Security Risk Assessment Service
This service provides an IEC 62443 based process for performing a security risk assessment. The assessment guides the organization through assessing the security risks to the control system and proposes a plan for prioritizing the threats and risks to that system.
The service is carried out in several steps according to IEC 62443, grouped into the parts described below.
Part 1 – High Level Risk Assessment
In accordance with IEC 62443, a high-level cyber security risk assessment (HLRA) of the system under consideration (SuC) is carried out first to obtain an overview of the worst-case risks. It is important to perform such an HLRA of the system as a whole before breaking it down into sub-systems, since critical hazards and risks may be overlooked when the parts are examined in isolation. System-wide risks are therefore identified first, and risks arising from interdependencies between systems and processes are evaluated.
The output documentation is a list of scenarios describing how threats could exploit particular types of vulnerabilities to damage system assets, resulting in negative consequences. The output may also be used to partition the system under consideration into zones and conduits as described in IEC 62443.
Part 2 – Detailed Risk Assessment
The prioritized detailed security risk assessments of zones and conduits will be carried out according to the process described in IEC 62443. An ABB template is used to assist in carrying out the detailed security risk assessments.
Part 3 – Documentation, requirements specification and acceptance of results
During part 3, ABB will assist the customer in documenting the security requirements, assumptions and constraints.