On 7 May 2021, Colonial Pipeline’s IT network was breached through a single VPN account without multi-factor authentication.
The operational technology that pushes fuel through 5,500 miles of pipeline was never directly compromised, yet operators still shut the whole system down for six days because nobody could prove the IT-OT conduit was safe. Answering that question in advance is exactly what an ISA/IEC 62443-3-2 risk assessment of the conduit exists to do, and that assessment did not exist. Gasoline hit $3 a gallon.
Seventy-one percent of Charlotte filling stations ran dry. Colonial paid a $4.4 million ransom. The bill for skipping a rigorous 62443 risk assessment is rarely abstract; it lands in a crisis room with a board, a regulator, and a queue of journalists.
| What every OT leader needs to know about the 62443 risk assessment |
| The assessment is the only internationally standardised way to translate Health, Safety and Environment (HSE) consequences into cyber security level targets for industrial automation and control systems. |
| ISA/IEC 62443-3-2 prescribes a seven-step workflow of Zone and Conduit Requirements (ZCR 1 to ZCR 7): identify the System Under Consideration, initial risk assessment, partition into zones and conduits, compare initial risk with tolerable risk, detailed risk assessment, document the requirements, asset-owner approval. Reassessment after any material change loops back to step one. |
| A credible IACS assessment produces two outputs every auditor will ask for: a Cybersecurity Requirements Specification (CRS) and a justified SL-T (Security Level Target) per zone and conduit. |
| Dragos tracked 119 ransomware groups hitting 3,300 industrial victims in 2025 — up 87% year-over-year. A standardised assessment that skips conduits or treats IT-OT as one flat network will not survive that threat landscape. |
| Residual risk — not inherent risk — is the number that goes to the board. Show the before/after on the same likelihood × consequence matrix and attach the control deltas that moved the score. |
| Re-run the assessment methodology after every material change: a new plant, a merger, a protocol upgrade, a named threat actor campaign, or a regulatory event such as NIS2 transposition in the EU. |
An OT cyber risk assessment anchored in ISA/IEC 62443-3-2 is how asset owners decide which zones, which conduits, which assets, and which adversaries actually deserve security investment.
This guide is the playbook we wish every OT team had before their first plant audit: the seven-step Zone and Conduit Requirement (ZCR) workflow, the artefacts regulators ask for, the 2025 incident data that sharpens every threat model, and the mistakes that repeatedly turn good 62443 risk assessment programmes into shelfware.
We are writing for senior practitioners — risk leads, OT security managers, control engineers — who will implement what they read on a live plant floor, not a classroom whiteboard.
What you will leave with: a working definition of the industrial risk assessment, a zone-and-conduit method you can apply this quarter, decision rules for SL-T (Security Level Target) selection, a table of SL-1 through SL-4 control depths, five practitioner charts grounded in public data, a pitfalls table based on field audits, and a forward-look at NIS2, CRA, and SEC-level reporting obligations.
If your CEO asked you right now what the worst-case cyber consequence is for your most critical OT zone, and whether your assessment process proves it is tolerable, you should be able to answer in under two minutes by the time you finish reading.
What a 62443 Risk Assessment Actually Is — and Why It’s Different
Most practitioners arrive at a 62443 risk assessment after running IT cybersecurity risk assessments and assume the method will port across.
It does not. The 62443 assessment is built for Industrial Automation and Control Systems (IACS): programmable logic controllers, safety instrumented systems, historians, distributed control systems, building automation, SCADA. A successful attack on those does not just exfiltrate data; it can vent chlorine, derail a train, or trip a turbine carrying 80 megawatts of load.
That is why ISA/IEC 62443-3-2:2020 weights consequence with Health, Safety and Environment (HSE) impact — a dimension most IT-centric NIST cybersecurity risk assessments barely touch.
Here is the position we take: an IEC 62443 risk assessment is an HSE-weighted cyber risk assessment run at the zone and conduit level, producing a defensible SL-T for each. It is not a spreadsheet exercise. It is not a generic cyber audit.
It is not the same as an ISO 27001 risk assessment, though the two should share a risk appetite statement and a common risk register backbone at the enterprise level. A 62443 risk assessment answers three questions the IT risk assessment cannot:
Can this cyber event kill someone? Can it breach an environmental permit? Can the plant recover inside the asset owner’s tolerance for downtime?
The four things a 62443 risk assessment must produce
| Artefact | What it contains | Who signs it |
| System Under Consideration (SUC) definition | Physical and logical boundary of the IACS, networks, devices, external interfaces. | OT lead + control engineer |
| Zone and conduit diagram | Grouping of assets with common security requirements; communication conduits between them, with data flows named. | Network architect + process owner |
| Risk matrix per zone / conduit | Initial (inherent) risk, detailed risk, residual risk scored on HSE-weighted likelihood × consequence. | Risk lead + asset owner |
| Cybersecurity Requirements Specification (CRS) and SL-T | Justified target Security Level (SL 1 to SL 4) per zone and conduit, expressed as a vector across the seven Foundational Requirements. | Asset owner (accountable) |
Figure 1 — The four deliverables every 62443 risk assessment must ship.
Why the assessment programme matters more in 2026 than ever

Industrial ransomware groups tripled from 35 in 2022 to 119 in 2025, with 3,300 victims; a 62443 risk assessment is now table stakes. Source: Dragos 2025 Year in Review.
The 2025 Dragos OT Cybersecurity Year in Review tracked 119 ransomware groups hitting 3,300 industrial organisations — an 87% increase in ransomware activity year-over-year, with manufacturing taking more than two-thirds of the hits.
The average dwell time in OT was 42 days; organisations with mature OT visibility cut that to 5 days. That five-to-forty-two gap is the operational return on a serious cybersecurity assessment — it is what tells the board that the plant either sees the adversary or does not.
A ransomware-linked production halt now costs median $125,000 per hour in discrete manufacturing and over $500,000 per hour in power generation, according to IBM X-Force and the IBM 2025 Cost of a Data Breach Report.
IBM's 2025 report puts the global average cost of a data breach at $4.44 million. Against those numbers, an OT security assessment is not a compliance line-item; it is the document that justifies the spend.
The Seven-Step ZCR Workflow of an ISA/IEC 62443 Risk Assessment
The standard breaks an IACS cyber risk assessment into seven steps, each a numbered Zone and Conduit Requirement (ZCR 1 to ZCR 7). Each step feeds the next, and skipping any of them (especially the partition in ZCR-3) is the single most common reason an assessment fails an audit.
The Dragos 62443 concepts guide describes the workflow at a high level; the detail below is where implementation breaks down in practice.

The ZCR workflow: the detailed zone-level risk assessment (ZCR-5) is where the real effort sits.
ZCR-1 — Define the System Under Consideration (SUC)
Draw the boundary. Every device, cable, wireless link, protocol, and external interface inside the boundary is in scope. Every operator workstation, engineering laptop, historian, patch server, and vendor remote-access terminal belongs on the list.
Asset inventory is where operational risk programmes die — 45% of Dragos service engagements reported a lack of OT visibility. If you cannot list the assets, you cannot run a 62443 risk assessment on them.
ZCR-2 — Initial (high-level) risk assessment
Assume likelihood equals 1, i.e. the worst-case scenario has occurred, and score the consequence on your HSE-weighted impact scale. Most plants already hold this number: the worst-case consequence comes straight from the process hazard analysis (HAZOP or LOPA), which is the source the standard points to. The initial risk assessment answers one question: if this system fails catastrophically because of a cyber event, how bad is it?
This is the quickest way to bucket zones into 'must get to SL-3' versus 'SL-1 is fine'. Do not negotiate with the worst case here. The initial assessment under 62443-3-2 sets the ceiling for the rest of the programme, and the standard's risk-comparison step (ZCR-4) uses it to decide whether a zone needs the detailed assessment at all.
ZCR-3 — Partition the SUC into zones and conduits (the heart of the 62443 risk assessment)
A zone is a logical grouping of assets with common security requirements: for example, the HMI zone, the basic process control system zone, the safety instrumented system zone, the historian zone.
A conduit is the communication pathway between two zones, and it carries its own security requirements. The MDPI study of zones and conduits documents how mis-grouped zones propagate compromise laterally. Good rule: if two assets have different HSE consequences or different trust levels, they do not belong in the same zone. Beyond that rule of thumb, the standard makes five separations mandatory (ZCR 3.2 to 3.6): business assets apart from IACS assets, safety-related assets in their own zone, and temporarily connected devices, wireless devices and devices connected via external networks each in zones of their own.
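To make the partition rules concrete, here is an added example (ours, not code from the original article or from any 62443 tooling) that checks a proposed zone layout against ZCR 3.2 to 3.6 and the consequence rule above, and derives the conduits from declared data flows. The asset inventory, zone names, protocols and HSE scores are constructed for illustration; the `Asset` fields and the `exposed_conduits` heuristic (flag any conduit from a zone holding business or externally connected assets into a zone whose worst consequence is 4 or 5) are our own modelling choices, not something the standard specifies.

```python
"""ZCR 3 partition check (constructed example). Groups an asset inventory by
the zones a site team proposed, derives conduits from declared data flows, and
flags the separations IEC 62443-3-2 requires (ZCR 3.2-3.6) plus the
'same zone, different HSE consequence' rule of thumb from the text."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    zone: str                # zone proposed by the site team
    level: int               # Purdue level (0 field ... 4 enterprise)
    hse: int                 # worst-case HSE consequence 1-5 from ZCR 2
    safety: bool = False     # safety instrumented / SIL-rated
    wireless: bool = False
    temporary: bool = False  # engineering laptops, vendor kit, USB bridges
    external: bool = False   # reachable from or via an external network
    business: bool = False   # enterprise (non-IACS) asset


# Constructed inventory for one discrete-manufacturing cell (hypothetical names).
ASSETS = [
    Asset("PLC-01", "control", 1, 4),
    Asset("SIS-01", "control", 1, 5, safety=True),
    Asset("HMI-01", "supervisory", 2, 3),
    Asset("ENG-LAPTOP", "supervisory", 2, 3, temporary=True),
    Asset("WIFI-GW", "supervisory", 2, 3, wireless=True),
    Asset("HIST-01", "operations", 3, 2),
    Asset("BATCH-SRV", "operations", 3, 4),
    Asset("ERP-01", "operations", 4, 1, business=True),
    Asset("MES-01", "dmz", 3, 2),
    Asset("VENDOR-VPN", "dmz", 3, 2, external=True),
]

# Constructed data flows: (source asset, destination asset, protocol).
FLOWS = [
    ("HMI-01", "PLC-01", "modbus/tcp"),
    ("ENG-LAPTOP", "HMI-01", "rdp"),       # stays inside one zone: not a conduit
    ("HIST-01", "PLC-01", "opc-ua"),
    ("MES-01", "HIST-01", "sql"),
    ("ERP-01", "MES-01", "https"),
    ("VENDOR-VPN", "PLC-01", "vnc"),
]

# Mandatory separations, IEC 62443-3-2 clause 4.4: (requirement, attribute, finding).
SEPARATIONS = [
    ("ZCR 3.2", "business", "business asset grouped with IACS assets"),
    ("ZCR 3.3", "safety", "safety-related asset not in its own zone"),
    ("ZCR 3.4", "temporary", "temporarily connected device inside a permanent zone"),
    ("ZCR 3.5", "wireless", "wireless device grouped with wired assets"),
    ("ZCR 3.6", "external", "externally connected device grouped with internal assets"),
]


def zones(assets):
    """Zone name -> member assets."""
    out = defaultdict(list)
    for a in assets:
        out[a.zone].append(a)
    return dict(out)


def conduits(assets, flows):
    """(source zone, destination zone) -> flows using that conduit."""
    by_name = {a.name: a for a in assets}
    out = defaultdict(list)
    for src, dst, proto in flows:
        zs, zd = by_name[src].zone, by_name[dst].zone
        if zs != zd:
            out[(zs, zd)].append((src, dst, proto))
    return dict(out)


def zcr3_findings(assets):
    """One finding per asset that should have been split into its own zone."""
    findings = []
    for zname, members in zones(assets).items():
        for clause, attr, text in SEPARATIONS:
            flagged = [a for a in members if getattr(a, attr)]
            if flagged and len(flagged) < len(members):      # mixed zone
                findings += [(clause, zname, a.name, text) for a in flagged]
        hse = [a.hse for a in members]
        if max(hse) - min(hse) >= 2:
            findings.append(("HSE", zname, ",".join(a.name for a in members),
                             f"consequence spread {min(hse)}-{max(hse)}; split the zone"))
    return findings


def exposed_conduits(assets, flows):
    """Conduits from a zone holding business or externally connected assets into
    a zone whose worst HSE consequence is 4 or 5 (our heuristic, not the standard's)."""
    z = zones(assets)
    risky = []
    for (src, dst), fl in conduits(assets, flows).items():
        exposed = any(a.business or a.external for a in z[src])
        if exposed and max(a.hse for a in z[dst]) >= 4:
            risky.append((src, dst, [proto for _, _, proto in fl]))
    return risky


if __name__ == "__main__":
    for clause, zname, names, text in zcr3_findings(ASSETS):
        print(f"{clause:<8} zone={zname:<12} {names:<12} {text}")
    for src, dst, protos in exposed_conduits(ASSETS, FLOWS):
        print(f"conduit {src}->{dst} reaches a high-consequence zone via {protos}")
```

Run it as a script and every finding quotes the ZCR clause it violates, which is the trace an auditor asks for when a zone diagram is challenged. The constructed layout produces six findings (one each for ZCR 3.2 to 3.6, plus the operations zone mixing consequence 1 and 4 assets) and three conduits that let business or external zones reach high-consequence zones; the vendor VPN to PLC path is the Colonial Pipeline shape.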
ZCR-4 and ZCR-5 — Compare against tolerable risk, then run the detailed 62443 risk assessment per zone and conduit
ZCR-4 is a gate, not a scoring exercise: where the initial worst-case risk of a zone already sits within the asset owner's tolerable risk, the initial assessment is sufficient and you record that. Everything above the line goes to the detailed assessment, ZCR-5, where you reintroduce likelihood using threat intelligence specific to your sector and run threat-vulnerability-consequence for every high-consequence zone and every conduit that touches it.
Derive the target security level (SL-T) from that unmitigated risk, then document the countermeasures you already have, re-score the likelihood with them in place, and compare the residual risk with the tolerable line.
In our audits roughly 35% of the total assessment effort sits here. Short-cutting ZCR-5 is the most common failure mode, and the one regulators catch first.
ZCR-6 and ZCR-7 — Document, approve and maintain the 62443 risk assessment
Write the Cybersecurity Requirements Specification (CRS). ZCR-6 lists what it must hold: the SUC description, zone and conduit drawings and characteristics, SL-T per zone and conduit, operating-environment and threat assumptions, organisational security policies, tolerable risk and applicable regulation. Then get the asset owner's signature (ZCR-7), not the CISO's and not a consultant's. Reassessment is not a numbered step in the standard but it is required: set a cadence (annual is typical) and re-run after any material change.
Attach the risk assessment to your risk management process flow chart so that changes in one push updates to the other.
Zones, Conduits, and Security Levels — the 62443 Risk Assessment Vocabulary
The 62443 risk assessment has a specific vocabulary. Using it correctly at the kick-off meeting prevents two months of re-scoping later. The SyC Smart Energy 62443 guidance is the tightest primer outside the paywalled standard itself. Here is the distilled practitioner version.
Zones in the 62443 risk assessment
A zone is a grouping of systems and components sharing common security requirements — functionally, logically, or physically related. Typical plant zones: Level 0 field devices; Level 1 basic control (PLCs, RTUs); Level 2 supervisory (HMIs, operator workstations); Level 3 operations (historian, batch servers); Level 3.5 DMZ; Level 4 enterprise.
The ISA/IEC 62443 methodology assigns an SL-T to each zone — not to the plant as a whole. That zone-by-zone decision is why the standard outperforms an IT risk assessment methodology that treats the plant as one flat network.
Conduits in the 62443 risk assessment
A conduit is a logical or physical grouping of communication channels connecting two or more zones that share common security requirements.
Conduits are where the Colonial Pipeline lesson lands: when the IT-to-OT conduit is not zoned, monitored and authenticated as its own object, nobody can show it is safe, and the only defensible move after an IT breach is to stop the plant.
Fortinet’s 62443 whitepaper maps conduit-level controls against the seven Foundational Requirements.
Security Levels (SL-1 through SL-4) in the IACS risk assessment

SL 1 to SL 4 drive control depth across the seven Foundational Requirements; from SL 3 upward the adversary is assumed to have IACS-specific skills, and SL 4 assumes extended, nation-state class resources.
Target Security Level (SL-T) is the level the asset owner decides the zone or conduit must achieve to reduce risk to a tolerable level. It is derived from the OT risk assessment, not copied from a vendor brochure.
The four levels map to the adversary the zone must withstand: casual or coincidental violation (SL-1); intentional violation with simple means, low resources, generic skills and low motivation (SL-2); sophisticated means, moderate resources, IACS-specific skills and moderate motivation (SL-3); sophisticated means, extended resources, IACS-specific skills and high motivation (SL-4).
SL-4 is a nation-state-resistant posture; most industrial sites legitimately settle at SL-2 or SL-3 for critical zones.
| SL-T | Adversary profile | Typical zones | Example controls |
| SL-1 | Casual or coincidental — no intent, no skill. | Non-critical monitoring, read-only historian replicas. | Baseline authentication, network segmentation, basic logging. |
| SL-2 | Intentional violation with simple means, low resources, low motivation. | Standard HMI zones, supervisory workstations. | Role-based access, encrypted channels, application whitelisting. |
| SL-3 | Sophisticated means, moderate resources, IACS-specific skills, moderate motivation. | BPCS (basic process control), DMZ, IT-OT conduit. | Multi-factor auth, deep packet inspection, integrity monitoring, strict change control. |
| SL-4 | Sophisticated means, extended resources, IACS-specific skills, high motivation. | Safety instrumented systems, critical infrastructure zones. | Hardware-rooted trust, cryptographic signing, air-gap or one-way data diode, 24/7 OT SOC. |
Table — Security Level targets (SL-T) and the adversary each is designed to withstand.
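The SL notation practitioners actually work with is a vector, not a single digit: ISA/IEC 62443-3-3 writes a target as SL-T = {IAC UC SI DC RDF TRE RA}, one value from 0 (no requirement) to 4 per Foundational Requirement, and a product certified to "SL 3" still has to be read FR by FR. The following added example (ours, not the article's or any vendor's code) parses that notation, derives what a zone can achieve from the capability vectors (SL-C) of its components, applies zone-level compensating controls, and reports the per-FR gap against SL-T. Component names, vector values and the compensating control are constructed; the rule that a zone's achievable level is bounded by its weakest component is our modelling assumption.

```python
"""Security Level vectors in IEC 62443-3-3 notation (constructed example).
An SL is a vector over the seven Foundational Requirements, e.g.
SL-T(BPCS) = {3 3 3 2 3 2 2}, one value 0-4 per FR. Here a zone's achievable
level is bounded per FR by its weakest component (our modelling assumption);
zone-level compensating controls can lift an FR the components cannot meet."""

FRS = ("IAC", "UC", "SI", "DC", "RDF", "TRE", "RA")   # FR 1 .. FR 7
FR_TITLES = {
    "IAC": "identification and authentication control",
    "UC": "use control",
    "SI": "system integrity",
    "DC": "data confidentiality",
    "RDF": "restricted data flow",
    "TRE": "timely response to events",
    "RA": "resource availability",
}


def parse_sl(text):
    """'{3 3 3 2 3 2 2}' or '3 3 3 2 3 2 2' -> {FR: level}."""
    values = [int(v) for v in text.strip().strip("{}").split()]
    if len(values) != len(FRS) or any(not 0 <= v <= 4 for v in values):
        raise ValueError("an SL vector has seven values, each 0-4")
    return dict(zip(FRS, values))


def fmt_sl(vec):
    return "{" + " ".join(str(vec[fr]) for fr in FRS) + "}"


def zone_capability(components):
    """Per FR, the zone can do no better than its weakest component."""
    return {fr: min(vec[fr] for vec in components.values()) for fr in FRS}


def weakest(components, fr):
    """Components that set the floor for one FR."""
    floor = min(vec[fr] for vec in components.values())
    return sorted(name for name, vec in components.items() if vec[fr] == floor)


def achieved(components, compensations):
    """SL-A estimate: component floor lifted by zone-level countermeasures
    (e.g. 802.1X at the zone boundary lifting IAC), never above 4."""
    cap = zone_capability(components)
    return {fr: min(4, max(cap[fr], compensations.get(fr, 0))) for fr in FRS}


def gaps(sl_t, sl_a):
    """FRs where the zone still falls short of SL-T, and by how much."""
    return {fr: sl_t[fr] - sl_a[fr] for fr in FRS if sl_a[fr] < sl_t[fr]}


# Constructed: SL-T for a BPCS zone and the vendors' published SL-C vectors.
SL_T_BPCS = parse_sl("{3 3 3 2 3 2 2}")
COMPONENTS = {
    "PLC-A": parse_sl("{3 3 3 2 3 2 2}"),
    "HMI-B": parse_sl("{3 3 2 1 3 2 2}"),    # marketed as 'SL 3'; SI and DC lag
    "SWITCH-C": parse_sl("{2 3 3 2 3 3 3}"),
}
COMPENSATIONS = {"IAC": 3}   # assumed: boundary 802.1X / jump host gives IAC 3 zone-wide


def report(sl_t=SL_T_BPCS, components=COMPONENTS, compensations=COMPENSATIONS):
    """Human-readable gap list, one line per FR still short of target."""
    sl_a = achieved(components, compensations)
    lines = [f"SL-T {fmt_sl(sl_t)}  SL-A {fmt_sl(sl_a)}"]
    for fr, short in gaps(sl_t, sl_a).items():
        lines.append(f"FR {FRS.index(fr) + 1} {FR_TITLES[fr]}: short by {short}; "
                     f"floor set by {', '.join(weakest(components, fr))}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

In the constructed zone the switch drags IAC down to 2 and the HMI drags SI to 2 and DC to 1, so the zone cannot claim SL 3 even though every component is sold as SL 3 capable. The boundary control closes the IAC gap; the SI and DC gaps remain and must be closed by a component change, a further zone-level countermeasure, or a written residual-risk acceptance. That per-FR view is what the vendor-preference pitfall later in this article is about.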
How to Run the Detailed 62443 Risk Assessment — a Worked Example
Abstract methodology is easy; running a detailed cyber risk assessment on a live plant is where practitioners earn their keep.
What follows is an anonymised walk-through based on a discrete manufacturing plant we have audited, with five representative zones and conduits.
It is intended to model the level of rigour auditors increasingly expect, and to show how the 62443 risk assessment drives the residual risk number down from red to green.

Figure — Risk scores across five zones move from red to green once the assessment drives the SL-T controls.
Step 1 of the 62443 risk assessment: identify threats that actually apply (not all of them)
Use sector-specific threat intelligence — Dragos tracks 26 named OT threat groups including the three newly identified in 2025 (AZURITE, SYLVANITE, PYROXENE). Map named threat actors to your zones using the MITRE ATT&CK for ICS matrix.
Add ransomware, insider, and supply-chain threat vectors. Do not copy a generic 150-row threat list from a vendor template; the IACS assessment is a bespoke exercise, and a generic list is the fastest way to lose credibility with the asset owner.
Step 2 of the 62443 risk assessment: score consequence on an HSE-weighted scale
Consequence is where the standardised assessment diverges hardest from IT assessments. Use a 5-point HSE-weighted scale covering: injury/fatality, environmental release, production loss, regulatory fine, and reputational impact.
The worst category wins — if an event is a 5 on safety and a 2 on production, the consequence score is 5. This rule prevents the hedging that turns most risk registers into theatre.
Step 3 of the 62443 risk assessment: score likelihood with sector-specific threat intelligence
Likelihood is where assessment methodologies routinely undershoot. A realistic scale: 1 = not observed in the sector in the last 5 years; 2 = rare; 3 = occasional (1-2 named incidents per year in the sector); 4 = frequent; 5 = imminent (active campaign).
Calibrate against CISA ICS advisories and your ISAC feed. If you cannot cite evidence, default high — that is the precautionary bias the HSE framing demands.
Step 4 of the 62443 risk assessment: multiply to a risk score, then derive SL-T
Likelihood × consequence on a 5×5 matrix gives a risk score from 1 to 25. The standard does not fix the matrix or the bands; the asset owner does, and a common choice is 1-4 = SL-1, 5-9 = SL-2, 10-15 = SL-3, 16-25 = SL-4. Read SL-T off the unmitigated score (ZCR 5.6), not the residual: existing countermeasures are credited afterwards (ZCR 5.7 to 5.9), where they lower likelihood and therefore residual risk, not the target the zone must meet.
A one-way diode on a conduit, for example, belongs in the residual-risk re-score as a credited countermeasure, not in a lower SL-T for the zone behind it. Do not treat the band mapping as a blind lookup either; record why each zone landed where it did.
Step 5 of the 62443 risk assessment: document the countermeasures and re-score
Every control you claim must be tied to an ISA/IEC 62443-3-3 system requirement (SR) or, at component level, a 62443-4-2 component requirement (CR). No hand-waving allowed. Re-score the risk with the claimed controls in place. The residual should sit visibly below the asset owner's tolerance line.
If it is not, either add controls, accept the risk in writing, or escalate to enterprise risk management for a board decision.
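Steps 1 to 5 above, carried through in code as an added example (ours, not from the article or from the standard). It applies the worst-category-wins consequence rule, scores unmitigated risk on the 5×5 matrix, reads SL-T off the unmitigated score with the band mapping from Step 4, credits existing countermeasures by the 62443-3-3 SR they satisfy, and compares residual risk with a tolerable line. The four scenarios, the tolerable score of 6, the likelihood reduction credited to each control and the SR assignments are constructed; treating each credited control as removing a fixed number of likelihood steps is a simplification of ZCR 5.8, which only requires that likelihood be re-evaluated with the countermeasures in place.

```python
"""ZCR 5 detailed assessment worked as code (constructed example).
Consequence: 5-point HSE-weighted scale, worst category wins. Likelihood: 1-5
from sector threat intelligence. Risk = L x C on a 5x5 matrix. SL-T is read
from the UNMITIGATED score (ZCR 5.6) with the band mapping used in the text,
an asset-owner convention rather than a number the standard fixes. Credited
countermeasures, each tied to a 62443-3-3 SR, lower likelihood (ZCR 5.8);
the residual is then compared with the tolerable line (ZCR 5.10)."""
from dataclasses import dataclass, field

CATEGORIES = ("safety", "environment", "production", "regulatory", "reputation")
TOLERABLE_RISK = 6                                  # assumed tolerance line
SLT_BANDS = ((4, 1), (9, 2), (15, 3), (25, 4))      # (max risk score, SL-T)


@dataclass(frozen=True)
class Countermeasure:
    sr: str          # 62443-3-3 system requirement the control satisfies
    name: str
    reduction: int   # likelihood steps removed (assumed, must be evidenced)


@dataclass
class Scenario:
    target: str                   # zone or conduit
    threat: str
    impacts: dict                 # HSE category -> score 1-5
    likelihood: int               # unmitigated likelihood 1-5
    controls: list = field(default_factory=list)


@dataclass
class Result:
    target: str
    consequence: int
    unmitigated: int
    sl_t: int
    residual: int
    credited: list
    within_tolerance: bool


def consequence(impacts):
    """Worst category wins: a 5 on safety and a 2 on production scores 5."""
    unknown = set(impacts) - set(CATEGORIES)
    if unknown:
        raise ValueError(f"unknown consequence categories: {sorted(unknown)}")
    if not impacts or any(not 1 <= v <= 5 for v in impacts.values()):
        raise ValueError("consequence scores must be 1-5")
    return max(impacts.values())


def risk(likelihood, cons):
    if not 1 <= likelihood <= 5:
        raise ValueError("likelihood must be 1-5")
    return likelihood * cons


def sl_target(unmitigated):
    """Band mapping from the text: 1-4 SL-1, 5-9 SL-2, 10-15 SL-3, 16-25 SL-4."""
    for upper, sl in SLT_BANDS:
        if unmitigated <= upper:
            return sl
    raise ValueError("risk score outside 1-25")


def assess(s):
    c = consequence(s.impacts)
    unmitigated = risk(s.likelihood, c)
    # Simplification of ZCR 5.8: each credited control removes its evidenced
    # likelihood steps; likelihood never falls below 1 (the threat still exists).
    residual_l = max(1, s.likelihood - sum(cm.reduction for cm in s.controls))
    residual = risk(residual_l, c)
    return Result(s.target, c, unmitigated, sl_target(unmitigated), residual,
                  [cm.sr for cm in s.controls], residual <= TOLERABLE_RISK)


def board_register(scenarios):
    """Before/after rows for the board pack, worst residual first."""
    return sorted((assess(s) for s in scenarios),
                  key=lambda r: (-r.residual, -r.unmitigated, r.target))


# Constructed scenarios for a five-zone plant; names, scores and SRs are ours.
SCENARIOS = [
    Scenario("SIS zone", "ransomware pivots from engineering workstation to SIS",
             {"safety": 5, "production": 3}, 4,
             [Countermeasure("SR 5.2", "zone boundary protection (diode)", 2),
              Countermeasure("SR 3.4", "software integrity verification", 1)]),
    Scenario("IT-OT conduit", "vendor remote-access abuse into the control zone",
             {"production": 4, "safety": 3, "regulatory": 2}, 3,
             [Countermeasure("SR 1.13", "MFA jump host for untrusted networks", 1),
              Countermeasure("SR 6.2", "continuous monitoring of the conduit", 1)]),
    Scenario("HMI zone", "malware via USB or engineering laptop",
             {"production": 3, "reputation": 2}, 4,
             [Countermeasure("SR 3.2", "malicious code protection", 1)]),
    Scenario("historian replica", "read-only replica defaced or exfiltrated",
             {"production": 1, "reputation": 2}, 3),
]

if __name__ == "__main__":
    for r in board_register(SCENARIOS):
        verdict = "within tolerance" if r.within_tolerance else "ABOVE tolerance"
        print(f"{r.target:<18} C={r.consequence} unmitigated={r.unmitigated:>2} "
              f"SL-T={r.sl_t} residual={r.residual:>2} via {r.credited} -> {verdict}")
```

With these constructed inputs the SIS zone scores 20 unmitigated (SL-T 4) and 5 residual, the IT-OT conduit 12 (SL-T 3) and 4, the historian replica 6 (SL-T 2) and 6, while the HMI zone stays at 9 residual with only malicious-code protection credited, so it is the one row that needs more controls or a written acceptance. Note that SL-T for the SIS zone stays at 4 even though the diode takes its residual below the line: the target is set by what the adversary can do to an unprotected zone, the residual is what the controls have bought you.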
Sector Context: What the 62443 Risk Assessment Looks Like Across Industries
The industrial risk assessment standard is sector-agnostic by design — the ISA 62443-3-2 white paper calls out process industries, building automation, medical devices, transportation, power generation, and water treatment as in-scope. What changes is the consequence weighting, the downtime cost, and the regulator on the other end of the phone.

Downtime costs per hour by sector — the ROI on a rigorous 62443 risk assessment scales with whatever is on the Y-axis.
Energy and utilities 62443 risk assessment considerations
Median downtime cost of $520,000 per hour for power generation and $950,000 per hour for upstream oil and gas changes the calculus entirely. Overlay NERC CIP, NIS2 transposition in the EU, and the U.S. executive orders on critical infrastructure cyber security that DOE implements for the energy sector.
The assessment process becomes the evidence base regulators cite when they decide whether your outage was foreseeable. See our guidance on energy sector risk management and NERC CIP for the sector overlay.
Manufacturing 62443 risk assessment considerations
Manufacturing accounted for more than two-thirds of industrial ransomware victims in 2025. A $125K/hour downtime median is typical for discrete manufacturing, but specialty chemicals exceed $300K.
The assessment should target every MES-to-ERP conduit and every OEM remote-support tunnel. Pair it with a business continuity plan for manufacturing so the residual risk hand-off to BCM is explicit.
Transportation and water 62443 risk assessment considerations
These sectors have the lowest cyber budget per zone but some of the tightest HSE consequence scores. At a water treatment plant a single changed dosing setpoint is a public-health event.
The assessment must put safety instrumented systems in their own zone (ZCR 3.3) and push them to SL-3 minimum, with a hard-separated conduit from the business network.
Wireless rail signalling and transit SCADA are rising threat surfaces — expect sector-specific addenda in 62443-3-2’s next revision.
Building automation 62443 risk assessment considerations
Building automation lives at the low end of the downtime scale but the high end of attack surface: BACnet and KNX controllers are often internet-reachable, and default credentials survive for decades.
A building-management 62443 risk assessment typically ends at SL-2 for most zones, with SL-3 for life-safety systems. Link it to your IoT project risk assessment framework, because building automation and IoT converge in smart buildings.
How the 62443 Risk Assessment Integrates with Other Risk Frameworks
A 62443 risk assessment does not sit in a vacuum. Enterprises that get the most value run it alongside ISO 31000 enterprise risk management, NIST CSF 2.0, and ISO 27001 information security management.
The question is not which framework wins; it is which sits where in the stack. Our view: ISO 31000 is the enterprise umbrella, NIST CSF 2.0 is the cyber control catalogue, ISO 27001 is the ISMS backbone for data, and the assessment programme is the deep dive for the IACS environment.
Organisations certified to ISO 27001 have already met about 83% of NIST CSF requirements — an efficient path is to build on that base and extend downward into the 62443 risk assessment.
| Framework | Role in the stack | Where the risk analysis plugs in |
| ISO 31000 | Enterprise risk management principles, appetite, governance. | Sets the tolerance bands the SL-T targets must meet. |
| COSO ERM | Board-level ERM framework popular in U.S. public companies. | Elevates top residual OT risks to the risk committee. |
| NIST CSF 2.0 | Cyber control catalogue — Govern, Identify, Protect, Detect, Respond, Recover. | Provides outcome language for SL-T justification; useful for U.S. reporting. |
| ISO 27001:2022 | Information security management system (ISMS) standard. | Covers IT asset controls; the cybersecurity assessment extends coverage into OT. |
| IEC 62443-2-1 | IACS security programme requirements for asset owners. | Governs the programme the OT security assessment operates within. |
| IEC 62443-3-3 | System security requirements and security levels. | Provides the control catalogue the SL-T maps to. |
| NIST SP 800-82 | Guide to operational technology (OT) security. | Highly compatible; use as a U.S. government reference alongside the IACS cyber risk analysis. |
Table — Where the zonal assessment plugs into the broader risk and cyber framework stack.
Regulatory Context: Where the 62443 Risk Assessment Now Meets the Auditor
The 62443 risk assessment has crossed the line from engineering best practice to regulatory expectation in multiple jurisdictions in 2024-2025.
In the EU, NIS2 Directive (Directive 2022/2555) expanded scope to 18 critical sectors with transposition deadline of 17 October 2024.
Fines reach €10 million or 2% of global turnover, and management bodies are personally accountable. Although NIS2 is not 62443-specific, regulators increasingly reference the risk evaluation as the reasonable-person standard for IACS compliance.
In the U.S., the SEC’s cyber disclosure rule, the TSA Pipeline Security Directive, and the EPA’s sector-specific rules for water utilities all push asset owners towards documented risk assessment.
CMMC 2.0 for U.S. defence contractors is built on NIST SP 800-171 and 800-172, not on IEC 62443; the U.S. OT reference that aligns with 62443 is NIST SP 800-82. In the EU, the Cyber Resilience Act (CRA) applies its main obligations to products with digital elements from December 2027 and will push expectations of the kind IEC 62443-4-1 (secure development lifecycle) and 62443-4-2 (component requirements) already encode down the component supply chain; the UK's Product Security and Telecommunications Infrastructure (PSTI) regime already does so for consumer connectable products.
Take this position: a 62443 risk assessment done properly today is cheaper than the same assessment demanded by a regulator after a breach.
Document the methodology, the assumptions, the participants, and the version. When the regulator shows up, the IACS risk assessment is the first document they will ask for — and the one that determines whether the conversation is technical or punitive.
Where 62443 Risk Assessment Programmes Stall — and How to Unstick Them
Across audits of industrial sites, the same patterns derail OT risk assessment programmes. They are rarely technical — most are organisational or methodological.
The common mistakes in risk assessment overlap heavily with IT risk assessments, but a few are specific to the IACS environment. Spot these early, and the cyber risk assessment ships in weeks, not quarters.
| Pitfall | Root cause | Remedy |
| Skipping the zone-and-conduit partition. | Treating the IACS as one flat network, an IT-security legacy habit. | Force ZCR-3 as a gate before the detailed assessment; a peer-reviewed zone diagram is non-negotiable. |
| Using IT likelihood scales for OT threats. | Analysts carrying over frequencies from cyber insurance data sets. | Rebuild the scale from sector-specific threat intel (Dragos, CISA ICS advisories, E-ISAC). |
| Consequence weighted on data loss, not HSE. | Copy-paste from an ISO 27001 risk assessment. | Replace the consequence scale with a 5-point HSE-weighted rubric; safety wins ties. |
| SL-T set by vendor preference, not risk assessment. | Vendor marketing positions products at a fixed SL. | Run the 62443 risk assessment first; match product SL capability (SL-C) to the derived SL-T afterwards, Foundational Requirement by Foundational Requirement. |
| One-off assessment, never revisited. | Programme becomes the consultant's deliverable, not the asset owner's. | Hard-code an annual reassessment cadence plus change triggers (M&A, new plant, major incident). |
| Residual risk accepted verbally. | Asset owner signs the SL-T but never the residual acceptance. | Require written acceptance of each residual risk above the tolerance line; archive it for audit. |
| Cybersecurity Requirements Specification omitted. | Programme stops at risk scoring. | Treat the CRS as the exit criterion: no CRS, no closure. |
| No measurement of risk reduction effectiveness. | Controls claimed but never tested. | Pair the assessment with key risk indicators: failed patches, expired certificates, rogue assets. |
Table — The eight most common 62443 risk assessment pitfalls and the fixes that actually work.
Where the 62443 Risk Assessment Is Heading — 2026 to 2028
Three shifts will reshape the OT cyber assessment playbook in the next 24 months. First, regulatory convergence: the EU’s NIS2 transposition (especially Germany’s NIS2UmsuCG entering force in Q4 2025) combined with the Cyber Resilience Act will push asset owners to harmonise the industrial risk assessment with ENISA guidance.
Expect cross-border supply chain clauses where the 62443 risk assessment is shared up and down the value chain.
Second, AI-enabled threat modelling. A 2025 Springer paper on IACS risk methodology proposes automating the detailed assessment process using Bayesian threat modelling and LLM-assisted consequence scoring.
Expect commercial tools to fold this into the detailed assessment (ZCR-5) by 2027. The practitioner opportunity: automate the mechanical scoring, keep the HSE judgement human.
Third, the quantification shift. IT has moved from qualitative heat-maps to cyber risk quantification using FAIR and Monte Carlo. OT will follow, anchored by the 62443 risk assessment.
Expect boards to ask for a loss-distribution curve per zone, not just a colour on a matrix. Practitioners who can translate SL-T into expected annualised loss will lead the next wave of industrial cyber risk programmes.
What to do now: run a fresh risk review on your top three critical zones before Q4 2026. Document every assumption. Put the residual risk numbers on your board pack. If the risk committee cannot see the before-and-after, the programme has not yet earned its keep.
Frequently Asked 62443 Risk Assessment Questions
What exactly is a 62443 risk assessment?
An IEC 62443 risk assessment is the ISA/IEC 62443-3-2 method for identifying, analysing and treating cyber risk in Industrial Automation and Control Systems (IACS).
It partitions the System Under Consideration into zones and conduits, scores risk with an HSE-weighted consequence scale, and derives a target Security Level (SL-T) per zone and conduit.
It sits alongside but does not replace ISO 31000, NIST CSF, or ISO 27001 assessments; each has a different scope.
Who is responsible for running a 62443 risk assessment?
The asset owner is accountable for the assessment programme. The work is typically delivered by an OT security lead, a control engineer, a process owner, and an enterprise risk function.
Vendors and integrators should contribute but never own the 62443 risk assessment — that is one of the most common audit findings.
The asset owner signs off on the SL-T, the Cybersecurity Requirements Specification, and any residual risk acceptance.
How long does a 62443 risk assessment take?
A single-plant 62443 risk assessment with 8-15 zones typically runs 10-14 weeks end to end: ZCR-1 and ZCR-2 (scope and initial assessment) in weeks 1-3, ZCR-3 and ZCR-4 (partition and risk comparison) in weeks 4-5, ZCR-5 (detailed assessment) in weeks 5-11, ZCR-6 and ZCR-7 (CRS and approval) in weeks 11-14.
Multi-plant enterprises running assessments in parallel with template reuse can complete each site in 6-8 weeks once the first one is stable. Never compress the detailed assessment (ZCR-5); that is where the residual risk number is earned.
How does a 62443 risk assessment differ from a NIST SP 800-82 OT risk assessment?
NIST SP 800-82 is the U.S. government guide to OT security; it is broader and more prescriptive on control categories but less prescriptive on method.
ISA/IEC 62443-3-2 is method-heavy: it tells you how to partition zones, how to derive SL-T, and how to document requirements.
Most programmes run both: NIST SP 800-82 as the U.S. reference for federal contractors and 62443-3-2 as the detailed engineering method. They share roughly 70% of their control outcomes.
What Security Level target should a typical plant aim for in a 62443 risk assessment?
There is no single answer — that is the whole point of the zonal assessment. Most plants settle on SL-2 for standard zones, SL-3 for critical BPCS and IT-OT conduits, and SL-4 for safety instrumented systems that carry HSE consequences of 5.
SL-1 is only appropriate for truly non-critical zones (e.g., read-only reporting replicas). Any programme that labels every zone SL-3 ‘just to be safe’ is not a risk evaluation; it is risk-aversion theatre.
How often should a 62443 risk assessment be updated?
Annual refresh at minimum, with event-driven triggers for: any material IACS change, a named sector campaign, a plant acquisition or disposal, a regulatory change (e.g., NIS2 transposition), a major vulnerability disclosure affecting installed devices, and any cyber incident.
The 62443 risk assessment artefacts should also be re-issued when a zone’s downtime tolerance or HSE consequence scale changes — not just when the threat landscape shifts.
Can a small manufacturer realistically run a 62443 risk assessment?
Yes, with proportionality. A small manufacturer's 62443 risk assessment might cover three to five zones and two or three conduits, run in 2-3 weeks, and land at SL-2 for most zones.
The key is to keep the method intact (SUC definition → zones/conduits → HSE-weighted risk → SL-T → CRS) and simplify the artefacts rather than skip them. A compliant 62443 risk assessment does not have to be 200 pages; it has to be defensible.
What happens to a 62443 risk assessment after a cyber incident?
Two things. First, the IACS risk assessment’s likelihood scale is recalibrated using the incident data — a category-3 ransomware event in your sector moves likelihood from 2 to 4.
Second, the residual risk across affected zones is reopened and reassessed; if residuals now exceed tolerance, additional controls are deployed and SL-T may be raised.
The OT risk assessment should never survive an incident unchanged. Incident-driven reassessments are one of the strongest signals of a mature programme.
Make Your 62443 Risk Assessment a Board-Ready Asset
A cyber risk assessment done right gives the board three things a regulator respects: a defensible method, a documented residual risk number per zone, and a commitment to reassess on a cadence. It also gives the plant manager a prioritised list of what to buy and what to ignore.
Our team at Risk Publishing helps industrial operators design, run, and board-approve assessment programmes — from a one-plant kick-off to an enterprise-wide playbook covering dozens of sites.
Explore our OT and cyber risk services or contact us directly to scope a 62443 risk assessment for your operations. A 45-minute conversation will tell you where your current programme stands, what the biggest residual risk gap is, and what a pragmatic 62443 risk assessment roadmap looks like in your sector.

Chris Ekai is a Risk Management expert with over 10 years of experience in the field. He has a Master’s(MSc) degree in Risk Management from University of Portsmouth and is a CPA and Finance professional. He currently works as a Content Manager at Risk Publishing, writing about Enterprise Risk Management, Business Continuity Management and Project Management.
