OT Cyber Risk Assessment: Asset Vs Function Focused

OT systems are responsible for managing and controlling physical processes in sectors such as manufacturing, energy, transportation, utility, and healthcare. These systems have become increasingly integrated with Information Technology (IT) networks, making them more vulnerable to cyber threats. Operational Technology (OT) risk assessments are critically important for cybersecurity.

Why Conduct OT Cyber Risk Assessment?

Cyber risk assessment assists in structurally determining which cyber risks are present in the industrial environment. It is possible to understand the effectiveness of (existing) countermeasures only after explicitly identifying these risks. This, in turn, makes it possible to reason about new countermeasures, if they are needed, and their potential effectiveness.

Furthermore, assessing the severity of the identified risks enables deciding on and prioritizing countermeasures and making an informed decision if the costs of implementing them weigh up against the potential consequences. Moreover, performing a risk assessment will create a complete overview of the strengths and weaknesses of your organization. This overview can, in turn, be used to improve preparedness during a cyberattack or prevent one by addressing the identified weaknesses.

Here are some key reasons why OT risk assessments are essential for cybersecurity:

  • Identify Vulnerabilities
  • Prioritize Security Measures
  • Compliance and Regulations
  • Threat Landscape Understanding
  • Incident Response Planning
  • Business Continuity
  • Supply Chain Security
  • Integration with IT Security
  • Cost Savings
  • Stakeholder Confidence

This article presents an overview of prominent methodologies for conducting OT cyber risk assessments. It covers asset-focused and function-focused methodologies. These methodologies help in identifying cyber risks, analyzing their impact, and recommending appropriate protections and mitigations. 

Asset-Focused and Function-Focused OT Cyber Risk Assessments

Asset-focused and function-focused OT (Operational Technology) cyber risk assessments are two different approaches to evaluating and managing cybersecurity risks in industrial and critical infrastructure environments. These approaches have distinct methodologies and priorities:

Asset-Focused OT Cyber Risk Assessment

Asset-focused assessments primarily center on identifying and securing specific assets within an industrial network. These assets could include machines, sensors, controllers, DCS, PLCs (Programmable Logic Controllers), SCADA (Supervisory Control and Data Acquisition) systems, and other hardware and software components.

This Methodology has the following Key characteristics which considers how cyber assets can be exploited by threat agents to perform disruption.

  • Identification and inventory of all assets within the industrial environment.
  • Asset classification based on their criticality to operations and their vulnerability to cyber threats.
  • Focusing on vulnerabilities and security measures related to individual assets.
  • Identification and documenting worst case potential consequences as a function of process area.
  • Documenting ease of propagation with open communication.
  • Prioritization of asset protection and mitigation efforts based on their importance to the functioning of the industrial process.
  • Selection of target security level for each asset category as a function of process/utility area.
  • Often used in asset-rich environments where understanding the specific vulnerabilities of each component is crucial.
  • Verify risk criteria are adequate for cyber risk management

A diagram of a risk management system

Description automatically generated

Function-Focused OT Cyber Risk Assessment

Function-focused assessments take a broader view and emphasize the critical functions or processes that an industrial facility performs. Instead of concentrating on individual assets, these assessments assess the overall functionality of the system.

This Methodology has the following Key characteristics:

  • Identification and mapping of critical functions or processes that could be disrupted by cyberattacks.
  • Assessment of dependencies and interconnections between various functions and systems.
  • Gaining a holistic understanding of the System Under Considerations (SuC’s) functionality and interactions between humans and system components.
  • Documentation and data flow diagrams are created in an intuitive way, even without existing system documentation or asset inventory.
  • Evaluation of the potential impact of a cyber incident on the continuity and safety of industrial operations.
  • Prioritization of risk mitigation efforts based on the importance of maintaining critical functions.
  • Often used in environments where the overall system’s functionality and resilience are more critical than individual asset protection.

Technical Risk Assessment

A Technical Risk Assesses the security vulnerabilities, actual security level and the gap between the actual and target security level following the IEC-62443. Also, any risks associated with network assets (e.g., software, network, and computers) are determined. Additionally, detailed scan of network is performed for in-depth asset visibility and complete threat analysis for network and connected assets.

Operational Risk Assessment

The Operational Risk Assessment defines the security risk associated with the organization and processes (e.g., incident management) and determines the risk associated with Cyber Security Management System.

Business Risk Assessment

The Business Risk Assessment determines the security risk associated with uncertain conditions from the OT domain that could be a threat to an organization’s business continuity.


In summary, asset-focused OT cyber risk assessments are concerned with securing specific components or assets within an industrial network, while function-focused assessments are concerned with ensuring the continuity and reliability of critical processes and functions. The choice between these approaches often depends on the specific context, goals, and priorities of the organization or facility conducting the assessment. In practice, a combination of both approaches may be used to comprehensively manage cyber risks in industrial environments, as they can complement each other to provide a holistic view of the cybersecurity landscape.

Are you looking for more information on our people, technology, and solutions? 

Browse aristame.com


Deepak Malwade

I am an OT Cybersecurity Director and Co-Founder at Arista Middle East, a leading provider of cybersecurity solutions and services for industrial control systems (ICS) and operational technology (OT) in various sectors, such as petrochemical, power and oil and gas. I have over 32 years of experience in control systems, automation, instrumentation, and cybersecurity, and I hold Project Management (PMP) and Cybersecurity certifications from globally recognized organizations.

Leave a comment

Your email address will not be published. Required fields are marked *