Risk Assessment Considerations Using the ISA/IEC 62443-3-2 Risk Assessment Process

Industrial Cybersecurity Risk Management (ICRM) has become an increasingly visible topic with many organizations discussing it and proposing different methods to assess it. Organizations realize that they need to understand the risks to their business considering the ever more complex systems of systems and convergence of IT and OT. For large organizations or those that are subject to many of the safety-related requirements to conduct process hazards analyses, the idea of conducting risk assessments is nothing new; however, the idea of incorporating cybersecurity aspects to those risk assessments can be.

In 2020, the ISA/IEC 62443-3-2 standard was released that described a method for conducting risk assessments and assigning target security levels to ICS/OT environments. This process, while straight forward, can seem daunting for many asset owners that are new to ICRM, especially for smaller to medium-sized organizations that may be resource constrained. They may turn to external third-party organizations to assist in the risk assessment process. Whether conducting a risk assessment in-house or involving a third-party assessor, there are some decisions that need to be made and some different aspects that need to be discussed during the assessment. This presentation will go through the ISA/IEC 62443-3-2 risk assessment process and discuss some of the different aspects that need to be considered along the way.

Speaker: Jim Gilsinn, Technical Leader, Professional Services, Dragos

https://www.linkedin.com/in/jimgilsinn/