
arxiv: 2604.03994 · v1 · submitted 2026-04-05 · 💻 cs.CR

Assessing Cyber Risks in Hydropower Systems Through HAZOP and Bow-Tie Analysis

Pith reviewed 2026-05-13 17:36 UTC · model grok-4.3

classification 💻 cs.CR
keywords cyber, systems, barriers, hazop, bowtie, hydropower, analysis, assessment

The pith

Extending HAZOP and Bow-Tie methods to cyber causation shows that coordinated attacks can bypass safeguards by exploiting shared network dependencies in hydropower systems.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

This paper takes two well-known ways of finding dangers in large industrial systems and tests them on hydropower plants whose water and electricity are controlled by computers. The first method, HAZOP, systematically lists the ways key control parameters such as water flow or pressure can deviate from their intended values. In the traditional version the authors found 18 such deviations across five parameters. When they added an attacker who can cause several deviations at once, they saw that safeguards designed for single, accidental faults might miss the combined effect. The second method, Bow-Tie, draws a picture of the barriers that stop a bad event from starting and the barriers that limit the damage once it happens. In the cyber version, several of these barriers turn out to depend on the same computer networks, so one attacker could disable them at the same time. This challenges the usual defense-in-depth belief that having many separate protections keeps a system safe. The study suggests using both methods together as a two-stage process: HAZOP to enumerate what can go wrong, and Bow-Tie to check whether the protections hold up against a coordinated adversary. It also notes the strengths and weaknesses of each approach for this kind of work.

Core claim

The cyber extension applied to both methods exposes assumptions (independent causes in HAZOP, independent barriers in Bow-Tie) that do not hold against a coordinated adversary.

Load-bearing premise

That the qualitative extensions of HAZOP and Bow-Tie accurately capture real-world coordinated cyber threats without empirical attack data or validation on actual hydropower systems.

read the original abstract

The widespread use of software systems in critical infrastructures such as hydropower plants has brought many advantages, yet it has exposed these systems to cyber threats. Cyber risk assessment and mitigation is important to identify cyber threats and protect these systems from unwanted incidents. This paper evaluates and compares two risk assessment methodologies, namely Hazard and Operability Study (HAZOP) and BowTie analysis, for identifying cyber-induced threats in hydropower systems. We selected these two methodologies because they offer a complementary perspective for cyber-safety risk assessment. Each method is first applied in traditional form to identify hazards, barriers, and threat scenarios arising from accidental causes, then extended to examine how findings change under cyber-induced causation. The traditional HAZOP identifies 18 deviations across five control parameters; the cyber extension shows how an adversary can coordinate multiple deviations to produce outcomes that conventional safeguards cannot detect. The BowTie analysis maps preventive and mitigation barriers around a top event; the cyber extension reveals that barriers appearing independent can share network infrastructure a single attacker could compromise, challenging the defense-in-depth assumption. Together, the two methods provide complementary coverage: HAZOP systematically enumerates what can go wrong, while BowTie shows how barriers provide layered protection. The cyber extension applied to both exposes assumptions, independent causes in HAZOP and independent barriers in BowTie, that do not hold against a coordinated adversary. As a result of this study, this paper highlights a practical two-stage approach to adapt established safety methods to identify cybersecurity challenges in hydropower control systems, provides pros and cons of these methodologies, and shows areas of applicability.
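As an added illustration (not code from the paper or from Pith), the two-stage procedure the abstract describes, modelled in Python. Stage 1 enumerates HAZOP deviations as (parameter, guideword) pairs and then asks which of them an attacker holding one network segment could induce together, the "coordinated deviations" that traditional HAZOP scores as independent accidental causes. Stage 2 annotates each Bow-Tie barrier with the network assets it depends on and searches for assets whose compromise defeats every preventive barrier at once, the shared-infrastructure failure the cyber extension reveals. The parameters, guidewords, barrier names and network segments (control_lan, historian, telemetry_wan) are constructed for this example; the page does not list the paper's five control parameters or its barriers.

```python
"""Cyber-extended HAZOP / Bow-Tie check (illustrative, constructed data).

Stage 1 enumerates HAZOP deviations as (parameter, guideword) pairs and shows
which of them a single compromised network asset can induce together.
Stage 2 models Bow-Tie barriers with the network assets they depend on and
searches for assets whose compromise defeats every preventive barrier at once.
"""
from dataclasses import dataclass
from itertools import combinations

GUIDEWORDS = ("NO", "MORE", "LESS", "REVERSE")

# Assumed parameters; the paper's five control parameters are not listed on the page.
# "via" is the (hypothetical) network segment carrying the parameter's sensor/actuator traffic.
PARAMETERS = {
    "flow":     {"guidewords": {"NO", "MORE", "LESS", "REVERSE"}, "via": "control_lan"},
    "pressure": {"guidewords": {"MORE", "LESS"},                  "via": "control_lan"},
    "level":    {"guidewords": {"MORE", "LESS"},                  "via": "telemetry_wan"},
}


def enumerate_deviations(parameters=PARAMETERS):
    """Stage 1, traditional HAZOP: one deviation per credible (parameter, guideword) pair."""
    return [(p, g) for p, spec in parameters.items()
            for g in GUIDEWORDS if g in spec["guidewords"]]


def coordinated_deviations(compromised, parameters=PARAMETERS):
    """Stage 1, cyber extension: deviations an adversary who controls the assets in
    `compromised` can induce simultaneously. Traditional HAZOP scores each one as an
    independent accidental cause; here they all share a single cause."""
    return [(p, g) for p, g in enumerate_deviations(parameters)
            if parameters[p]["via"] in compromised]


@dataclass(frozen=True)
class Barrier:
    name: str
    kind: str               # "preventive" (left of the top event) or "mitigative" (right)
    depends_on: frozenset   # network assets the barrier needs to function; empty = none


# Constructed barriers around the top event "uncontrolled discharge through the gates".
BARRIERS = (
    Barrier("PLC gate interlock",           "preventive", frozenset({"control_lan"})),
    Barrier("SCADA high-flow alarm",        "preventive", frozenset({"control_lan", "historian"})),
    Barrier("Operator remote override",     "preventive", frozenset({"control_lan"})),
    Barrier("Mechanical overflow spillway", "mitigative", frozenset()),
    Barrier("Downstream warning siren",     "mitigative", frozenset({"telemetry_wan"})),
)


def defeated(compromised, barriers=BARRIERS):
    """Names of barriers that stop working once any asset they depend on is attacker-controlled."""
    return [b.name for b in barriers if b.depends_on & set(compromised)]


def single_points_of_failure(barriers=BARRIERS, kind="preventive"):
    """Assets whose compromise alone defeats every barrier of the given kind.
    A non-empty result contradicts the independence that defense-in-depth assumes."""
    relevant = [b for b in barriers if b.kind == kind]
    assets = set().union(*(b.depends_on for b in relevant))
    return sorted(a for a in assets if all(a in b.depends_on for b in relevant))


def minimal_compromise_sets(barriers=BARRIERS, kind="preventive"):
    """Smallest asset sets whose compromise defeats every barrier of the given kind.
    Returns [] when some barrier has no network dependency and so cannot be defeated."""
    relevant = [b for b in barriers if b.kind == kind]
    if any(not b.depends_on for b in relevant):
        return []
    assets = sorted(set().union(*(b.depends_on for b in relevant)))
    for size in range(1, len(assets) + 1):
        hits = [set(c) for c in combinations(assets, size)
                if all(b.depends_on & set(c) for b in relevant)]
        if hits:
            return hits
    return []


if __name__ == "__main__":
    print("HAZOP deviations:", enumerate_deviations())
    print("Inducible at once from control_lan:", coordinated_deviations({"control_lan"}))
    print("Barriers defeated by control_lan:", defeated({"control_lan"}))
    print("Preventive single points of failure:", single_points_of_failure())
    print("Minimal compromise sets (preventive):", minimal_compromise_sets())
    print("Minimal compromise sets (mitigative):", minimal_compromise_sets(kind="mitigative"))
```

With the constructed data, control_lan alone defeats all three preventive barriers, while the mechanical spillway, having no network dependency, is not defeated by any compromise set; that distinction between a barrier that merely looks independent and one that is independent is what the Bow-Tie cyber extension is meant to surface. A real assessment would replace the constructed depends_on sets with dependencies taken from the plant's actual network topology.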

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 1 minor

Summary. The manuscript applies traditional HAZOP and Bow-Tie analyses to identify hazards and barriers in hydropower systems, identifying 18 deviations across five control parameters in the traditional HAZOP. It then extends both methods to cyber-induced causation, claiming that a coordinated adversary can bypass conventional safeguards by inducing multiple deviations at once and by compromising network infrastructure shared among barriers, thus challenging the assumption that causes and barriers are independent. The paper concludes by highlighting a two-stage approach for adapting these safety methods to cybersecurity challenges in hydropower control systems.

Significance. If validated, the findings would be significant in demonstrating the limitations of standard safety analysis methods when applied to cyber threats in critical infrastructure. By showing how cyber extensions reveal non-independent causes and barriers, it underscores the need for integrated cyber-safety assessments, potentially guiding practitioners in hydropower and similar ICS environments toward more robust defense strategies.

major comments (2)
  1. [Cyber-extended HAZOP] The description of how an adversary can coordinate multiple deviations to produce outcomes that conventional safeguards cannot detect is presented as an illustrative scenario without empirical attack data, simulation results, or references to documented incidents in hydropower systems. This directly supports the central claim that independent causes do not hold against a coordinated adversary and requires substantiation to be load-bearing.
  2. [Cyber-extended Bow-Tie analysis] The revelation that barriers appearing independent can share network infrastructure vulnerable to a single attacker is based on qualitative mapping rather than analysis of actual network topologies or dependency graphs from hydropower plants. This undermines the strength of the conclusion regarding the defense-in-depth assumption without additional evidence or modeling.
minor comments (1)
  1. [Abstract] The abstract refers to 'five control parameters' without listing them; including this detail would improve clarity for readers unfamiliar with the specific HAZOP application.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axiom · 0 invented entities

The analysis rests on the domain assumption that standard safety methods can be meaningfully extended to coordinated cyber threats without new parameters or entities.

axioms (1)
  • domain assumption Traditional HAZOP and Bow-Tie methods can be extended to cyber-induced threats by considering coordinated adversary actions.
    Invoked when describing the cyber extension of both methods in the abstract.

pith-pipeline@v0.9.0 · 5597 in / 1178 out tokens · 33261 ms · 2026-05-13T17:36:19.366622+00:00 · methodology
