Building a Resilient World:
The ISAGCA Blog

Welcome to the official blog of the ISA Global Cybersecurity Alliance (ISAGCA).

This blog covers topics on automation cybersecurity such as risk assessment, compliance, educational resources, and how to leverage the ISA/IEC 62443 series of standards.

All Posts

White Paper Excerpt: Leveraging ISA 62443-3-2 For IACS Risk Assessment and Risk Related Strategies

This document is intended to provide the reader with an overview of ISA 62443-3-2, “Security Risk Assessment for Design”, as well as a summary of some methodologies that can be used to assist execution of the industrial automation control system (IACS) cyber security risk assessment work process requirements detailed in the standard. This risk assessment work process is applicable to many sectors, e.g. industrial process sector, building automation, medical devices, transportation sectors, electrical production, water treatment, etc. Risk management of the IACS starts with a proposed design that is based on company standards and practices and/or recognized and generally acceptable good engineering practice (RAGAGEP). It then requires the understanding of how to identify vulnerabilities, threats, consequences of a successful attack, ranking risks, and then implementing mitigating measures to lower risks to tolerable levels. The standard itself is considered a (RAGAGEP).

The standard can be summarized in two figures, both workflow diagrams. Figure 1 illustrates the overall work process, while figure 2 illustrates the detailed level risk assessment sub process shown in figure 1.

The major steps include:

  • Identification of the System under Consideration (SuC)
  • Perform an Initial Cyber Risk Assessment
  • Partition the SuC into Zones and Conduits
  • Perform a Detailed Level Cyber Risk Assessment
  • Document Updated Cyber Security Requirements for Detailed Design

Each zone and conduit requirement (ZCR) number shown in figures 1 and 2 represents a specific requirement within the standard. The boxes in the left column of each figure represent inputs that are required for the different steps. The boxes in the right column represent outputs that are created in each step. The purpose of the cyber security risk assessment work process as a whole is to evaluate the consequences and associated likelihoods of risk scenarios due to security being compromised in order to prioritize which risks require mitigation as well as what cyber security measures are necessary to reduce the risk to tolerable levels established by the authority having jurisdiction, typically the operating company, referred to as the asset owner in the 62443 series of standards.

Risk is considered to be a measure of human injury, environmental damage, and economic loss, loss of intellectual property or loss of privacy in terms of both the incident likelihood and the magnitude of the loss or injury. A simplified version of this relationship expresses risk as the product of the likelihood and the consequences (i.e., risk = consequence x likelihood) of an incident. With respect to safety, health and environmental risk, consequences are measured in the same manner, irrespective of whether they are due to a cyber-attack or due to more traditional risk assessments that in the past have not considered cyber security. Likelihood, however, can be thought of as a combination of vulnerabilities and the likelihood that a threat agent or source has the requisite skills, resources, and motivation to exploit the potential vulnerabilities or that vulnerabilities are unknowingly exploited by non-malicious human error.

During the initial cyber security risk assessment, likelihood is often expressed as a conditional probability equal to one, while detailed cyber security risk assessments must consider likelihood as an estimated frequency or probability. Cyber risk assessments should address uncertainty (at least qualitatively if not quantitatively) since not considering uncertainties can produce misleading and potentially dangerous decisions. Should a detailed level cyber security risk assessment be required, its work process is shown in figure 2 below.

The ISA/IEC 62443-3-2 standard, entitled “Security Risk Assessment for System Design” was released in February 2020 and may be purchased either from the ISA, or the International Electrotechnical Commission (IEC). The benefits of using a risk-based standards approach include:

  • Reducing the likelihood of a successful cyberattack
  • The use of a common set of requirements among stakeholders
  • Security throughout the lifecycle, and a
  • Reduction in overall lifecycle cost.

Like most performance-based standards, it provides general requirements and is not prescriptive, meaning it defines what to do, but not how do it. The standard defines general requirements and links those requirements to examples of common best practices. For instance, it describes how to rank risk. Most corporations have a risk matrix that helps them establish their level of risk tolerance. Cyber risk assessments should be performed according to that basis and cyber risk, like any other corporate risk, should be ranked using that scale.

To support the “How” to execute the risk assessment requirements of the standard, this paper includes a summary of various methodologies for the performance of both vulnerability and risk assessments. More detail on these methodologies can be found in the source references. In addition, some guidance for application of the standard is provided to contrast green field projects versus brown field facilities.

To read more, download the full white paper here.

Hal Thomas
Hal Thomas
Hal Thomas, a self-employed consultant, HWT Consulting LLC. He was formerly an Engineering Associate - Process Safety at Air Products for over 36 years. He received a BSME from Bucknell University, is a registered professional engineer in the state of PA and is a certified functional safety expert, CFSE. Prior to becoming a process safety engineer and being involved in cybersecurity for control systems, he was a process control engineer. He has participated in several industry initiatives involving the Center for Chemical Process Safety (CCPS), ISA84 and ISA99. He currently participates in ISA84 technical report working groups and co-chairs WG9 responsible for TR84.00.09, Cyber Security Related to the Safety Lifecycle, as well as participating in a number of ISA99 working groups and co-chairing WG7 that is intended to address the intersection of security and safety. During his career, he has authored and co-authored a number of papers dealing with aspects of risk assessment, including cybersecurity.

Related Posts

Cybersecurity Investment Tax Credits

Cyberattacks continue to grow worldwide, which has increased awareness and concern about utilities, indus...
Bill Lydon Nov 30, 2021 5:30:00 AM

IEC Designates ISA/IEC 62443 as a Horizontal Standard

The International Society of Automation (ISA) and the ISA Global Cybersecurity Alliance (ISAGCA) are prou...
Steven Aliano Nov 23, 2021 5:30:00 AM

Architecture vs. Design

Many Operational Technology (OT) projects start with identifying the requirements and then diving straigh...
Achal Lekhi Nov 16, 2021 5:30:00 AM