Cyber risk is the possibility that an Industrial Automation and Control System (IACS) will be compromised through unauthorised access, use, modification, disruption or destruction, resulting in adverse consequences to operations, personnel safety, the environment or the organisation.
Unlike traditional IT systems, cyber incidents within industrial environments can have real-world physical consequences, including production outages, equipment damage, environmental harm and safety incidents. Understanding cyber risk enables organisations to implement appropriate security controls and make informed business decisions.
Cyber risk is determined by three primary factors: threats, vulnerabilities and consequences.
Risk increases whenever any one of these three factors increases. Reducing threats, removing vulnerabilities, or limiting consequences all contribute to lowering overall cyber risk.
A threat is any person, event or circumstance capable of causing harm to an Industrial Automation and Control System.
Examples include:
A vulnerability is a weakness that could be exploited by a threat actor.
Examples include:
Consequences describe the impact if a vulnerability is successfully exploited.
Potential impacts include:
Risk tolerance is the level of cyber risk that an organisation is willing to accept in pursuit of its business objectives.
It is established by management and balances:
Risk tolerance determines which risks require treatment and which risks may be accepted and monitored.
A cyber risk assessment identifies, analyses and evaluates cyber risks to determine appropriate security controls.
Risk assessments should be repeated whenever significant changes occur within the IACS, including network modifications, software upgrades or new equipment installations.
| Strategy | Purpose | Typical Application |
|---|---|---|
| Avoid | Eliminate the source of the risk. | High likelihood / High consequence risks. |
| Transfer | Transfer financial or operational responsibility. | Low likelihood / High consequence risks. |
| Reduce (Mitigate) | Lower the likelihood or consequences. | Most industrial cybersecurity risks. |
| Accept | Retain and monitor the risk. | Low likelihood / Low consequence risks. |
Avoidance removes the source of the risk entirely.
Transfer shifts responsibility for managing the consequences of a cyber incident to another party.
Mitigation is the most common strategy in Industrial Automation and Control Systems.
Common controls include:
Risk acceptance is a conscious management decision that further mitigation is not currently justified.
Acceptance requires:
Accepted risks should be reviewed periodically as threats, vulnerabilities and business priorities change.
Industrial organisations rarely eliminate every cyber risk. Instead, they aim to reduce risk to an acceptable level while maintaining operational availability, safety and business continuity.
Examples include:
Effective cyber risk management balances security, operational availability, safety, regulatory compliance and implementation cost.