Module 3: Risk register workshop (2/2)
Presenting and defending your assessment
Duration: 40 min
The assessment is only as good as the audience's trust in it
A technically perfect risk register is worthless if the review panel — plant management, the safety team, the CISO, regulators — does not understand or trust it. This lesson teaches you how to present your IEC 62443-3-2 assessment and defend your decisions under questioning.
The presentation structure
1. Executive summary (5 min)
Start with the answer, not the methodology:
- Number of zones assessed.
- Number of risks identified: how many Critical, High, Medium, Low.
- Top 3 risks by priority — one sentence each.
- Total remediation cost estimate and timeline.
- Residual risk posture after remediation.
Key takeaway
Lead with the "so what"
Management does not want to hear about Foundational Requirements. They want to know: "Are we at risk? How much will it cost to fix? What happens if we don't?"
2. Zone & conduit overview (5 min)
Show the zone & conduit diagram. Walk through:
- How many zones, how they map to the plant's physical layout.
- Where the IDMZ is (or isn't).
- The SIS zone and why it has the highest SL-T.
3. Key findings (10 min)
Present the top 5 findings from the gap analysis. For each:
- What the gap is — in plain language, not FR/SR codes.
- What could happen — the threat scenario in one sentence.
- What it costs to fix — ballpark estimate.
- What happens if we don't fix it — the residual risk.
Worked example
Finding 1: The PLCs accept commands from any device on the network — there is no authentication. An attacker who reaches the control network can change chemical dosing setpoints. A protocol-aware firewall ($15K) would restrict access to the engineering workstation only. Without it, the risk of a water-safety incident remains High.
4. Remediation roadmap (5 min)
Present the prioritised remediation plan:
| Phase | Timeline | Actions | Cost |
|---|---|---|---|
| Phase 1 | 0–30 days | Deploy protocol-aware FW, install data diode on SIS conduit | $65K |
| Phase 2 | 30–90 days | Deploy ICS network monitor, upgrade SIS firmware | $120K |
| Phase 3 | 90–180 days | AppLocker on HMIs, unique accounts, OS upgrades | $45K |
| Phase 4 | Next outage | Full SL-T validation and reassessment | $30K |
5. Risk acceptances (5 min)
If any risks are being accepted rather than remediated, present them explicitly:
- What risk is being accepted.
- Why — the cost-benefit justification.
- What compensating controls are in place.
- When the acceptance will be reviewed (must have an expiry date).
Defending your decisions
Common challenges and responses
"Why can't we just put everything at SL 4?"
SL 4 requires hardware-backed credentials and formal verification — very few commercial ICS products support it. Over-specifying SL-T inflates costs without proportionate risk reduction. Our SL-T assignments are calibrated to the actual threat landscape for a municipal water utility.
"The safety team already handles risk. Why do we need a cyber risk register?"
The safety team assesses random failure. Cyber risk assessment addresses intentional adversaries — a different probability model. The TRITON incident showed that a SIL 3-rated safety controller can be compromised if the cyber risk is not assessed independently. The two registers complement each other.
"This will cost $260K. Can we do it for less?"
Phase 1 ($65K) addresses the two highest risks and reduces the overall posture from Critical to High. If budget is constrained, implement Phase 1 immediately and defer Phases 2–4. But the residual risk for Phases 2–4 must be formally accepted by management.
"How do we know the assessment is correct?"
The methodology follows IEC 62443-3-2 clause by clause. The threat scenarios are based on real incidents (Stuxnet, TRITON, Oldsmar). The SL-T assignments are validated against the ALARP principle. We recommend an independent third-party review of the register within 12 months.
The 200-word executive summary template
Use this structure for the written summary:
Scope: [Number] zones assessed across [plant name], covering [number] assets from Level 0 to Level 4.
Key findings: [Number] risks identified — [X] Critical, [Y] High, [Z] Medium. The top risk is [one-sentence description]. The most common gap is [FR name] — [plain-language description].
Remediation: A four-phase plan totalling $[amount] over [timeline]. Phase 1 ($[amount], [timeline]) addresses the [X] Critical/High risks and reduces the overall posture to [target].
Risk acceptances: [Number] risks are recommended for acceptance with compensating controls, pending management approval. The highest accepted risk is [description] with a review date of [date].
Recommendation: Approve Phase 1 immediately. Schedule Phase 2 within [timeline]. Conduct a reassessment after Phase 4 to validate the achieved SL-A against SL-T.
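As an added example (not part of the course material), the script below fills the "Key findings" and "Remediation" lines of the template from a small, constructed risk register, sums the lesson's four-phase roadmap, and checks that a risk acceptance carries every element this lesson requires (justification, compensating controls, sign-off, and a review date that has not already passed). The register entries and the field names are assumptions chosen for illustration.

```python
from collections import Counter

SEVERITY_ORDER = ["Critical", "High", "Medium", "Low"]
# Constructed sample register: illustrative findings, not the course's reference plant data.
RISKS = [
    {"id": "R1", "severity": "Critical", "gap": "FR 1 (IAC)",
     "summary": "PLCs accept unauthenticated commands from any device on the control network"},
    {"id": "R2", "severity": "Critical", "gap": "FR 5 (RDF)",
     "summary": "the SIS conduit is not isolated from the control network"},
    {"id": "R3", "severity": "High", "gap": "FR 1 (IAC)",
     "summary": "one shared operator account is used on every HMI"},
    {"id": "R4", "severity": "Medium", "gap": "FR 6 (TRE)",
     "summary": "no monitoring on the IDMZ conduit"},
]
# Remediation roadmap from the lesson's table, cost in $K.
PHASES = [("Phase 1", 65), ("Phase 2", 120), ("Phase 3", 45), ("Phase 4", 30)]

def severity_counts(risks):
    """Risk count per severity, in the order the executive summary reports them."""
    c = Counter(r["severity"] for r in risks)
    return {s: c.get(s, 0) for s in SEVERITY_ORDER}

def top_risks(risks, n=3):
    """Top-n risks by severity (stable sort keeps register order within a severity)."""
    return sorted(risks, key=lambda r: SEVERITY_ORDER.index(r["severity"]))[:n]

def total_cost(phases):
    return sum(cost for _, cost in phases)

def validate_acceptance(acc, today):
    """Return the list of missing elements (empty = complete). Dates are ISO strings,
    so plain text comparison orders them correctly."""
    problems = [f"missing {f}" for f in ("risk_id", "justification", "compensating_controls", "approved_by")
                if not acc.get(f)]
    review = acc.get("review_date")
    if not review:
        problems.append("missing review_date")
    elif review <= today:
        problems.append("review_date already passed")  # an acceptance must never be open-ended
    return problems

def executive_summary(risks, phases, target="High"):
    """Fill the 'Key findings' and 'Remediation' lines of the lesson's template."""
    c = severity_counts(risks)
    top = top_risks(risks, 1)[0]["summary"]
    gap = Counter(r["gap"] for r in risks).most_common(1)[0][0]
    return (f"Key findings: {len(risks)} risks identified: {c['Critical']} Critical, "
            f"{c['High']} High, {c['Medium']} Medium. The top risk is: {top}. "
            f"The most common gap is {gap}. Remediation: A four-phase plan totalling "
            f"${total_cost(phases)}K. Phase 1 (${phases[0][1]}K) addresses the "
            f"{c['Critical']} Critical risks and reduces the overall posture to {target}.")
```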
Key Takeaways
- Lead with the "so what" — risks, costs, consequences — not methodology.
- Present the zone diagram, top 5 findings, remediation roadmap, and risk acceptances.
- Prepare for challenges: over-specification, cost, relationship to safety, and assessment validity.
- Any risk acceptance must have a cost-benefit justification, compensating controls, and a review date.
- Use the 200-word executive summary template for the written report.
Lab exercise
Using the reference water-treatment plant from Module 0, write a 200-word executive summary covering:
- Number of zones and assets assessed.
- Top risk finding.
- Remediation cost estimate for Phase 1.
- One risk acceptance with justification.
Knowledge Check
3 questions — test your understanding before moving on.
Q1. When presenting a risk assessment to management, what should you lead with?
- A detailed explanation of the IEC 62443 Foundational Requirements.
- The executive summary: number of risks, top 3 priorities, remediation cost, and residual risk posture.
- The technical details of every CVE found.
- A comparison of firewall vendors.
Management wants the 'so what' — how many risks, what they cost to fix, and what happens if they do not fix them. Lead with the executive summary: risk counts by severity, top findings in plain language, total remediation cost, and projected residual risk.
Q2. If a plant manager challenges the assessment with 'This will cost $260K — can we do it for less?', what is the appropriate response?
- Reduce all SL-T values to SL 1 to lower costs.
- Explain that Phase 1 addresses the highest risks first, and defer later phases — but require management to formally accept the residual risk for deferred items.
- Remove the most expensive items from the risk register.
- Ask the equipment vendors to absorb the costs.
Phased remediation allows the highest-priority risks to be addressed first within budget. If later phases are deferred, the residual risk for those items must be formally accepted by management with documented justification and a review date.
Q3. What must every formal risk acceptance include?
- A vendor warranty certificate.
- A cost-benefit justification, compensating controls, management approval, and a review/expiry date.
- A penetration test report.
- An insurance policy number.
Risk acceptances are formal decisions. Each must include: what risk is being accepted, why (cost-benefit justification), what compensating controls are in place, management sign-off, and a review date so the acceptance does not become permanent without reassessment.