The widespread use of software systems in critical infrastructures such as hydropower plants has brought many advantages, yet it has also exposed these systems to cyber threats. Cyber risk assessment and mitigation are important for identifying cyber threats and protecting these systems from unwanted incidents. This paper evaluates and compares two risk assessment methodologies, namely Hazard and Operability Study (HAZOP) and BowTie analysis, for identifying cyber-induced threats in hydropower systems. We selected these two methodologies because they offer complementary perspectives for cyber-safety risk assessment. Each method is first applied in its traditional form to identify hazards, barriers, and threat scenarios arising from accidental causes, then extended to examine how the findings change under cyber-induced causation. The traditional HAZOP identifies 18 deviations across five control parameters; the cyber extension shows how an adversary can coordinate multiple deviations to produce outcomes that conventional safeguards cannot detect. The BowTie analysis maps preventive and mitigation barriers around a top event; the cyber extension reveals that barriers which appear independent can share network infrastructure that a single attacker could compromise, challenging the defense-in-depth assumption. Together, the two methods provide complementary coverage: HAZOP systematically enumerates what can go wrong, while BowTie shows how barriers provide layered protection. The cyber extension applied to both exposes assumptions (independent causes in HAZOP and independent barriers in BowTie) that do not hold against a coordinated adversary. Based on this study, the paper presents a practical two-stage approach for adapting established safety methods to identify cybersecurity challenges in hydropower control systems, discusses the pros and cons of each methodology, and shows their areas of applicability.
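The BowTie finding above, that barriers which look independent on the diagram may all hang off the same network infrastructure, can be checked mechanically once each barrier is annotated with the components it relies on. The following is an added illustration, not code or data from the paper: it builds a small constructed BowTie for an assumed hydropower top event, with illustrative barrier and component names, and computes the components shared between barriers, the minimal sets of components whose compromise disables every barrier (cut sets), and how many layers of defense remain genuinely independent. It also re-runs the analysis for a variant in which the purely mechanical barrier is replaced by a networked one, which is the kind of change the cyber extension is meant to surface.

```python
"""Checking BowTie barrier independence against a shared-infrastructure
compromise. Constructed example, not from the paper: the top event, barrier
names and component names are illustrative assumptions."""
from itertools import combinations

TOP_EVENT = "uncontrolled turbine overspeed"  # assumed top event

# barrier -> set of components the barrier needs in order to function
BARRIERS = {
    "governor speed limiter":    {"governor PLC", "control LAN"},
    "SCADA high-speed alarm":    {"SCADA server", "control LAN", "operator HMI"},
    "emergency shutdown logic":  {"safety PLC", "control LAN"},
    "mechanical overspeed trip": {"flyball trip"},  # purely mechanical, no network
}

# Cyber-extension variant: the mechanical trip replaced by a networked relay
NETWORKED_TRIP = {k: v for k, v in BARRIERS.items() if k != "mechanical overspeed trip"}
NETWORKED_TRIP["electronic overspeed trip"] = {"electronic trip relay", "control LAN"}


def shared_components(barriers):
    """Map each component to the barriers that depend on it, keeping only
    components used by two or more barriers (candidate common causes)."""
    users = {}
    for barrier, deps in barriers.items():
        for comp in deps:
            users.setdefault(comp, set()).add(barrier)
    return {c: sorted(b) for c, b in users.items() if len(b) > 1}


def minimal_cut_sets(barriers, max_size=3):
    """Smallest sets of components whose simultaneous compromise disables
    every barrier, i.e. lets the top event through. The result is minimal:
    no returned set is a superset of another returned set."""
    components = sorted(set().union(*barriers.values()))
    cuts = []
    for size in range(1, max_size + 1):
        for combo in combinations(components, size):
            candidate = set(combo)
            if any(cut <= candidate for cut in cuts):
                continue  # already covered by a smaller cut set
            if all(deps & candidate for deps in barriers.values()):
                cuts.append(candidate)
    return [sorted(c) for c in cuts]


def independent_layers(barriers):
    """Number of barriers sharing no component with any other barrier;
    only these can be counted as independent layers of defense in depth."""
    shared = set(shared_components(barriers))
    return sum(1 for deps in barriers.values() if not (deps & shared))


if __name__ == "__main__":
    print("Top event:", TOP_EVENT)
    print("Shared components:", shared_components(BARRIERS))
    print("Minimal cut sets:", minimal_cut_sets(BARRIERS))
    print("Independent layers:", independent_layers(BARRIERS))
    print("Cut sets with networked trip:", minimal_cut_sets(NETWORKED_TRIP))
```

With the mechanical trip in place, defeating all four barriers requires compromising both the control LAN and the mechanical device, so the BowTie still has one layer that is genuinely independent of the network. Once that barrier is replaced by a networked relay, the control LAN alone becomes a single-component cut set, which is exactly the shared-infrastructure assumption the cyber extension is designed to expose.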