Team development, charter, reference and documentation
ICS OT Cyber Security Risk Assessment
Knowing the risk of the asset is an important step before continuing the ICS OT cyber security assurance process. The SWOT analysis of the ICS OT environment can be determined properly by having the ICS OT Cyber Security Risk Assessment. A thorough picture of the risk posture of an existing ICS OT environment is one of the goals of having a risk assessment in place.
The Activities
The simplified ICS OT Cyber Security Risk Assessment milestones consist of 4 core segments, as follows:
A risk assessment workshop is a process to define, analyze, strategize and plan against the assessed risk level in the ICS OT environment. The resulting Risk Register depicts the security posture of the assessed object.

The Controls Catalog, also known as the Risk Register, is the RA reference for any follow-up action. The responsible party for each action item should be defined and should understand their responsibilities. Review and revise the Controls Catalog (Risk Register) as systems change or are upgraded (in line with the RA review), as required. The Controls Catalog (Risk Register) is the baseline reference produced by the risk assessment workshop; it also determines the strategic planning that covers the future implementation to close the gap findings and to ensure the risk level is achieved and maintained at the ALARP level.
The implementation phase covers the Controls Catalog (Risk Register) action items as agreed by the Risk Assessment team. The sustainability phase covers the periodic review of the risk assessment (its frequency depends on the level of the risk), stewardship of the implementation and continuous improvement of the system in place. The RA periodic review cadence is based on the risk category (high, medium, low, etc.). An unplanned review can be performed if any crucial change is made to the system or an incident occurs. The owner and custodian should understand and be aware of the system risk status and its Controls Catalog (Risk Register).
The Critical Steps
Please keep in mind that managing the risk in an ICS OT environment is not a “One Man Show”. It is purely team work. Assigning the proper personnel to the Risk Assessment team is a crucial part, and performing a proper Risk Assessment Workshop is one of the critical steps. The result of the RA workshop, in the form of the Risk Register (Controls Catalog), will be the baseline reference for the next activity in ICS OT Cyber Security assurance.
Keep The Pace
Don't Get Loose
The agreed risk, as stated in the Risk Assessment result, is the basis for implementing the Controls Catalog (Risk Register) and other proposed security controls to bring the risk down to the ALARP level. Don’t get loose in the sustainability phase: the Controls Catalog (Risk Register) stewardship and periodic review will be the window through which to manage performance.