086, CSC Cyber Assessment Framework (CAF), IEC 62443 and NIST SP800-30. It is structured to allow easy expansion as physical and logical asset bowties develop. It provides a proportionate and practical visual risk assessment technique, which is understandable and explainable to non-technical personnel. This results in a common understanding of both general and specific vulnerabilities and improves decision making and resource deployment.

Start the CHASE method – Download a full copy of the paper

Are you interested to learn more about visualizing cyber security vulnerabilities with bowtie? Download the paper for a more detailed explanation of the CHASE method. Complete & submit the details below to receive a copy in your inbox right away.

© David Hatch – Process Safety Integrity. 2019 – The copyright of the content of this guest blog belongs to David Hatch who has authorized CGE Risk Management Solutions B.V. to provide this content on its website.

Related Insights

  • Economic nexus simplified: State sales tax guide
    Article
    Compliance
    Updated July 10, 2025

    Economic nexus simplified: State sales tax guide

    Learn more about economic nexus thresholds from this simple chart that sets forth the sales and transaction thresholds for each state that imposes a sales tax.
    Learn More
  • On-demand webinar: End-to-end UCC search, filing, and management
    Webinar
    Compliance
    Updated April 01, 2025

    On-demand webinar: End-to-end UCC search, filing, and management

    In this webinar, learn how the UCC Hub can optimize your UCC workflow.
    Learn More
  • Internal audit’s role in AI fraud detection
    Article
    Compliance
    February 19, 2025

    Internal audit’s role in AI fraud detection

    In this article, we explore AI fraud detection through the lens of internal audit leaders, highlighting its impact on governance, risk management, and compliance.
    Learn More
  • Strategies to pledge electronic collateral to the Federal Reserve Bank
    Webinar
    Compliance
    February 19, 2025

    Strategies to pledge electronic collateral to the Federal Reserve Bank

    Hear from industry leaders from Celent, Vibrant Credit Union, Park National Bank, Zions Bancorporation, and Wolters Kluwer in the webinar Strategies to Pledge Electronic Collateral to the Federal Reserve Bank.
    Learn More
Back To Top