Module 1: Threat identification and risk analysis (1/4)

Threat sources: insiders, nation-states, ransomware crews

35 min · 4 min read · Ref: IEC 62443-3-2 §5.2


Threat sources in context

IEC 62443-3-2 §5.2 requires that you identify threat sources relevant to each zone in your system. A threat source is any entity — human, software, or natural — capable of exploiting a vulnerability.

The Foundations track introduced the major threat actors. This lesson teaches you how to systematically catalogue them for a risk assessment.

The IEC 62443 threat-source taxonomy

Category | Motivation | Capability | Examples
--- | --- | --- | ---
Unintentional insider | None (accidental) | Varies — can be very high if they have admin access | Operator plugs infected USB into HMI; engineer misconfigures firewall rule
Intentional insider | Revenge, financial gain, ideology | High — has legitimate credentials and physical access | Disgruntled contractor (Maroochy Shire), sabotage-for-hire
Hacktivist | Ideological disruption, publicity | Low to moderate — script-kiddie to moderate tooling | Cyber Av3ngers (Aliquippa water plant)
Cybercriminal | Financial extortion | Moderate to high — ransomware-as-a-service, initial-access brokers | LockBit, BlackCat/ALPHV, Clop
Nation-state APT | Strategic pre-positioning, espionage, sabotage | Very high — custom malware, zero-days, multi-year operations | Sandworm, Volt Typhoon, APT33
Competitor | Industrial espionage, market advantage | Moderate — typically via supply chain or insider recruitment | Rare in public reporting but significant in pharmaceuticals and energy
Natural / environmental | N/A | N/A — non-adversarial | Flood, earthquake, lightning strike affecting equipment availability

Mapping threats to zones

Not every threat source applies to every zone. A nation-state APT is a credible threat to the SIS zone of a power plant; it is not a credible threat to the billing workstation of a small bakery.

The relevance test

For each zone × threat-source pair, ask:

  1. Does this threat source have a motive to target assets in this zone?
  2. Does this threat source have the capability to reach this zone?
  3. Has this threat source historically targeted assets of this type?

If the answer to all three is "no," you may exclude the pairing — but document the exclusion with justification.

Key takeaway

Do not under-scope

The Aliquippa water plant did not consider nation-state-linked hacktivists a relevant threat. They were wrong. When in doubt, include the threat source and let the risk score determine priority.

Example: reference water-treatment plant

Threat source | Zone 1 (Control) | Zone 2 (SIS) | Zone 3 (Supervisory) | Zone 4 (Site Ops) | Zone 5 (Enterprise)
Unintentional insider
Intentional insider
Hacktivist
Cybercriminal
Nation-state APT
Natural/environmental

Worked example

Hacktivists are excluded from Zone 2 (SIS) because their typical capability — exploiting default credentials on internet-exposed devices — does not extend to specialised safety controllers behind multiple zone boundaries. However, if the SIS were ever exposed via a misconfigured conduit, this exclusion would need to be revisited.
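As an added illustration (not code from the lesson or the standard), the relevance test from the section above applied programmatically to the reference plant's zone × threat-source grid, with the SIS hacktivist exclusion from the worked example as one of the constructed answers. The `Relevance` class and `apply_relevance_test` function are hypothetical names chosen here; the sample answers are constructed and not a real assessment.

```python
from dataclasses import dataclass
from itertools import product

# Zones of the lesson's reference plant and the threat sources mapped against them
# (Competitor is left out, as in the lesson's zone table).
THREAT_SOURCES = ["Unintentional insider", "Intentional insider", "Hacktivist",
                  "Cybercriminal", "Nation-state APT", "Natural/environmental"]
ZONES = ["Zone 1 (Control)", "Zone 2 (SIS)", "Zone 3 (Supervisory)",
         "Zone 4 (Site Ops)", "Zone 5 (Enterprise)"]

@dataclass(frozen=True)
class Relevance:
    """Answers to the three relevance questions for one zone x threat-source pair."""
    motive: bool
    capability: bool
    history: bool
    justification: str = ""  # mandatory whenever all three answers are False

    def excluded(self) -> bool:
        return not (self.motive or self.capability or self.history)

def apply_relevance_test(answers):
    """Return (included pairs, exclusions with justification, findings).
    Unanswered pairs are included by default ("when in doubt, include") and
    flagged for review; an exclusion without a written justification is flagged
    as an assessment defect, since under-scoping is the common error."""
    included, excluded, findings = [], [], []
    for zone, source in product(ZONES, THREAT_SOURCES):
        ans = answers.get((zone, source))
        if ans is None:
            included.append((zone, source))
            findings.append(f"UNASSESSED: {source} x {zone} included by default")
        elif ans.excluded():
            if not ans.justification.strip():
                findings.append(f"UNDOCUMENTED EXCLUSION: {source} x {zone}")
            excluded.append((zone, source, ans.justification))
        else:
            included.append((zone, source))
    return included, excluded, findings

# Constructed sample: all pairs relevant except the lesson's worked exclusion
# (hacktivist x SIS), one undocumented exclusion and one unanswered pair.
SAMPLE = {pair: Relevance(True, True, True) for pair in product(ZONES, THREAT_SOURCES)}
SAMPLE[("Zone 2 (SIS)", "Hacktivist")] = Relevance(False, False, False,
    "Default-credential exploitation of internet-exposed devices does not reach "
    "safety controllers behind multiple zone boundaries; revisit if a conduit "
    "ever exposes the SIS.")
SAMPLE[("Zone 5 (Enterprise)", "Natural/environmental")] = Relevance(False, False, False)
del SAMPLE[("Zone 4 (Site Ops)", "Cybercriminal")]
```

Running `apply_relevance_test(SAMPLE)` yields the inclusion list, the two exclusions, and two findings: the unanswered Zone 4 × Cybercriminal pair (included by default) and the Zone 5 exclusion that lacks a justification.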

Threat scenarios

For each included zone × threat-source pair, write a threat scenario — a one-paragraph narrative describing how the attack would unfold:

Zone 1 × Cybercriminal: A ransomware operator purchases initial access from an access broker who compromised the plant's VPN. The attacker moves laterally from the corporate network through a misconfigured IDMZ to the supervisory zone, then pivots to the PLC zone via the engineering conduit. The attacker encrypts the engineering workstation and threatens to modify PLC setpoints unless a ransom is paid.

These scenarios are the input to vulnerability identification and consequence scoring in the next two lessons.

Key Takeaways

  1. IEC 62443-3-2 requires systematic identification of threat sources per zone.
  2. Seven categories cover the full spectrum: accidental insiders through nation-state APTs.
  3. Map each threat source to each zone using the relevance test (motive, capability, history).
  4. Document exclusions with justification — under-scoping is the most common assessment error.
  5. Write threat scenarios for each included pairing as input to the detailed risk analysis.

Knowledge Check

3 questions — test your understanding before moving on.

  1. Q1. When mapping threat sources to zones, what is the 'relevance test'?

    • Testing whether the threat actor has previously attacked the same vendor's equipment.
    • Asking three questions: does the threat source have motive, capability, and historical precedent for targeting assets in this zone?
    • Running a penetration test against the zone.
    • Checking whether the threat source is listed in CISA advisories.

    The relevance test asks: (1) Does this threat source have a motive to target this zone? (2) Does it have the capability to reach it? (3) Has it historically targeted assets of this type? If all three are 'no,' the pairing may be excluded — but the exclusion must be documented.

  2. Q2. Why should you avoid under-scoping threat sources in an IEC 62443-3-2 assessment?

    • Because every threat source must be included to satisfy ISO 27001.
    • Because facilities that did not consider certain threat sources (e.g. Aliquippa vs hacktivists) were successfully attacked by those exact actors.
    • Because under-scoping voids the warranty on industrial equipment.
    • Because regulators require exactly seven threat sources per zone.

    The Aliquippa water plant did not consider nation-state-linked hacktivists a relevant threat. They were wrong — Cyber Av3ngers exploited a default password on an internet-exposed PLC. When in doubt, include the threat source and let the risk score determine priority.

  3. Q3. What is a threat scenario in the context of IEC 62443-3-2?

    • A penetration test report.
    • A one-paragraph narrative describing how a specific threat source would exploit a specific vulnerability in a specific zone.
    • A list of CVEs applicable to a device.
    • A diagram of the attack path through the network.

    A threat scenario combines a threat source with a vulnerability in a zone to describe a realistic attack narrative. These scenarios are the input to consequence and likelihood scoring in the detailed risk analysis.