
Cyber Risk

Cyber risk is the possibility that an Industrial Automation and Control System (IACS) will be compromised through unauthorised access, use, modification, disruption or destruction, resulting in adverse consequences to operations, personnel safety, the environment or the organisation.

Unlike traditional IT systems, cyber incidents within industrial environments can have real-world physical consequences, including production outages, equipment damage, environmental harm and safety incidents. Understanding cyber risk enables organisations to implement appropriate security controls and make informed business decisions.

Cyber Risk Summary
Cyber Risk overview for Industrial Automation and Control Systems.

Understanding Cyber Risk

Cyber risk is determined by three primary factors:

Risk = Threat × Vulnerability × Consequence

Risk increases whenever any one of these three factors increases. Reducing threats, removing vulnerabilities, or limiting consequences all contribute to lowering overall cyber risk.


Threat

A threat is any person, event or circumstance capable of causing harm to an Industrial Automation and Control System.

Examples include:

Vulnerability

A vulnerability is a weakness that could be exploited by a threat actor.

Examples include:

Consequence

Consequences describe the impact if a vulnerability is successfully exploited.

Potential impacts include:

Reducing any one of the three components—Threat, Vulnerability or Consequence—reduces the overall level of cyber risk.

Risk Tolerance

Risk tolerance is the level of cyber risk that an organisation is willing to accept in pursuit of its business objectives.

It is established by management and balances:

Risk tolerance determines which risks require treatment and which risks may be accepted and monitored.


Cyber Risk Assessment

A cyber risk assessment identifies, analyses and evaluates cyber risks to determine appropriate security controls.

Typical Process

  1. Identify assets.
  2. Identify threats.
  3. Identify vulnerabilities.
  4. Assess likelihood.
  5. Assess consequences.
  6. Determine the risk level.
  7. Select appropriate risk treatment.
  8. Review residual risk and monitor continuously.

Risk assessments should be repeated whenever significant changes occur within the IACS, including network modifications, software upgrades or new equipment installations.


Risk Treatment Strategies

| Strategy | Purpose | Typical Application |
|---|---|---|
| Avoid | Eliminate the source of the risk. | High likelihood / High consequence risks. |
| Transfer | Transfer financial or operational responsibility. | Low likelihood / High consequence risks. |
| Reduce (Mitigate) | Lower the likelihood or consequences. | Most industrial cybersecurity risks. |
| Accept | Retain and monitor the risk. | Low likelihood / Low consequence risks. |

1. Avoid

Avoidance removes the source of the risk entirely.

2. Transfer

Transfer shifts responsibility for managing the consequences of a cyber incident to another party.

Risk transfer does not eliminate cyber risk; it simply reallocates responsibility.

3. Reduce (Mitigate)

Mitigation is the most common strategy in Industrial Automation and Control Systems.

Common controls include:

4. Accept

Risk acceptance is a conscious management decision that further mitigation is not currently justified.

Acceptance requires:

Accepted risks should be reviewed periodically as threats, vulnerabilities and business priorities change.
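
The scoring, tolerance check, treatment selection and residual-risk review described above, as an added worked example (not code from this page). The 1-5 scales, the HIGH threshold, the tolerance value, the min() likelihood rule and the sample register are all assumptions, since the page defines no scales.

```python
from dataclasses import dataclass, replace

# Assumptions (the page defines no scales): factors are scored 1-5, a value
# >= HIGH is "high", TOLERANCE is the management-set ceiling on the product.
HIGH, TOLERANCE = 4, 20

@dataclass(frozen=True)
class Risk:
    asset: str
    threat: int
    vulnerability: int
    consequence: int

    @property
    def score(self) -> int:
        return self.threat * self.vulnerability * self.consequence

    @property
    def likelihood(self) -> int:
        # Assumption: likelihood follows the weaker of threat and vulnerability.
        return min(self.threat, self.vulnerability)

def select_treatment(r: Risk) -> str:
    """Map likelihood and consequence onto the page's four strategies."""
    high_l, high_c = r.likelihood >= HIGH, r.consequence >= HIGH
    if high_l and high_c:
        return "Avoid"
    if high_c:
        return "Transfer"
    if not high_l and r.score <= TOLERANCE:
        return "Accept"
    return "Reduce"

def mitigate(r: Risk, reduction: int) -> Risk:
    """Residual risk after a control lowers the vulnerability score."""
    return replace(r, vulnerability=max(1, r.vulnerability - reduction))

REGISTER = [  # constructed sample register, not data from the page
    Risk("engineering workstation", 4, 4, 5),
    Risk("historian server", 2, 3, 4),
    Risk("HMI panel", 3, 4, 3),
    Risk("label printer", 2, 2, 2),
]

def assess(register):
    """Rank risks by score, highest first, with the selected treatment."""
    ranked = sorted(register, key=lambda r: r.score, reverse=True)
    return [(r.asset, r.score, select_treatment(r)) for r in ranked]

if __name__ == "__main__":
    print(*assess(REGISTER), sep="\n")
```

Calling mitigate() on the "HMI panel" entry with a reduction of 2 lowers its score from 36 to 18, which falls within the assumed tolerance and moves it from Reduce to Accept.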


Engineering Perspective

Industrial organisations rarely eliminate every cyber risk. Instead, they aim to reduce risk to an acceptable level while maintaining operational availability, safety and business continuity.

Examples include:

Effective cyber risk management balances security, operational availability, safety, regulatory compliance and implementation cost.


Key Takeaways