The draft standard, ISA-62443-3-2, requires that a cybersecurity risk assessment be performed for industrial automation and control systems to determine target security levels. The standard provides a basis for specifying security countermeasures by aligning risk-ranked vulnerabilities with security capabilities in ISA-62443-3-3.
The draft standard relies on the use of risk matrices. However, risk analysis professionals have recommended against their use because of underlying flaws in their structure. Furthermore, security risks are fundamentally different from safety risks. The former arise from deliberate acts and the latter from random events. This difference is crucial in risk assessment. Methods that have been used successfully for safety risks cannot necessarily be used for security risks. First, the validity of using a probabilistic model to address security risks can be challenged. Second, security risks are dynamic because adversaries are intelligent and adaptive. The use of static risk models for security risks has received considerable criticism and dynamic models have been developed for terrorism risk. Other issues include the advisability of using worst-case consequence scenarios which may not represent the real risk, time dependencies in risk modeling, and the absence of meaningful security risk tolerance criteria.
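The structural flaws referred to above can be made concrete with numbers. The following Python is an added illustration, not code from the article or from the ISA-62443 standard: it scores risks on a 5x5 matrix built from ordinal likelihood and consequence ratings (the common convention of multiplying the two ratings is assumed) and compares that ordering with expected loss. The bin edges and the four scenarios are constructed for this example. Scenario pair A/B shows rank reversal (the matrix ranks B above A although A carries roughly eight times the expected loss), and pair C/D shows range compression (both land in the same cell although their expected losses differ by almost thirty times).

```python
"""Constructed example: an ordinal 5x5 risk matrix versus expected loss.
Not code from the article or the standard; bin edges and scenarios are assumed."""

from dataclasses import dataclass

# Constructed bin edges (assumption). A value at or above an edge moves up one rating.
LIKELIHOOD_EDGES = [0.02, 0.1, 0.3, 0.6]   # annual probability -> rating 1..5
CONSEQUENCE_EDGES = [1e4, 1e5, 1e6, 1e7]   # loss in USD        -> rating 1..5


def rating(value, edges):
    """Ordinal rating 1..5: one plus the number of edges the value meets or exceeds."""
    return 1 + sum(1 for edge in edges if value >= edge)


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: float   # annual probability that the scenario occurs
    consequence: float  # loss in USD if it does occur

    def matrix_score(self):
        """Cell score: product of the two ordinal ratings (assumed convention)."""
        return rating(self.likelihood, LIKELIHOOD_EDGES) * rating(self.consequence, CONSEQUENCE_EDGES)

    def expected_loss(self):
        """Quantitative comparison point: likelihood times consequence."""
        return self.likelihood * self.consequence


def rank_by_matrix(risks):
    """Names ordered from highest to lowest matrix cell score."""
    return [r.name for r in sorted(risks, key=lambda r: r.matrix_score(), reverse=True)]


def rank_by_expected_loss(risks):
    """Names ordered from highest to lowest expected loss."""
    return [r.name for r in sorted(risks, key=lambda r: r.expected_loss(), reverse=True)]


def same_cell(risks):
    """True when every risk in the list receives the same matrix cell score."""
    return len({r.matrix_score() for r in risks}) == 1


def loss_ratio(risks):
    """Largest expected loss divided by the smallest, for a list of risks."""
    losses = [r.expected_loss() for r in risks]
    return max(losses) / min(losses)


# Constructed scenarios (assumption): values chosen to sit just either side of bin edges.
RANK_REVERSAL = [Risk("A", 0.29, 9_000_000), Risk("B", 0.31, 1_000_000)]
SAME_CELL = [Risk("C", 0.10, 100_000), Risk("D", 0.29, 990_000)]


if __name__ == "__main__":
    for label, risks in (("rank reversal", RANK_REVERSAL), ("range compression", SAME_CELL)):
        print(f"{label}:")
        for r in risks:
            print(f"  {r.name}: cell score {r.matrix_score():2d}, expected loss {r.expected_loss():,.0f} USD")
        print("  matrix order        :", rank_by_matrix(risks))
        print("  expected-loss order :", rank_by_expected_loss(risks))
        print("  same cell:", same_cell(risks), " loss ratio: %.1f" % loss_ratio(risks))
```

Neither effect depends on the particular edges chosen: any finite set of ordinal bins creates cells whose members span a wide range of expected loss, and cells can be ordered so that a lower-loss scenario outranks a higher-loss one. The example uses expected loss only as a yardstick for the matrix; whether a probabilistic yardstick is itself appropriate for deliberate, adaptive adversaries is the separate question the article raises.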
These topics are discussed in the article:
P. Baybutt, Issues for Security Risk Assessment in the Process Industries, Journal of Loss Prevention in the Process Industries, DOI 10.1016/j.jlp.2017.05.023.