Operational Risk Matrix (ORM)
OVERVIEW
A risk matrix, also known as a probability matrix, negative matrix, risk assessment matrix, or impact matrix, is a risk analysis tool that helps evaluate risk by visualizing potential risks in a diagram. It allows one to weigh the severity of a potential risk against the probability that the risk will occur.
Risk matrices are useful for risk management because they visually represent the risks involved in a decision. They let you see the possible consequences of a choice easily and quickly. This helps you avoid worst-case scenarios by preparing contingencies, influencing the design of the system and the plant, and creating meaningful, effective mitigation actions.
The Objective
This document provides the basis for understanding and developing a risk matrix to be used with the WBS framework and with the RMS/ZCM System. The Industrial or Operational Risk Matrix must meet certain requirements, complemented by some additional rules, in order to satisfy all the requirements established by ISA/IEC-62443-3-2. The topics covered are:
- Risk Analysis Techniques
- RAGAGEP/OSHAS Requirements
- ISA/IEC-62443 Requirements
- ISA/IEC-61511/61508 Functional Safety Requirements for Cybersecurity
- Other Industrial Risk Disciplines
- Taking Good Decisions
- Using the Operational Risk Matrix on Industrial Cybersecurity
- Risk Receivers
- Impact Scale for Consequences
- Probability Scale
- Risk Levels
- Industrial Cybersecurity Risk Reduction Factor (CRRF)
Risk Analysis Techniques
There is a wide variety of matrices available for calculating operational risk. The matrix used depends on the context of the organization, the experience of the professionals who build it, and the points considered relevant within it. The important point is that the WBS can use all the different types of Operational Risk Matrix.
There are different techniques for sizing risk, all of them framed in three technical methods: Qualitative, Semi-Quantitative and Quantitative.

For the examples in this document we use the Semi-Quantitative technique. It is easy to use and understand: relative ranges are established to represent the probabilities of occurrence of the consequences that affect the different risk receptors.
For people who are not familiar with Operational Risk Matrices (industrial environments), understanding how all of this works together is very important. We have packed decades of experience into the WBS, one easy-to-use system for managing industrial cybersecurity risk. Understanding the theory and having the experience are two different things, and both are required.
These matrices have different dimensions and depth levels, which depend on the context and on the measurement scales that are defined. They can all be used in the WBS. A risk matrix that was never intended to frame industrial risk at the plant, however, may not be useful.
Logical Risk Matrix: this type of Operational Risk Matrix does not use numbers or numerical values. It uses words and concepts, which must be applied according to their own definitions. The strongest argument for this type of Risk Matrix is "Keep it Simple". It does the job well, and there is no doubt about it.
If you are new to Operational Risk Evaluation, logical matrices are probably the best way to learn the discipline. Think about this: "You are not going to learn math by using a calculator". You need to understand the basics and build the rationales.
2D Risk Matrix: this type of Operational Risk Matrix uses numbers. There are several variations, described by the following attributes of the matrix. The calculated risk has minimum and maximum values.
- Symmetry: symmetrical or asymmetrical across the diagonal.
- Shape: square or rectangular.
- Linear or non-linear: the increments in the numbers can be linear (e.g. 1, 2, 3, 4, 5, …) or non-linear (e.g. 1, 2, 4, 8, 16, …).
- Direction: incremental or decremental.
- Color codes: each color should have a meaning. It represents a range within the overall risk range and is very useful for decision-making.
- Rules on how to use the Operational Risk Matrix for decision-making: every company has its own rules. Learn the rules. Industrial Cybersecurity Risk Management must be consistent with the other Industrial Risk Disciplines.
3D Risk Matrix: this type of Risk Matrix uses numbers and introduces a third dimension into the evaluation of the risk. The strongest argument for this type of Risk Matrix is that risk is dynamic and varies over time based on other factors; risk has a dynamic behavior. The same attributes apply in 3D. Typically these matrices are non-linear.
One 3D method widely used in Operational Risk applications is the Fine-Kinney method (Risk = Probability x Exposure x Consequence). All of these types of Risk Matrix can comply with the RAGAGEP/OSHAS and ISA/IEC-62443 sets of requirements, and all of them are good for Industrial Cybersecurity Risk. The best ORM is the matrix of the plant already in use by the other industrial risk disciplines.
RAGAGEP/OSHAS Requirements
It is essential to consider the RAGAGEP/OSHAS requirements when carrying out a risk assessment following the ISA/IEC-62443 methodology, whose main objective is the protection of the risk receptors.
The U.S. Occupational Safety and Health Act of 1970 created the Occupational Safety and Health Administration (OSHA), part of the U.S. Department of Labor. Its purpose is to ensure safe and healthful working conditions for working men and women by setting and enforcing standards and by providing training, outreach, education and assistance.
In 1992, OSHA issued the Process Safety Management (PSM) standard, 29 CFR 1910.119, which consists of organizational and operational procedural requirements for preventing or minimizing the consequences of catastrophic releases of toxic, reactive, flammable, or explosive chemicals.
U.S. facilities holding covered chemicals above the listed threshold quantities (for example, 10,000 pounds of a flammable liquid or gas) must comply with the PSM standard. PSM is a performance-oriented standard that gives employers flexibility in how they meet its requirements; it refers directly to, and relies on, Recognized And Generally Accepted Good Engineering Practices (RAGAGEP).
Recognized And Generally Accepted Good Engineering Practices (RAGAGEP) are the basis for engineering, operation or maintenance activities and are in turn based on established codes, standards, published technical reports, recommended practices (RP) or similar documents.
For more information visit: https://www.osha.gov/laws-regs/standardinterpretations/2016-05-11
ISA/IEC-62443 Requirements
Even though it still uses a "probability", ISA/IEC-62443-3-2 applies a proven, scientific method for evaluating industrial risk and taking good decisions, one that really mitigates risk by influencing the redesign (existing systems) or the design (new systems) of the system and of the plant as a whole. Don't be confused: our system is scientific, not merely statistical.
The ISA99 Committee introduces the requirements through several documents. These requirements must be interpreted appropriately and used accordingly in order to take good, sound decisions that mitigate risk. The objective of ISA/IEC-62443 is to mitigate, reduce, transfer, or eliminate the risk using scientific methods, engineering, rationales and technical knowledge, not mere statistics.
ISA/IEC-62443 defines a set of requirements for using the Operational or Industrial Risk Matrix to evaluate Industrial Cybersecurity Risk and take good decisions.
A Good Decision: an effective and efficient decision produced during an Industrial Cybersecurity Risk Evaluation that contributes to mitigating the Intolerable Risk. This is properly considered an investment.
A Not Good Decision: any action or initiative already taken and in place (existing), or taken but not yet implemented, that does not contribute to mitigating the Intolerable Risk, or whose effectiveness and efficiency are questionable. This is typically considered an expense.
Requirements obtained from ISA/IEC-62443-2-1:
- 4.2.3.1 Select a risk assessment methodology
- 4.2.3.2 Provide risk assessment background information
- 4.2.3.3 Conduct a high-level risk assessment
- 4.2.3.4 Identify the industrial automation and control systems
- 4.2.3.5 Develop simple network diagrams
- 4.2.3.6 Prioritize systems
- 4.2.3.7 Perform a detailed vulnerability assessment
- 4.2.3.8 Identify a detailed risk assessment methodology
- 4.2.3.9 Conduct a detailed risk assessment
- 4.2.3.10 Identify the reassessment frequency and triggering criteria
- 4.2.3.11 Integrate physical, HSE and cyber security risk assessment results
- 4.2.3.12 Conduct risk assessment throughout the lifecycle of the IACS
- 4.2.3.13 Document the risk assessment
Requirements obtained from ISA/IEC-62443-3-2:
- ZCR 1 Identify the System Under Consideration (SUC)
- ZCR 2 Perform a high-level cybersecurity risk assessment
- ZCR 3 Partition the SUC into zones and conduits
- ZCR 4 Determine whether the high-level risk exceeds tolerable risk
- ZCR 5 Perform a detailed cybersecurity risk assessment
- ZCR 6 Document requirement for additional security countermeasures
- ZCR 7 Asset owner approval
ISA/IEC-61511/61508 Functional Safety Requirements for Cybersecurity
When IEC 61511 was updated (Edition 2, 2016, clause 8.2.4), it required the Asset Owner to include an industrial cybersecurity (security risk) assessment as part of the functional safety evaluation, on the principle that a control system cannot be safe if it is not secure. While there are many industrial risk disciplines in the industrial environment, we bring this one to the reader's attention because the reader will find very familiar wording and working criteria. ISA/IEC-61511/61508 requires ISA/IEC-62443, but not vice versa: a Functional Safety Study requires an Industrial Cybersecurity Study, while an Industrial Cybersecurity Study does not require a Functional Safety Study.
The ISA84 Committee introduces the Functional Safety series of standards.
- IEC 61511/ISA-84 meets RAGAGEP (Recognized And Generally Accepted Good Engineering Practices).
- IEC 61511 is developed and used throughout the entire lifecycle of the plant/systems, in order to:
- Ensure that problems (catastrophes) that happened in the past do not repeat
- Provide a consistent approach to evaluating and mitigating the risk
- Provide the means to balance and mitigate the risk while maximizing plant performance
- Provide the tools to measure performance in a consistent way.
- Functional Safety (ISA84) and Industrial Cybersecurity (ISA99): a cybersecurity assessment should be performed to identify SIS (Safety Instrumented System) vulnerabilities. It should result in:
- A description of the devices covered by the risk analysis (SIS, BPCS, or any other device connected to the SIS).
- A description of the identified threats that may be exploited as a result of security events (including potential attacks on hardware and software, as well as unintentional events);
- A description of the potential consequences of the security events and their probability of occurrence.
- Consideration of security in the different phases: design, implementation, commissioning, operation and maintenance.
- Determination of the requirements for additional risk reduction.
Other Industrial Risk Disciplines
There are many Industrial Risk Disciplines, and they have a lot in common. Most Industrial Risk Disciplines share the same Risk Receivers, the same consequences, the same plant, the same assets, the same Asset Owner, the same control system, the same users, the same responsibility, and so on. The main difference between them is the causes that can lead to the final undesired or intolerable consequence. They should all use the same Operational Risk Matrix. Industrial Cybersecurity is an Industrial Risk Discipline, and all of these disciplines live in the Physical Domain.
Some of the many other Industrial Risk Disciplines are:
- Workers Safety
- Process Safety
- Environmental Safety
- Functional Safety
- Intrinsic Safety or Intrinsic Security
- FDA: 21 CFR 11 & HACCP
- … to mention only a few.
Taking Good Decisions
Industrial Cybersecurity is another Industrial Risk Management discipline, and it must be implemented consistently with the other risk disciplines for good, sound decisions. Every organization is unique, and every Operational Risk Matrix will be unique. An Operational Risk Matrix is typically part of a document with explanations, instructions, use criteria, rationales and rules.
The Good Decisions: those decisions produced during an Industrial Cybersecurity Risk Evaluation Study that contribute, effectively and efficiently, to mitigating the Intolerable Risk. From this point on these decisions are considered investments, not costs. Good decisions within the RMS/WBS system can be grouped into two types:
- (a) Decisions, actions, changes, requirements and/or countermeasures introduced to effectively and efficiently prevent the multiple types of threats from compromising the Cyber-Asset Components.
- (b) Decisions, actions and changes introduced in the organization (governance), the systems (technology) and the plant (physical), influencing the redesign (existing) or the design (future) in order to eliminate the risk or reduce the impacts.
Not Good Decisions: there are two types of wrong decision, typically the result of incorrect rationales, wrong rules and wrong criteria:
- (a) Actions or initiatives already taken and in place (existing), or taken but not yet implemented, that do not contribute to effectively and efficiently mitigating the Intolerable Risk. These are properly considered an expense or cost.
- (b) Decisions that should have been taken to effectively mitigate the Industrial Cybersecurity Risk but were not. The Industrial Cybersecurity Risk is still there, not yet mitigated.
| Why are many organizations still failing to take good and sound decisions? |
| Reason #1: Professionals (organizations) don't know the standards, don't have experience, don't understand them, or are biased by their own business interests. Consider this: "Since Stuxnet, Industrial Cybersecurity became a business, for good or bad". OT is different from IT. Two different problems cannot be solved with the same method; a different approach is required. |
| Reason #2: Professionals (organizations) know the standards but implement them wrongly. Beautiful policies and procedures and hundreds or thousands of ineffective Best Practices are created, but effectiveness, efficiency or know-how is lacking. Theory (knowledge) and practice (experience) are two faces of the same coin. Nice, beautifully written documents do not guarantee success in mitigating industrial cybersecurity risk. |
| Reason #3: The board of the organization (Asset Owner) simply does not consider the international standards important or relevant, is influenced by the wrong consultants/organizations, and/or is being pushed to implement costly and insufficient countermeasures. |
Principle #1: All the Risk Receivers and knowledgeable participants must be heard and considered during the decision-making process.
Warning #1: Knowledge must be shared and used appropriately. Many professionals and recognized organizations are using the wrong experience, the wrong criteria, the wrong methods, the wrong hypotheses and the wrong standards when evaluating risk and taking supposedly "good" decisions.
Using the Operational Risk Matrix on Industrial Cybersecurity
In constructing the operational risk matrix, a minimum set of elements must be considered to comply with the RAGAGEP/OSHAS and ISA/IEC-62443-3-2 requirements. This is where the Industrial Cybersecurity rules are set.
Industrial Cybersecurity Risk is defined as "Threat" times "Vulnerability" times "Impact (Consequence)". In other words, it can be read as "the probability that a certain threat exploits the vulnerabilities by means of a specific action, compromising the Cyber-Asset in a certain way and leading to the final consequence".
- Risk = Vulnerability x Threat x Impact (ISA/IEC-62443 definition)
But here we meet the first limitation in using Operational Risk Matrices for cybersecurity. Most Operational Risk Matrices use one of the following formulas:
- Risk = Probability x Impact (2D, logical or numeric)
- Risk = Probability x Exposure x Impact (3D, numeric)
When the Operational Risk Matrix is used within the RMS system, we replace the Probability as follows (this is explained further in the other RMS/WBS guides and documents):
- Probability = Threat x Vulnerability
- Exposure is typically introduced to give risk a dynamic behavior (3D).
Impact is the measure of the loss and damage associated with one or more consequences. We speak of consequences when the risk being evaluated concerns the impact on the risk receptors: health, safety, environment, financial impact, among others.
Before evaluating the risks, the components used in the industrial cybersecurity risk calculation must be identified. Following the formulas above, a typical linear 2D/3D risk assessment matrix uses the following main criteria, which form the common set of factors for evaluating the organization's risk universe:
- Risk Receivers (consolidated arrangement)
- Likelihood (the level of possibility)
- Exposure (3D, Dynamic Behavior of Risk)
- Consequence (the impact levels)
To be clear, the formulas above are only used to define the organization's risk matrix if it does not already have one. For the purposes of developing the WBS Framework, the following formula is used within the RMS system:
- Industrial Cyber Risk = Threat x Vulnerability x Impact of the Consequence (RMS/WBS)
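The following is an added worked example, not code from the page or from the RMS/WBS system. It builds the linear 5x5 semi-quantitative matrix described in this section, reproduces the Financial impact bands of Example 2 and the frequency bands of Example 3, applies the RMS substitution Probability = Threat x Vulnerability, consolidates the impact over all risk receivers, and places one constructed scenario on the matrix. Everything not on the page is an assumption and is labelled as such in the code: threat and vulnerability are each rated 1..5 and folded into the 1..5 likelihood scale as ceil(T x V / 5), the consolidated impact is the worst level over the receivers, the tolerable risk is 4 (the value used in the CRRF worked table later on this page), and the color bands above it are illustrative. The scenario, its ratings and the helper names are hypothetical.

```python
"""Semi-quantitative 2D Operational Risk Matrix for an industrial cyber scenario.

Added example (not the page's or the RMS/WBS system's own code).
Impact and frequency bands reproduce Example 2 and Example 3 of the page;
every other choice is an ASSUMPTION made for illustration.
"""
from dataclasses import dataclass
from math import ceil
from typing import Dict, Optional, Tuple

IMPACT_LABELS = {1: "Trivial", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Critical"}
LIKELIHOOD_LABELS = {1: "Improbable", 2: "Rare", 3: "Unlikely", 4: "Possible", 5: "Likely"}
TOLERABLE_RISK = 4  # ASSUMPTION: matches the tolerable risk used in the page's CRRF table


def _check_level(value: int) -> None:
    if not isinstance(value, int) or not 1 <= value <= 5:
        raise ValueError(f"level must be an integer in 1..5, got {value!r}")


def financial_impact_level(loss_usd: float) -> int:
    """Example 2, Financial receiver: USD loss -> severity level 1..5."""
    # (upper bound in USD, level); a loss at or above the last bound is level 5
    for upper, level in ((100_000, 1), (1_000_000, 2), (10_000_000, 3), (100_000_000, 4)):
        if loss_usd < upper:
            return level
    return 5


def frequency_likelihood_level(years_between_events: float) -> int:
    """Example 3: expected interval between events (years) -> likelihood level 1..5."""
    if years_between_events < 1:
        return 5  # more than once per year
    if years_between_events <= 5:
        return 4
    if years_between_events <= 10:
        return 3
    if years_between_events <= 100:
        return 2
    return 1  # less often than once in 100 years


def likelihood_from_threat_vulnerability(threat: int, vulnerability: int) -> int:
    """RMS substitution Probability = Threat x Vulnerability, each 1..5, rescaled to 1..5 (ASSUMPTION)."""
    _check_level(threat)
    _check_level(vulnerability)
    return ceil(threat * vulnerability / 5)


def build_matrix(likelihood_scale: Tuple[int, ...] = (1, 2, 3, 4, 5),
                 impact_scale: Tuple[int, ...] = (1, 2, 3, 4, 5)) -> Dict[Tuple[int, int], int]:
    """Risk = Probability x Impact for every cell, keyed by (likelihood level, impact level).

    A non-linear scale such as (1, 2, 4, 8, 16) gives a non-linear matrix; different
    scales on the two axes give an asymmetrical one.
    """
    return {(li, ii): lik * imp
            for li, lik in enumerate(likelihood_scale, start=1)
            for ii, imp in enumerate(impact_scale, start=1)}


def risk_band(risk: int) -> str:
    """Color code for the linear 1..25 matrix (ASSUMPTION: illustrative bands)."""
    if risk <= TOLERABLE_RISK:
        return "green"  # tolerable, no further reduction required
    if risk <= 9:
        return "yellow"
    if risk <= 16:
        return "orange"
    return "red"  # intolerable


@dataclass(frozen=True)
class Scenario:
    name: str
    threat: int
    vulnerability: int
    impacts: Dict[str, int]  # risk receiver -> impact level 1..5


def evaluate(scenario: Scenario, matrix: Optional[Dict[Tuple[int, int], int]] = None) -> dict:
    """Place one scenario on the matrix and report which receiver drives the result."""
    matrix = matrix or build_matrix()
    for level in scenario.impacts.values():
        _check_level(level)
    likelihood = likelihood_from_threat_vulnerability(scenario.threat, scenario.vulnerability)
    driver = max(scenario.impacts, key=scenario.impacts.get)  # worst receiver wins
    impact = scenario.impacts[driver]
    risk = matrix[(likelihood, impact)]
    return {"likelihood": likelihood, "impact": impact, "risk": risk,
            "band": risk_band(risk), "driving_receiver": driver}


# Constructed scenario (hypothetical, not from the page): an engineering workstation
# with a reachable, unpatched remote-access service lets an attacker change a BPCS setpoint.
SETPOINT_TAMPERING = Scenario(
    name="Unauthorised setpoint change via engineering workstation",
    threat=4,
    vulnerability=5,
    impacts={
        "safety": 4,                                     # one fatality possible
        "environment": 3,                                # release to soil
        "financial": financial_impact_level(2_500_000),  # level 3
    },
)

if __name__ == "__main__":
    result = evaluate(SETPOINT_TAMPERING)
    print(SETPOINT_TAMPERING.name)
    print(f"  likelihood {result['likelihood']} ({LIKELIHOOD_LABELS[result['likelihood']]}), "
          f"impact {result['impact']} ({IMPACT_LABELS[result['impact']]}) "
          f"driven by {result['driving_receiver']}")
    print(f"  risk {result['risk']} -> {result['band']}")
```

The consolidation step is the point to notice: the financial receiver alone would place this scenario at Moderate, but because the matrix carries all receivers, the safety receiver drives the cell to 16 and the decision that follows. Drop a receiver from the matrix and the same scenario would look tolerable.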
Risk Receivers
To build an Industrial Risk Matrix we must understand the context of the organization, starting with the identification of the internal and external risk receivers that may be affected by the consequences of a cyber-incident that harms the organization, third parties or the nation.
Critical Infrastructure: the nation may be involved when the facility being analyzed is considered Critical Infrastructure by the government or by a governmental agency under certain criteria. The criteria vary from country to country. While many countries with limited resources tend to copy what others are doing, the definition and selection of Critical Infrastructure should be the result of a technical risk assessment.
The following is a list of possible internal and external groups of risk receivers.
Example 1. Risk Receivers
| List of internal risk receivers |
| Workers Safety |
| Process Safety |
| Machinery Equipment Damage |
| Production Assets (Outcome) |
| Physical infrastructure |
| Business & Financial stakeholders |
| List of external risk receivers |
| Environmental Damage |
| Society, neighbors Safety |
| Society, consumers Safety |
| Supply Chain, Suppliers Impacted |
| Nation (Critical Infrastructure) |
As a first step, it is important to identify the risk receivers, considering the industrial process, its physical infrastructure, its location, and any receiver that may be impacted by consequences derived from the context of the organization. All the Risk Receivers must be clearly represented and considered in the Operational Risk Matrix.
Each Asset Owner (End User) must clearly identify its Risk Receivers. What is being protected by implementing a sound Industrial Cybersecurity Program? Do your governing policies and procedures clearly define the scope of the Industrial Cybersecurity Program?
Impact Scale for Consequences
After identifying each risk receiver, the impact scale of the consequences must be clearly defined.
The severity scale of the consequences measures severity from the lowest to the highest affectation, giving a measurable scale to the consequences and an index of the severity of the affectation to the risk receptors.
Example 2. Scale of Impact levels
| Safety | Level | Severity |
| Medical Treatment, Minor Health Effects, First Aid Case, or Less | 1 | Trivial |
| Medical Treatment with Restricted Duty or Medium Health Effects | 2 | Minor |
| Serious illness or injury resulting in days away from work [LTI]; or a permanent partial Disability | 3 | Moderate |
| Illness or injury resulting in one fatality; or permanent full disability | 4 | Major |
| Illness or injury resulting in multiple (2+) fatalities | 5 | Critical |
| Environment | Level | Severity |
| No off-site impact | 1 | Trivial |
| One odor or noise complaint from event | 2 | Minor |
| On-site or off-site environmental release to soil/ground or multiple odor or noise complaints from event | 3 | Moderate |
| On-site or off-site environmental release to surface water | 4 | Major |
| Major off-site impact (vapor cloud explosion, fire, major toxic gas release, major off-site environmental release, wildlife kill) | 5 | Critical |
| Financial | Level | Severity |
| Potential equipment or asset damage or financial loss < $100K USD | 1 | Trivial |
| Potential equipment or asset damage or financial loss $100K to $1M | 2 | Minor |
| Potential equipment or asset damage or financial loss $1M to $10M | 3 | Moderate |
| Potential equipment or asset damage or financial loss $10M to $100M | 4 | Major |
| Potential equipment or asset damage or financial loss >$100M | 5 | Critical |
In Example 2, all the risk receivers are consolidated into a three-column arrangement, "Safety", "Environment" and "Financial", each with its own severity scale.
For Safety, the severity scale has been subdivided into a criticality range of 5 levels, where 1 represents minor issues in relation to people's health and 5 represents a high level of criticality in which the lives of several people may be put at risk.
Probability Scale
With the probability scale we analyze how likely the consequence is to occur; it is expressed in terms of frequency, feasibility, and so on.
- Frequency: the measure of the number of times an event is repeated. It can be estimated from events that have already occurred or from event histories.
- Feasibility: the analysis of the presence of internal and external factors that can materialize the risk. It starts from an event that has not occurred but could occur.
The frequency analysis should be adjusted to the industry and to the availability of historical data on the events or consequences identified. In the absence of historical data, the work relies on the experience of those responsible for the process and on its internal and external factors.
Example 3. Probability scale.
| Level | Scale | Frequency | Likelihood |
| 5 | Likely | Event expected to occur more than once per year | Likely to occur |
| 4 | Possible | Has occurred or is expected to occur within 1 to 5 years | Quite possible or not unusual |
| 3 | Unlikely | Has occurred or is expected to occur within 5 to 10 years | Unusual but possible |
| 2 | Rare | Event could occur at sometime within 10 to 100 years | Conceivably possible, but very unlikely to occur |
| 1 | Improbable | Event could occur at some time greater than 100 years | Virtually improbable and unrealistic |
In Example 3, a probability scale based on years and probability of occurrence has been used, where 5 means the event has a very high probability of occurrence and is expected to occur repeatedly within one year, and 1 means an occurrence roughly once every 100 years or less often.
Risk Levels
The risk matrix includes aspects such as tolerance, acceptance and capacity, defined according to the risk culture of the organization as set by senior management.
Risk levels are defined by senior management. This establishes a common language and common magnitudes shared by all stakeholders, which favors better understanding and communication. The Risk Levels must be consistent with the other Industrial Risk Disciplines.
It is a typical mistake of many organizations to drive Industrial Cybersecurity decisions using only one or two Risk Receivers (economic/financial, security of information). All Risk Receivers and all Industrial Risk Disciplines must be evaluated consistently. We should not improve one risk discipline to the detriment of another. All decisions to mitigate the risk must be introduced consistently, to avoid aggravating other problems or creating new ones.
Color codes. Typically these colors are defined and explained in a document, and those explanations and rules are the guiding principle for treating and mitigating all the risks. They are not just colors introduced to make the matrix look nicer. Each organization has its own set of rules and Best Practices. In Industrial Risk Management these are far more important and relevant than any C2M2, gap or maturity study alone.
The colors used in Operational Risk Matrices vary significantly from one organization to another. It is essential to take some time to understand the ranges, definitions, criteria and rules for treating the intolerable industrial risk.
Industrial Cybersecurity Risk Reduction Factor (CRRF)
The Industrial Cybersecurity Risk Reduction Factor is derived from the ISA/IEC-62443 series' requirement to reduce risk to a tolerable level: it measures the number of times the Inherent Risk of the system (zones and conduits) needs to be reduced to reach the Tolerable Risk (the risk accepted by the Asset Owner).
The Industrial Cybersecurity Risk Reduction Factor is used to map the Risk Levels (ranges of risk) to the ISA/IEC-62443-3-3 Security Levels. This is one of the most important and significant aspects of the ISA/IEC-62443 series of standards.
ISA/IEC-62443-3-3 defines a set of system security requirements to be applied to zones and conduits across the many interrelated (or isolated) Cyber-Asset Components. These are not controls; don't confuse them with security controls. Security requirements are different from security controls. A system/plant well designed to meet the security requirements will need far fewer controls. Controls should not be used to mitigate risk; they should be used to confirm, verify and validate that the security requirements are met. There will never be enough controls to mitigate the Industrial Cybersecurity Risks.
The CRRF must be added to the existing Operational Risk Matrix and approved by upper management, since it will be used to justify the decision-making process and the company's investment in all the countermeasures and actions that really mitigate the Industrial Cybersecurity Risk.
The CRRF is formally defined by using the following formula:
- CRRF = Inherent Risk / Tolerable Risk
Handling and managing the CRRF and SL-T within the RMS system is very easy, but applying them, and defining the CRRF and the SL-T assignment, must be done by certified, experienced ISA/IEC-62443 professionals with deep knowledge and accredited experience in the Physical Domain, control systems technology, workers' safety and process safety. Do not start Industrial Cybersecurity Assessments without formal approval by upper management; doing so would be a huge mistake.
Types of Security Levels:
- SL-T (Target): the target security level needed for a zone or conduit, determined by a detailed risk assessment in compliance with the ISA/IEC-62443 requirements.
- SL-A (Achieved): the security level actually achieved by a specific zone or conduit with its current design.
- SL-C (Capability): the security level that a component or system, with its security measures properly configured, is capable of providing to the zone or conduit.
Additional types of Security Level may be used depending on the particular methodology.
The ISA/IEC-62443 series defines five SLs (0, 1, 2, 3 and 4), each with different protection criteria and technical requirements under the Foundational Requirements.
- SL 0: No Specific Requirements or Protection Needed
- SL 1: Protection from Casual or Coincident Violations
- SL 2: Protection from Intentional Violations through Low Resources, General Knowledge, and Low Motivation
- SL 3: Protection against Intentional Violations using sophisticated tools or methods with Moderate Resources, IACS-specific knowledge, and Moderate Motivation
- SL 4: Protection against Intentional Violations using sophisticated tools with extensive Resources, IACS Knowledge and High Motivation
Example of a typical result after mapping the Security Levels to the calculated CRRF, with a Tolerable Risk of 4 on a 1 to 25 matrix:
| Calculated Inherent Risk | Tolerable Risk | CRRF | SL-T |
| 1 | 4 | 0.25 | 0 |
| 2 | 4 | 0.5 | 0 |
| 3 | 4 | 0.75 | 0 |
| 4 | 4 | 1 | 0 |
| 5 | 4 | 1.25 | 1 |
| 6 | 4 | 1.5 | 1 |
| 7 | 4 | 1.75 | 1 |
| 8 | 4 | 2 | 1 |
| 9 | 4 | 2.25 | 2 |
| 10 | 4 | 2.5 | 2 |
| 11 | 4 | 2.75 | 2 |
| 12 | 4 | 3 | 2 |
| 13 | 4 | 3.25 | 3 |
| 14 | 4 | 3.5 | 3 |
| 15 | 4 | 3.75 | 3 |
| 16 | 4 | 4 | 3 |
| 17 | 4 | 4.25 | 4 |
| 18 | 4 | 4.5 | 4 |
| 19 | 4 | 4.75 | 4 |
| 20 | 4 | 5 | 4 |
| 21 | 4 | 5.25 | 4 |
| 22 | 4 | 5.5 | 4 |
| 23 | 4 | 5.75 | 4 |
| 24 | 4 | 6 | 4 |
| 25 | 4 | 6.25 | 4 |
The Security Levels must start at 0 and end at 4 at the maximum risk. The rationales and criteria need to be mapped to the technical requirements of ISA/IEC-62443-3-3. Once established, this mapping should never be changed again; it must be maintained over time for the consistency and validity of the risk evaluation. If the security-level mapping changes, the existing cybersecurity risk assessments become invalid.
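The following is an added example, not code from the page or from the RMS/WBS system. It computes CRRF = Inherent Risk / Tolerable Risk, maps it to SL-T, regenerates the worked table above for every cell value of a 1 to 25 matrix, and checks the two rules just stated: SL-T starts at 0, reaches 4 at the maximum risk, and never decreases. The SL-T bands are an assumption read off the table (CRRF of at most 1 gives SL 0, above 1 up to 2 gives SL 1, above 2 up to 3 gives SL 2, above 3 up to 4 gives SL 3, above 4 gives SL 4); the page shows the table, not the formula. The fingerprint function is a suggested practice for recording the mapping with each assessment, so that a later change to the mapping is detectable, and is not something the page prescribes.

```python
"""CRRF = Inherent Risk / Tolerable Risk and its mapping onto SL-T 0..4.

Added example (not the page's or the RMS/WBS system's own code).
ASSUMPTION: the SL-T bands below are inferred from the page's worked table.
"""
from fractions import Fraction
import hashlib
import json
from typing import List, Tuple

# (CRRF upper bound, SL-T); a CRRF above the last bound maps to SL 4
SL_T_BANDS: Tuple[Tuple[int, int], ...] = ((1, 0), (2, 1), (3, 2), (4, 3))


def crrf(inherent_risk: int, tolerable_risk: int) -> Fraction:
    """Number of times the inherent risk must be reduced to reach the tolerable risk.

    Exact rational arithmetic avoids float round-off at the band edges (8/4 is exactly 2).
    """
    if inherent_risk <= 0 or tolerable_risk <= 0:
        raise ValueError("risk values must be positive")
    return Fraction(inherent_risk, tolerable_risk)


def sl_target(crrf_value) -> int:
    """Map a CRRF onto SL-T 0..4 using inclusive upper bounds, as in the page's table."""
    for upper, sl in SL_T_BANDS:
        if crrf_value <= upper:
            return sl
    return 4


def crrf_table(max_risk: int = 25, tolerable_risk: int = 4) -> List[Tuple[int, float, int]]:
    """Rows of (inherent risk, CRRF, SL-T) for every cell value 1..max_risk of the matrix."""
    rows = []
    for inherent in range(1, max_risk + 1):
        factor = crrf(inherent, tolerable_risk)
        rows.append((inherent, float(factor), sl_target(factor)))
    return rows


def validate_mapping(table: List[Tuple[int, float, int]]) -> bool:
    """The page's rules: SL-T starts at 0, reaches 4 at the maximum risk, and never decreases."""
    sls = [sl for _, _, sl in table]
    return sls[0] == 0 and sls[-1] == 4 and all(a <= b for a, b in zip(sls, sls[1:]))


def mapping_fingerprint(table: List[Tuple[int, float, int]]) -> str:
    """SHA-256 over the mapping, to record with each assessment so a later change is detectable."""
    canonical = json.dumps([[r, c, s] for r, c, s in table], separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


if __name__ == "__main__":
    table = crrf_table()
    print("Inherent  Tolerable  CRRF   SL-T")
    for inherent, factor, sl in table:
        print(f"{inherent:>8}  {4:>9}  {factor:<5}  {sl}")
    print("mapping valid:", validate_mapping(table))
    print("fingerprint:", mapping_fingerprint(table))
```

Note what validate_mapping catches: with a tolerable risk of 10 on the same matrix the largest CRRF is 2.5, so SL-T never reaches 4 and the mapping fails the rule that the maximum risk must land on SL 4. That is the check to run before upper management approves the mapping, not after assessments have been issued against it.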
Additional complementary reading “The State of Knowledge and Risk Management in Industrial Cybersecurity with ISA/IEC-62443-3-2.“
—— End of Document —–