
POWERING RESILIENCE

IEC 62443-3-2
RISK ASSESSMENT

www.sectrio.com
Utility/Usage guideline
This document is intended as a primer for aligning the requirements of ISA/IEC 62443-3-2 with
industrial automation and control system (IACS) cyber security risk assessment. With due diligence and
analysis of security requirements, this assessment can be applied to many sectors, including
manufacturing, utilities, ports, building automation and management, water treatment, healthcare,
and aviation.

This e-book can be used at the assessment design stage to plan the assessment.

ISA/IEC 62443-3-2 deals with security risk assessment, system segmentation, and Security Levels.
ISA/IEC 62443-3-2 views ICS security as a function of risk management, which should consider
contextual threat impact, vulnerability exposure, likelihood, and asset value. These inputs can
guide the application of ICS security countermeasures to minimize cyber risks.

Planning an assessment
An outcome-oriented cyber security risk assessment plan involves the following:
• A deep understanding of the process and steps needed to identify vulnerabilities, threats and
potential disruptions, and to map them to the consequences of a cyberattack
• Ranking the risks that emerge from the above
• Implementing measures to lower such risks and to keep them within acceptable thresholds

The process can then be further subdivided into:

• Fingerprinting the System Under Consideration (SUC) and its operational spread
• Conducting an initial cyber risk assessment to determine the contours of the applicable risk
factors
• Segmenting the systems into zones
• Executing the comprehensive cyber risk assessment program/process
• Revisiting any of the above stages if deficiencies in approach or outcome are discovered

This document also intends to offer a shape, form and design to the ISA/IEC 62443-3-2-based
assessment process.

Steps:

• Identify the system being considered and its boundaries
• Divide the system into zones
• Analyze initial risk level data; derive a security level inference
• Conduct the initial assessment; determine the initial level of risk exposure
• Document the level of compliance and the gaps
• Identify and document assumptions, data gaps and constraints
• Use this data to plan the comprehensive risk assessment exercise

Focus areas for the initial assessment
The initial assessment should set the tone for the comprehensive assessment exercise that follows.
That said, the initial assessment should not be seen merely as an enabler for the next
assessment. It stands on its own, and if done right, the gaps it identifies can be
addressed as action items in their own right.

The following should be the focus areas for an initial assessment:

• Worst-case scenario after a breach: when an event happens, what could be the worst possible
impact on infrastructure?
• Medium-impact risks that could cause a compliance issue
• Identifying the highest areas of risk: processes, configurations, or potential security gaps that may
lead to maximum disruption
• Identifying the device/zone target security levels (SL-T)
• Establishing zones and conduits

The approach can be simplified into the following steps:

• Defining the system under consideration for the ICS and associated networks
• Segmenting the SUC into effectively secured zones, sub-zones and conduits
• Establishing SL-Ts (Target Security Levels) and SL-Cs (Capability Security Levels) for each
established zone, conduit and asset
• Documenting the steps required to attain the Target Security Level

Defining Zones and Conduits

A ‘Zone’ is defined as a collection of logical, operational or physical assets grouped by their
degree of risk exposure or by other factors such as asset significance, operational purpose,
physical location, associated threat surface, required access, asset owner, or any other factor that
helps in assigning a logical category.

A conduit is a set of communication channels that link two or more zones with similar
security requirements. Segmenting the SUC into distinct zones and conduits is an essential step in the
risk assessment process. The first step in segmenting the SUC is the identification of assets
that share security features. Segmenting networks reduces the risks associated with a cyberattack,
and ISA/IEC 62443-3-2 recommends the following approach for segmenting the SUC:

• Each zone should have a clear border
• A zone can have sub-zones that meet the security requirements of the primary zone
• Assets within the zone must be protected to an adequate security level (SL-T)
• Assets outside such zones are governed by a different set of rules
• The border is used to define access to another zone or to the outside of the system
• Access is via electronic communication channels or the physical movement of people or
equipment
• Accesses are functionally grouped into conduits

Initial risk assessment template

Template columns:
• Org. identifier
• Assessor qualification
• Security perimeter
• Connected segments and zones
• Dataflows associated with each access point
• Asset inventory and related access points
• Target security level
• Specific compliance mandates applicable
• External dependencies
• Internal risks
• Risk matrix score

An initial assessment can also be repeated if the outcome is not satisfactory. Further, with more than one round of initial assessment, more
objectivity can be brought into the process. Sectrio recommends that the assessment be conducted in an unbiased manner that takes into account
both high-impact and low-impact risks.

Establishing the risk matrix
A risk can entail many factors, including the probability of an adverse event occurring and leading to a loss
of life or assets, damage to the environment, data loss, or loss of production time. To calculate
a risk factor, the following equation can be used:

Risk = consequence × likelihood

Risk matrix (ease of exploitation vs. consequence/impact):

  Ease of exploitation | Minor   | Moderate | Major
  Low                  | Medium  | High     | High
  Medium               | Low     | Medium   | High
  High                 | Low     | Low      | Medium

Notes/definitions:
• Minor risk: score 1-5 (improve implementation of existing controls or enforce monitoring)
• Medium risk: score 5.1 to 10 (improve controls or deploy measures to lower risk)
• High risk: score 10.1 and above (requires immediate remediation, as existing controls are not effective)

Mapping risk probability

Understanding the likelihood of a risk turning into an event is essential to allocating capital, in the form
of resources and attention, to it. The probability scale starts at impossible and goes all the way up
to certain. Impossible covers a risk arising from a combination of events that each have only a remote chance
of playing out.

  Likelihood scale | Guideword  | Likelihood description                                | Frequency-based guidance
  1                | Certain    | Almost certain                                        | >10^-1 per year (high demand)
  2                | Likely     | Likely to occur                                       | 10^-1 to 10^-3 per year (low demand)
  3                | Possible   | Quite possible or not unusual to occur                | 10^-3 to 10^-4 per year
  4                | Unlikely   | Conceivably possible, but very unlikely to occur      | 10^-4 to 10^-5 per year
  5                | Remote     | So unlikely that it can be assumed it will not occur  | <10^-5 per year
  6                | Impossible | Could occur due to an extremely rare combination of factors; each of these factors has a probability of <10^-5 per year | <10^-6 per year
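As an added example (not from the Sectrio e-book), the following Python encodes the risk matrix, the score bands and the likelihood scale above so that a single threat event can be rated consistently. The numeric weights for consequence (1-3) and likelihood (1-6, with Certain weighted highest) are assumptions; the document gives only the qualitative matrix and the score bands.

```python
# Added example (not from the Sectrio document): encodes the e-book's risk
# matrix, score bands and likelihood scale so that one threat event can be
# rated consistently. Numeric weights are assumptions, not from the document.

# Qualitative matrix from the document: ease of exploitation (rows) vs
# consequence/impact (columns) -> risk level.
RISK_MATRIX = {
    "Low":    {"Minor": "Medium", "Moderate": "High",   "Major": "High"},
    "Medium": {"Minor": "Low",    "Moderate": "Medium", "Major": "High"},
    "High":   {"Minor": "Low",    "Moderate": "Low",    "Major": "Medium"},
}

# Likelihood scale from the document, as (exclusive lower bound in
# events/year, rank, guideword), checked from most to least frequent.
LIKELIHOOD_SCALE = [
    (1e-1, 1, "Certain"),
    (1e-3, 2, "Likely"),
    (1e-4, 3, "Possible"),
    (1e-5, 4, "Unlikely"),
    (1e-6, 5, "Remote"),
    (0.0,  6, "Impossible"),
]

# Assumed weight per consequence class (the document does not give one).
CONSEQUENCE_WEIGHT = {"Minor": 1, "Moderate": 2, "Major": 3}


def likelihood_rank(events_per_year):
    """Map an estimated annual frequency to the document's 1-6 scale."""
    for lower, rank, word in LIKELIHOOD_SCALE:
        if events_per_year > lower:
            return rank, word
    return 6, "Impossible"  # zero frequency


def risk_band(score):
    """Document's bands: 1-5 Minor, 5.1-10 Medium, 10.1 and above High."""
    if score <= 5:
        return "Minor"
    if score <= 10:
        return "Medium"
    return "High"


def rate_event(consequence, events_per_year, ease):
    """Risk = consequence x likelihood, plus the qualitative matrix lookup."""
    rank, word = likelihood_rank(events_per_year)
    score = CONSEQUENCE_WEIGHT[consequence] * (7 - rank)  # assumed: Certain=6 ... Impossible=1
    return {"likelihood": word, "score": score, "band": risk_band(score),
            "matrix_level": RISK_MATRIX[ease][consequence]}


if __name__ == "__main__":
    # Constructed sample: Major consequence, once in ~20 years, low ease of exploitation.
    print(rate_event("Major", 0.05, "Low"))
```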

Methodology
ISA/IEC 62443-3-2-based assessments should include the following assessment components:
• Identifying the SUC
• Vulnerability assessment: to be conducted at the following levels:
◦ Device vulnerabilities: conduct a security level capability assessment using the requirements
mentioned in ISA/IEC 62443-4-2. This assessment will identify gaps in the technical
capabilities of devices in the context of the security level target of the zone where these
devices are to be deployed.
◦ Check for published device vulnerabilities: known vulnerabilities can be documented
◦ Patch latency: is there a gap between the release of a patch and its deployment?
• Technical gaps: identify the gaps between existing technical measures and the target security
levels using the requirements mentioned in ANSI/ISA 62443-3-3
• Process gaps: Process gaps may emerge from security blind spots. If the existing processes are
not adequate from an implementation security or performance perspective, then security gaps are
bound to emerge. The existing processes and technical measures can be compared with ISA/IEC
62443-2-1 to get a complete and actionable view of the gaps. Maturity levels of the processes can
also be determined as part of this assessment. The following process can be followed to identify
process gaps:
◦ Document all technical and process measures across zones
◦ Document zone-specific measures
◦ Document all organizational measures that are necessary to support specific technical
measures.
◦ Assess each measure and document the results
• System integration gaps: when integration testing is not carried out before a device is deployed,
security issues could emerge.
• System observability gaps: gaps arising from a lack of adequate visibility into system operations
and behavior
• Network-related security issues: vulnerabilities arising out of poor network management
practices including lack of segmentation and visibility. Lack of architecture review at an initial
stage and reviews later contribute to this challenge.
• People-related vulnerabilities: these arise from unregulated/excess privileges, a lack of training or
governance, or unmonitored insider activity.

To help with the assessment, we have developed an assessment tool, which is presented at the end of this document.

Site and impact assessments
For systems where there is a risk of a kinetic attack resulting in loss of life, it is
recommended that an additional level of assessment be conducted to:
• Prioritize sites based on the risk of a major cyberattack or damage
• Study and prioritize consequences
• Assess the present level of mitigation and whether it matches the level of risk exposure
• Map situations and impacts to risks
• Analyze likely targets (assets, functions and systems)

Asset risk assessment

An asset-risk view enriches the impact of an assessment exercise. Asset-based assessment takes
into account the following aspects:
◦ Preparation and categorization of assets along with operational sensitivities
◦ Target Analysis (The likelihood of such critical assets being attacked)
◦ Threat Analysis (Identification of specific or generic threat agents and objective/type of threat)
◦ Identification of vulnerabilities
◦ Identification of consequences
◦ Estimation and categorization of risks
◦ Identification of recommendations
◦ Documentation and reporting
◦ Follow-up

Questions to ask your IACS risk assessment vendor or team

• Will your assessment require any part of the plant to be shut down or rendered inoperative?
• How will you ensure that the pcaps (packet captures) are handled securely?
• How will your tools read the unique protocols that my devices use?
• If any severe vulnerabilities are discovered, what will be the next steps? Can you help us
address them?
• Will business impact be considered as a factor while delineating SUCs?
• What is your assessment framework, and what will you be looking for in our networks?
• Will you also be looking at aspects such as firewall configuration?
• How will you assess threats in an air-gapped environment?
• How will the interviews be conducted? How will the responses be evaluated?
• How do you calculate the risk score of a security issue?
• How is the cybersecurity maturity score derived?
• What industrial standards will be considered?
• How will device-level issues be identified?
• What will be the next steps after the assessment? When will the report be shared?
• What will be the nature of the recommendations shared?

Recommendations and considerations for assessment

Assessment aspect: Asset
Points to consider/Checklist:
• Target analysis (likelihood that identified critical assets will be attacked)
• Establish SL-Cs
• Device-level risk exposure
• Level of device hardening/minimization of overall threat exposure
• Threat analysis (identification of threat agents and purpose/type of threat)
• Identification of vulnerabilities
• Identification of consequences
• Estimation and prioritization of risks
• Identification of recommendations
• Documentation and reporting
What to watch out for:
• Objectivity in the identification of risks associated with assets
• System interdependence and its impact on risk exposure
• Asset-level risks should be mapped to consequences and likelihood of occurrence

Assessment aspect: Risk exposure
Points to consider/Checklist:
• Identify aspects that directly or indirectly contribute to risk exposure
• Quantify to measure risk exposure
• Identify scenarios linked to risk exposure
• Prioritize variables
• Map exposure level to consequence
What to watch out for:
• Validate risk exposure in an objective manner

Assessment aspect: As-is analysis
Points to consider/Checklist:
• Present state of the system, security measures and key variables that impact risk exposure
• An attempt should be made to map as many such variables as possible to draw an objective
picture of the present state
What to watch out for:
• This should be treated as a starting point for the initial assessment

Assessment aspect: Risk score
Points to consider/Checklist:
• Break the score down into as many quantifiable metrics as possible, including, for instance,
scores related to devices, processes, people, situations, supply chains, networks, threat
environment, etc.
• The scoring should be done in an objective manner with little scope for bias to influence the
process
• Validate the risk score by changing variables and scenarios. Does the score remain the same
or does it vary significantly?
What to watch out for:
• The approach and the scoring should be granular, objective and aligned with outcomes

Assessment aspect: Zones and conduits
Points to consider/Checklist (characteristics that should be documented for zones and conduits):
• Unique identifier/tag
• Physical and/or logical boundary
• Entry points (integrations, wireless, remote access …)
• External and internal data flows within a zone
• Assets and services
• Connected zones
• Security requirements
• Target security level
• Security policies
• Assumptions and dependencies
What to watch out for:
• Clear identification of zones with data flow traceability

Assessment aspect: Roles and responsibilities
Points to consider/Checklist:
• Clearly delineated roles for assessors and participants
What to watch out for:
• Stakeholder involvement is necessary

Assessment aspect: Validation of findings
Points to consider/Checklist:
• Validation should ideally be done after the plant is restarted
• Validation can also be done in series after the first round of assessment is completed

Risk assessment support and data capture tool (applicable to all zones and conduits)

Columns to capture for each threat event:
• Category of threat
• Description of threat event
• Threat source
• Vector
• Vulnerability
• Event that led to the consequence
• Maximum consequence (people, assets, environment, compliance)
• Severity rank
• Probability of occurrence
• Risk rating
• SL-Target for the zone
• Is the risk level tolerable?
• Countermeasures
• Strength of countermeasures
• Re-evaluation of likelihood in view of countermeasures
• Residual risk
• Is the level of residual risk tolerable?
• New countermeasures
• Strength of new countermeasures
• Residual risk after new countermeasures
• Is the level of residual risk tolerable?

Threat categories (one row each):
• Authorization attack
• Communication attack
• DDoS
• Data leak
• Integrity violation
• Reconnaissance
• Malware
• Social engineering
• Supplier compromise
• Insider activity
• Process failure
• Tech issue
• Open port compromise

ABOUT SECTRIO

[Map: Sectrio ISOC and security operations locations and honeypot locations: London, Spain, Qatar, Toronto, Dubai, Seattle, Myanmar, Mumbai, Portugal, Malta, Denver, Kuwait, Hong Kong, Saudi, Ivory Coast, Ghana, Bangalore, Malaysia, Singapore, Botswana, Johannesburg, Sydney]

Sectrio is a division of Subex Digital LLP, a wholly owned subsidiary of Subex Limited. Sectrio is a
market and technology leader in the Internet of Things (IoT), Operational Technology (OT) and 5G
Cybersecurity segments. We excel in securing the most critical assets, data, networks, supply chains,
and device architectures across geographies and scale on a single platform. Sectrio today runs the
largest IoT and OT focused threat intelligence gathering facility in the world. To learn more visit:
www.sectrio.com

INDIA
Pritech Park-SEZ, Block 9, 4th Floor, B Wing, Survey No. 51 to 64/4, Outer Ring Road, Bellandur Village, Varthur Hobli, Bangalore – 560 103
Tel : +91 80 6659 8700, Fax : +91 80 6696 3333

AMERICAS
Westminster: 1499 W. 120th Ave, Ste 210, Westminster, CO 80234
Tel : +1 303 301 6200, Fax : +1 303 301 6201

EUROPE
1st Floor, Rama Apartment, 17 St Ann’s Road, Harrow, Middlesex, HA1 1JU
Tel : +44 207 8265300, Fax : +44 207 8265352

REGIONAL - MUMBAI
Level 13, R-Tech Park, Nirlon Knowledge Park, Goregaon (East), Mumbai - 400063, India
Tel : +91-22-4476 4567

MIDDLE EAST & AFRICA
#Office number 722, Building number 6WA, Dubai Airport Free Zone Authority (DAFZA), Dubai, United Arab Emirates
Tel : +9 714 214 6700, Fax : +9 714 214 6714

ASIA PACIFIC
175A Bencoolen Street, #08-03 Burlington Square, Singapore 189650
Tel : +65 6338 1218, Fax : +65 6338 1216

twitter.com/SectrioOfficial | facebook.com/SectrioOfficial | instagram.com/sectrio_official | linkedin.com/company/Sectrio | info@sectrio.com
