
ICS Risk Assessment in Industrial Systems

Learn what an ICS Risk Assessment is, how it works, and why it is crucial for the ICS cyber security of SCADA plants, PLCs, and OT environments.

Table of contents

  • What is an ICS Risk Assessment
  • Frameworks and reference standards: NIST, ISO and IEC 62443
  • Operational phases of the ICS Cyber Security Risk Assessment
  • Real examples of risk assessment
  • Integrating ICS Risk Assessment into Corporate Risk Management

Cyber security of industrial control systems is no longer an option, but a necessity.

ICS (Industrial Control Systems), including technologies such as SCADA, DCS and PLC, have become prime targets for cyber attacks capable of causing economic, environmental and human damage.

The ICS Risk Assessment, i.e. the evaluation of cyber risks in production systems, is today one of the fundamental pillars of ICS Cyber security.

This article delves into what an ICS Cyber Security Risk Assessment is, how it is conducted according to standards such as NIST and IEC 62443, and presents real-world cases and operational examples to help businesses strengthen their resilience.

What is an ICS Risk Assessment

ICS Risk Assessment is the systematic process of identifying, analyzing, and managing cyber security risks associated with an industrial control system.

Unlike traditional IT environments, ICS are characterized by legacy components, continuous production cycles, and a high sensitivity to system availability. The risk assessment must therefore take into account the specificities of the operational context (OT), including impacts on physical security, process interruption, and compromise of process data.

An effective ICS Cyber Security Risk Assessment allows you to:

  • Identify potential threats (e.g. malware, APT actors, human errors)
  • Assess existing vulnerabilities (e.g. exposed PLCs, unencrypted protocols)
  • Estimate the level of risk based on probability and impact
  • Define mitigation and control measures
  • Ensure compliance with industry standards such as IEC 62443 or NIST SP 800-82

Frameworks and reference standards: NIST, ISO and IEC 62443

The main methodologies for performing an ICS Risk Assessment are based on international frameworks that guide organizations in risk management. The most relevant are:

NIST SP 800-82

The National Institute of Standards and Technology has developed the publication SP 800-82 Rev. 2, one of the main references for ICS Cyber security in the United States. This standard:

  • Provides a risk assessment model for ICS
  • Includes a classification of common threats (e.g. denial of service, spoofing)
  • Suggests technical and procedural countermeasures
  • Integrates concepts from the NIST Cyber Security Framework (Identify, Protect, Detect, Respond, Recover)

ISO/IEC 27005

ISO/IEC 27005 provides a generic approach to cyber security risk management that is also applicable to industrial environments. It is often used in combination with ISO/IEC 27001 for security certifications.

IEC 62443

The IEC 62443 standard is specifically designed for industrial automation and control systems. The series is divided into several parts:

  • 62443-2-1: security program management
  • 62443-3-2: risk assessment and zoning
  • 62443-4-2: security requirements for components

Part 62443-3-2, in particular, proposes a structured ICS risk assessment process based on:

  • Identifying zones and conduits
  • Asset Classification
  • Threat Analysis
  • Risk assessment
  • Prioritization of security controls

Operational phases of the ICS Cyber Security Risk Assessment

1. Asset identification

The first step is to create a complete inventory of the devices, software, protocols, and users in the ICS network. Assets include:

  • PLC (Programmable Logic Controller)
  • HMI (Human Machine Interface)
  • RTU (Remote Terminal Unit)
  • SCADA Servers
  • Industrial Network Switch

Practical example
In a food manufacturing plant, 74 PLCs, 5 SCADA servers and 48 HMIs were identified, distributed between the packaging line and the cold storage rooms. Some of these devices were connected to the corporate network without segmentation.
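The inventory described above and the zone-and-conduit model of IEC 62443-3-2 are easiest to understand as a check that can be run over the inventory itself. The following script is an added example, not code from the original article or from any of the standards: it models each asset with its zone, declares which zone pairs have an authorized conduit, and flags (a) OT assets addressed outside the plant's OT address plan or exposing clear-text management services and (b) observed flows that cross zones where no conduit exists. All asset names, addresses, zones, conduits and flows are constructed sample data.

```python
"""Asset inventory with IEC 62443-3-2 style zone/conduit checks (added example).

Assets, the OT address plan, the allowed conduits and the observed flows are
all constructed sample data, not taken from any real plant.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str                  # PLC, HMI, SCADA, RTU, Switch, Workstation
    ip: str
    zone: str                  # e.g. "OT-Packaging", "Industrial-DMZ", "Corporate-IT"
    services: frozenset = field(default_factory=frozenset)


# Assumption: the plant's OT address plan; anything else in an OT zone is suspect.
OT_NETWORKS = [ip_network("10.20.0.0/16"), ip_network("10.30.0.0/16")]

# Assumption: zone pairs joined by a declared conduit (an industrial firewall).
ALLOWED_CONDUITS = {
    ("Corporate-IT", "Industrial-DMZ"),
    ("Industrial-DMZ", "OT-Packaging"),
    ("Industrial-DMZ", "OT-ColdStorage"),
}

# Management services that carry credentials in clear text.
INSECURE_SERVICES = {"telnet", "ftp", "http"}

# Constructed inventory (a few assets standing in for the 74 PLCs / 48 HMIs).
ASSETS = [
    Asset("PLC-PKG-01", "PLC", "10.20.1.11", "OT-Packaging", frozenset({"modbus"})),
    Asset("PLC-PKG-02", "PLC", "203.0.113.7", "OT-Packaging", frozenset({"modbus", "telnet"})),
    Asset("SCADA-01", "SCADA", "10.20.1.5", "OT-Packaging", frozenset({"https"})),
    Asset("HMI-CS-01", "HMI", "10.30.1.21", "OT-ColdStorage", frozenset({"vnc"})),
    Asset("HIST-01", "Server", "10.10.0.5", "Industrial-DMZ", frozenset({"https"})),
    Asset("WS-OFFICE-12", "Workstation", "192.168.50.12", "Corporate-IT", frozenset()),
]

# Constructed flow records (source IP, destination IP, destination port), as a
# switch SPAN session or an IDS connection log would provide them.
FLOWS = [
    ("192.168.50.12", "10.10.0.5", 443),    # office -> DMZ historian: allowed
    ("192.168.50.12", "10.20.1.5", 443),    # office -> SCADA directly: no conduit
    ("10.20.1.5", "10.20.1.11", 502),       # SCADA -> PLC, same zone: fine
    ("10.10.0.5", "10.30.1.21", 5900),      # DMZ -> cold-storage HMI: allowed
    ("198.51.100.9", "203.0.113.7", 23),    # unknown source talking Telnet to a PLC
]


def check_exposure(assets):
    """Return (asset, finding) pairs for OT assets outside the address plan or
    running clear-text management services."""
    findings = []
    for a in assets:
        if not a.zone.startswith("OT-"):
            continue
        addr = ip_address(a.ip)
        if not any(addr in net for net in OT_NETWORKS):
            findings.append((a.name, "address outside OT address plan"))
        for svc in sorted(a.services & INSECURE_SERVICES):
            findings.append((a.name, f"clear-text service {svc}"))
    return findings


def check_conduits(assets, flows):
    """Return flows that cross zones without a declared conduit, plus flows
    involving an address that is not in the inventory at all."""
    by_ip = {a.ip: a for a in assets}
    violations = []
    for src_ip, dst_ip, dport in flows:
        src, dst = by_ip.get(src_ip), by_ip.get(dst_ip)
        if src is None or dst is None:
            violations.append((src_ip, dst_ip, dport, "unknown asset"))
        elif src.zone != dst.zone and (src.zone, dst.zone) not in ALLOWED_CONDUITS:
            violations.append((src_ip, dst_ip, dport,
                               f"{src.zone}->{dst.zone} has no conduit"))
    return violations


if __name__ == "__main__":
    for finding in check_exposure(ASSETS):
        print("EXPOSURE ", finding)
    for violation in check_conduits(ASSETS, FLOWS):
        print("CONDUIT  ", violation)
```

The two checks map directly onto the phases that follow: exposure findings feed the vulnerability analysis, and conduit violations are the evidence that "devices connected to the corporate network without segmentation" is a finding rather than an impression. Unknown addresses are reported rather than ignored, because an incomplete inventory is itself a finding.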

2. Threat Analysis

The next step is to evaluate the potential threats that could compromise the security of the systems. Among the most common threats to ICS are:

  • Malware specific to OT environments (e.g. Stuxnet, Industroyer, Triton)
  • Insider attacks
  • Uncontrolled remote access
  • Configuration errors in control systems

3. Vulnerability Analysis

Vulnerabilities can be technical (e.g. outdated software), architectural (e.g. no firewall between the IT and OT networks) or organizational (e.g. insufficient training). Tools such as Nessus, OpenVAS or the Shodan SCADA/ICS search can be used to find known vulnerabilities. Active scanners should be used with care on OT devices, since older PLCs and RTUs can stall or crash under aggressive probing; passive discovery, or scanning during a maintenance window, is the safer default.

4. Risk assessment

The risk is calculated by combining:

  • Probability of occurrence
  • Impact on availability, integrity and confidentiality

A classic example of risk assessment:

  Threat                     | Vulnerability                  | Impact   | Probability | Risk
  ---------------------------|--------------------------------|----------|-------------|------------
  Unencrypted remote access  | No VPN between site and plant  | High     | Medium      | High
  Industrial malware         | PLC with outdated firmware     | Critical | Low         | Medium-high
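The combination of probability and impact in the table above is a lookup in a qualitative risk matrix. The script below is an added example, not part of the original article: it encodes one such matrix, scores the table's two scenarios plus a third constructed one, ranks them for treatment, and computes the residual risk once a control lowers the probability by one step. The matrix values are an assumption chosen to reproduce the article's table; a real assessment calibrates them to the plant's own risk tolerance.

```python
"""Qualitative risk scoring for phase 4 of an ICS risk assessment (added example).

The matrix below is an assumption that reproduces the article's table; the
scenarios are constructed sample data.
"""
IMPACT = ["Low", "Medium", "High", "Critical"]
PROBABILITY = ["Low", "Medium", "High"]
# Ordered from least to most severe, so index() gives a sortable rank.
LEVELS = ["Low", "Medium", "Medium-high", "High", "Critical"]

# RISK_MATRIX[impact][probability] -> risk level (assumed calibration)
RISK_MATRIX = {
    "Low":      {"Low": "Low",         "Medium": "Low",    "High": "Medium"},
    "Medium":   {"Low": "Low",         "Medium": "Medium", "High": "Medium-high"},
    "High":     {"Low": "Medium",      "Medium": "High",   "High": "High"},
    "Critical": {"Low": "Medium-high", "Medium": "High",   "High": "Critical"},
}

# Constructed scenarios: the two rows from the article's table and one more.
SCENARIOS = [
    {"threat": "Unencrypted remote access",
     "vulnerability": "No VPN between site and plant",
     "impact": "High", "probability": "Medium"},
    {"threat": "Industrial malware",
     "vulnerability": "PLC with outdated firmware",
     "impact": "Critical", "probability": "Low"},
    {"threat": "Configuration error",
     "vulnerability": "No change control on HMI projects",
     "impact": "Medium", "probability": "High"},
]


def risk_level(impact, probability):
    """Look up the qualitative risk for an impact/probability pair."""
    try:
        return RISK_MATRIX[impact][probability]
    except KeyError:
        raise ValueError(f"unknown impact/probability: {impact}/{probability}")


def rank_scenarios(scenarios):
    """Score every scenario and order them highest risk first (stable for ties)."""
    scored = [dict(s, risk=risk_level(s["impact"], s["probability"]))
              for s in scenarios]
    return sorted(scored, key=lambda s: LEVELS.index(s["risk"]), reverse=True)


def residual_risk(impact, probability, steps=1):
    """Risk that remains once a control lowers the probability by `steps` levels.

    Impact is left unchanged: a VPN makes eavesdropping less likely, it does not
    make a successful compromise less damaging.
    """
    idx = max(0, PROBABILITY.index(probability) - steps)
    return risk_level(impact, PROBABILITY[idx])


if __name__ == "__main__":
    for s in rank_scenarios(SCENARIOS):
        print(f"{s['risk']:<12} {s['threat']:<28} {s['vulnerability']}")
    print("VPN added:", residual_risk("High", "Medium"))   # unencrypted remote access
```

Ranking by the matrix output is what drives the next phase: the scenario at the top of the list gets its control first, and residual_risk shows what the assessment should expect that control to achieve (here, a VPN takes the remote-access scenario from High to Medium, not to zero).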

5. Definition and implementation of controls

Based on the results, security solutions are designed and implemented. They can be:

  • Technical: industrial firewalls, segmentation, application whitelisting
  • Procedural: backup plans, access management, firmware updates
  • Organizational: operator training, incident simulations

Real examples of risk assessment

Case 1: Publicly exposed PLCs

During an ICS risk assessment conducted in an Italian refinery, it was discovered that 12 Siemens PLCs were reachable via public IP. Telnet access was enabled, without credentials. An attacker could have changed the operating parameters, with catastrophic impacts on the plant.

The solution required:

  • Immediate removal from the Internet
  • Implementing a segregated OT network
  • Enabling authentication and updating firmware

Case 2: SCADA without network segmentation

In a water treatment plant, the SCADA system communicated with the administrative network without a VLAN or firewall. A malware infection delivered by a phishing email to an office computer reached the SCADA server, blocking the display of real-time data.

Mitigation included:

  • Creating an Industrial DMZ
  • Isolation of OT segments
  • Monitoring network flows with an IDS (Snort + Bro/Zeek)

Integrating ICS Risk Assessment into Corporate Risk Management

A common mistake is to treat ICS Risk Assessment as an isolated exercise. In reality, it must be integrated into a broader vision of enterprise risk management, in order to:

  • Align technical priorities with strategic ones
  • Plan investments based on risk
  • Support regulatory compliance (e.g. GDPR for telemetry data)

Companies that take an integrated approach achieve greater security maturity, while also reducing incident response times.

In summary

Risk assessment in industrial systems is not just a recommended practice: it is a strategic necessity for any company that uses ICS systems. Through the adoption of standardized methodologies such as IEC 62443 or NIST, it is possible to identify real threats, evaluate impacts and probabilities, and build a resilient and efficient defense system. Security solutions must not only be technological, but also organizational and cultural.

Every business, even if it has never suffered an attack, must be prepared. The question is no longer if it will happen, but when.


Questions and answers

  1. What is ICS Risk Assessment?
    It is the process of identifying and managing cyber risks associated with industrial control systems.
  2. What is the difference between IT and ICS risk assessment?
    ICS is for OT environments where availability and business continuity are a priority over data confidentiality.
  3. What standards are used to assess ICS risk?
    NIST SP 800-82, IEC 62443 and ISO/IEC 27005 are the main references.
  4. What does IEC 62443 mean?
    It is a family of international standards for the security of industrial automation and control systems.
  5. What threats affect ICS systems?
    Industrial malware, unauthorized access, phishing, unpatched vulnerabilities.
  6. Can I use antivirus on ICS systems?
    Yes, but with caution. Antiviruses must be tested so as not to interfere with real-time processes.
  7. Can PLCs be hacked?
    Yes, especially if they are publicly exposed or not protected with passwords and updates.
  8. Do I need a VPN for SCADA systems?
    Absolutely yes, to protect remote communications from eavesdropping and man-in-the-middle attacks.
  9. What role does risk assessment have in the GDPR?
    GDPR requires risk assessment also in data collected through sensors and control systems.
  10. How often should an ICS Risk Assessment be updated?
    At least annually or following significant changes to systems or infrastructure.