Yet some IACSs are more critical than others, and IEC 62443 recommends that an effective industrial cybersecurity program start with a thorough risk assessment.
Each IACS presents a different risk to an organisation, depending upon the threats it is exposed to, the likelihood of those threats arising, the inherent vulnerabilities in the system, and the consequences of a compromise.
To address this, IEC 62443 outlines a framework of five protection levels (PLs) that lets industrial companies determine the level of protection their security controls should meet in order to effectively mitigate each cybersecurity risk, based upon the criteria listed above.
A network asset discovery audit should also be conducted in conjunction with the risk assessment, to identify and collect data on the technology assets connected to an industrial network (PLCs, HMI and SCADA systems, IIoT devices and standard PCs), including the software and virtual machines that run on them.
This helps to map the interactions between devices, which can then be used to build a complete and up-to-date picture of the technology landscape and to establish a baseline for anomalous-activity and threat-detection purposes.
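The baseline described above can be made concrete with a small amount of code. The following Python script is an added example, not code from the original article, and IEC 62443 itself does not prescribe any tool. It merges an asset inventory (the output of a discovery audit) with the conversations observed during a learning period, then checks a later observation window and reports two kinds of deviation: a conversation involving a host the inventory never recorded, and a new conversation between two known assets. The inventory, the IP addresses and the flow records are all constructed for illustration; in a real deployment they would come from a passive monitoring sensor on a SPAN port or network tap.

```python
"""Asset baseline and anomaly check for an industrial network segment.

Added example; it is not code from the original article and IEC 62443 does not
prescribe any particular tool. Asset inventory and flow records are constructed
for illustration: in practice they would come from a passive monitoring sensor
or an asset-discovery tool fed by a SPAN port or network tap.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    """One observed conversation, summarised by endpoints, protocol and port."""
    src: str
    dst: str
    proto: str      # application protocol label, e.g. "modbus" or "s7comm"
    dst_port: int


@dataclass
class Baseline:
    """Known assets (ip -> role) plus the set of conversations seen between them."""
    assets: dict = field(default_factory=dict)
    conversations: set = field(default_factory=set)


def build_baseline(inventory, flows):
    """Merge the discovery inventory with the conversations observed during
    the learning period to form the reference picture of the network."""
    baseline = Baseline(assets=dict(inventory))
    for f in flows:
        baseline.conversations.add((f.src, f.dst, f.proto, f.dst_port))
    return baseline


def check_window(baseline, flows):
    """Compare one observation window against the baseline.

    Returns a list of (severity, message) tuples, one per distinct deviation:
    - "high" when either endpoint is not in the asset inventory at all;
    - "medium" when both endpoints are known but this conversation is new.
    Conversations already in the baseline produce no finding.
    """
    findings = []
    seen = set()
    for f in flows:
        key = (f.src, f.dst, f.proto, f.dst_port)
        if key in seen or key in baseline.conversations:
            continue
        seen.add(key)
        unknown = [ip for ip in (f.src, f.dst) if ip not in baseline.assets]
        if unknown:
            findings.append(("high", f"unknown asset {unknown} in {key}"))
        else:
            findings.append(("medium", f"new conversation between known assets {key}"))
    return findings


# Constructed inventory: what an asset-discovery audit of one cell might record.
INVENTORY = {
    "10.0.10.5": "engineering workstation",
    "10.0.10.20": "HMI",
    "10.0.20.11": "PLC (line 1)",
    "10.0.20.12": "PLC (line 2)",
}

# Constructed learning-period flows: HMI polls both PLCs, the EWS programs PLC 1.
LEARNING_FLOWS = [
    Flow("10.0.10.20", "10.0.20.11", "modbus", 502),
    Flow("10.0.10.20", "10.0.20.12", "modbus", 502),
    Flow("10.0.10.5", "10.0.20.11", "s7comm", 102),
]

# Constructed later window: one normal poll, one new EWS -> PLC 2 session, and a
# host that the discovery audit never recorded talking Modbus to PLC 1.
LATER_WINDOW = [
    Flow("10.0.10.20", "10.0.20.11", "modbus", 502),
    Flow("10.0.10.5", "10.0.20.12", "s7comm", 102),
    Flow("10.0.10.99", "10.0.20.11", "modbus", 502),
    Flow("10.0.10.99", "10.0.20.11", "modbus", 502),   # repeat, reported once
]


def run_example():
    """Build the baseline from the constructed data and check the later window."""
    baseline = build_baseline(INVENTORY, LEARNING_FLOWS)
    return check_window(baseline, LATER_WINDOW)


if __name__ == "__main__":
    for severity, message in run_example():
        print(f"[{severity}] {message}")
```

The severity split mirrors the point of the audit: an endpoint missing from the inventory means the asset picture is incomplete (or a device was added without change control), which is worth investigating before anything else, whereas a new conversation between two inventoried devices is most often a legitimate change that the baseline simply has to learn. Either way, the baseline should be refreshed from the discovery data whenever the plant changes, otherwise the detection becomes noise.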