Module 3: Risk register workshop (1/2)
Assembling the risk register
Duration: 45 min
The risk register: your single source of truth
The risk register is the master document of the IEC 62443-3-2 assessment. It captures every zone, every threat scenario, every risk score, every gap, and every remediation plan in one structured table.
When a regulator, auditor, or management review board asks "what is the security posture of the plant?", you hand them the risk register.
Key takeaway
A living document
The risk register is not a one-time deliverable. It is updated whenever a threat changes, a vulnerability is discovered, a control is implemented, or the plant configuration changes.
Risk register structure
| Column | Description | Example |
|---|---|---|
| Risk ID | Unique identifier | R-001 |
| Zone | Which zone | Zone 1 (Process Control) |
| Threat scenario | Narrative description | Cybercriminal reaches Zone 1 via compromised engineering conduit |
| Threat source | Category | Cybercriminal |
| Vulnerability | What is exploited | S7comm has no authentication |
| Consequence | Impact score (1–5) | 3 (Serious) |
| Likelihood | Probability score (1–5) | 3 (Possible) |
| Initial risk | Matrix rating | High |
| SL-T | Target SL vector | (2, 2, 2, 1, 3, 2, 2) |
| SL-C | Current capability | (0, 1, 1, 1, 1, 0, 1) |
| Gap FRs | Which FRs have gaps | FR 1 (−2), FR 5 (−2), FR 6 (−2) |
| Remediation | Planned controls | Protocol-aware FW, ICS network monitor |
| Priority | P1–P4 | P1 |
| Owner | Responsible person | OT Security Lead |
| Target date | When gap will be closed | 2026-09-30 |
| Residual risk | Risk after controls | Medium |
| Status | Open / In progress / Closed | Open |
Building the register: step by step
Step 1: Import zone & conduit data
Start with the zone & conduit diagram from Module 0. Create a section for each zone.
Step 2: Import threat × vulnerability pairs
From Module 1, copy each threat scenario and its associated vulnerabilities. Each unique combination gets its own row.
Step 3: Add risk scores
From lesson 1.3, enter the consequence and likelihood scores. Calculate the risk rating using the risk matrix.
Step 4: Add SL-T and SL-C vectors
From Module 2, enter the SL-T vector for each zone and the measured SL-C from the gap analysis.
Step 5: Document gaps and remediations
From lesson 2.3, list each gap (FR and magnitude) and the planned remediation.
Step 6: Assign priorities, owners, and dates
Using the prioritisation matrix from lesson 2.3:
- P1 items need an owner and a 30-day target.
- P2 items need a 90-day target.
- P3 and P4 can align with planned maintenance windows.
Step 7: Estimate residual risk
For each row, estimate what the risk score will be after the planned controls are implemented. This is the residual risk.
Worked example
R-001 residual risk estimate:
After deploying a protocol-aware firewall (FR 5 → SL 3) and an ICS network monitor (FR 6 → SL 2), the attack path is significantly narrowed. Likelihood drops from 3 (Possible) to 2 (Unlikely). Consequence remains 3 (Serious). Residual risk: 3 × 2 = Medium — within the ALARP region.
Worked example: five-row register
| Risk ID | Zone | Threat | Vuln | C | L | Risk | Priority | Remediation | Residual |
|---|---|---|---|---|---|---|---|---|---|
| R-001 | Z1 Control | Cybercriminal via eng conduit | S7comm no auth | 3 | 3 | High | P1 | Protocol-aware FW | Medium |
| R-002 | Z2 SIS | Nation-state via DCS pivot | TriStation weak auth | 4 | 2 | High | P1 | Firmware upgrade + data diode | Low |
| R-003 | Z3 Supervisory | Ransomware via phishing | HMI runs Win 7, no whitelisting | 3 | 4 | High | P1 | AppLocker + OS upgrade | Medium |
| R-004 | Z4 Site Ops | Insider | Shared service accounts | 2 | 3 | Medium | P3 | Unique accounts + RBAC | Low |
| R-005 | Z5 Enterprise | Cybercriminal | Email phishing | 2 | 4 | Medium | P3 | Email gateway + MFA | Low |
Quality checks
Before submitting the register, verify:
- Completeness — every zone has at least one risk entry.
- Consistency — consequence scores align with the consequence scale defined in lesson 1.3.
- Traceability — every risk links back to a specific threat scenario and vulnerability.
- Actionability — every gap has an owner, a target date, and a verification method.
- Management sign-off — the tolerable risk threshold and any risk acceptances are approved by management.
Key Takeaways
- The risk register is the master document — it captures zones, threats, vulnerabilities, risks, gaps, and remediations.
- Build it incrementally: import zone data → threat pairs → risk scores → SL vectors → gaps → priorities.
- Every row must have an owner, a target date, and an estimated residual risk.
- The register is a living document — update it on any change in threat, vulnerability, or plant configuration.
- Quality checks: completeness, consistency, traceability, actionability, management sign-off.
Knowledge Check
3 questions — test your understanding before moving on.
Q1. What is the risk register in an IEC 62443-3-2 assessment?
- A list of all network devices on the plant.
- The master document capturing every zone, threat scenario, risk score, gap, remediation plan, and residual risk.
- A vendor catalog of available security products.
- A log of all security incidents at the plant.
The risk register is the single source of truth for the assessment. It captures every zone, threat × vulnerability pair, risk score, SL-T/SL-C vectors, gaps, remediations with owners and target dates, and estimated residual risk.
Q2. How often should the risk register be updated?
- Only when a security incident occurs.
- Once per year during the annual audit.
- Whenever a threat changes, a vulnerability is discovered, a control is implemented, or the plant configuration changes.
- Only when a new version of IEC 62443 is published.
The risk register is a living document. It must be updated whenever the threat landscape changes, a new vulnerability is discovered, a control is implemented or removed, or the plant configuration changes (new device, new conduit, process modification).
Q3. What are the five quality checks for a completed risk register?
- Cost, schedule, scope, quality, risk.
- Completeness, consistency, traceability, actionability, and management sign-off.
- Availability, integrity, confidentiality, authentication, authorisation.
- Design, build, test, deploy, monitor.
Before submission, verify: (1) Completeness — every zone has entries. (2) Consistency — scores align with defined scales. (3) Traceability — every risk links to a threat and vulnerability. (4) Actionability — every gap has an owner and date. (5) Management sign-off on thresholds and acceptances.