Risk
IEC 62443-Aligned OT Cyber Risk Assessments
Meridian Consultants provides engineering-led OT cyber risk assessments for industrial control systems, supporting project teams, asset owners and suppliers who need to understand cybersecurity risk in the context of safety, operations, availability and real engineering constraints. Assessments can be aligned with IEC 62443, the Cyber Assessment Framework and other applicable requirements depending on the site, sector, project stage and assurance need.
Service detail
OT cyber risk assessment support for industrial control systems, project assurance and practical mitigation planning.
OT cybersecurity risk assessments should not be treated as generic IT risk exercises. Industrial environments have different consequences, different constraints and different failure modes.
A credible OT cyber risk assessment needs to consider how control systems are designed, operated, maintained and supported. That includes network architecture, remote access, supplier dependencies, legacy assets, safety interfaces, operational availability, engineering workstations, backups, recovery arrangements and project documentation.
Meridian supports risk assessments that turn these issues into clear findings, practical mitigations and evidence that can be used by engineering, operations, cybersecurity and assurance teams.
The problem
Industrial cybersecurity risks are often difficult to assess because the important context sits across multiple teams and documents.
A risk may involve a PLC, HMI, engineering workstation, remote support route, unmanaged switch, firewall rule, historian connection, supplier laptop, obsolete operating system or undocumented interface between IT and OT.
If these risks are assessed without understanding the control system and the operational consequences, the output becomes too generic to support real decisions.
Assessment findings often connect to insecure remote access, legacy control systems and weak segregation that may need network segmentation engineering.
- loss of view
- loss of control
- loss of availability
- unsafe or degraded operation
- unauthorised remote access
- malware transfer into OT
- supplier or vendor compromise
- weak segregation between IT and OT
- unsupported or unpatched systems
- poor backup and recovery arrangements
- unclear ownership of mitigations
- gaps in project assurance evidence
What we do
Meridian conducts OT cyber risk assessments that are shaped around the control system, the project stage and the assurance requirement.
The assessment may include review of architecture, assets, remote access, supplier interfaces, existing controls, project documentation and operational constraints. Where appropriate, the work can be aligned with IEC 62443 concepts such as System under Consideration, zones and conduits, target security levels, foundational requirements and risk-based mitigation.
Depending on the requirement, the assessment may also consider CAF outcomes, client standards, sector expectations, internal security policies or project-specific cybersecurity requirements.
The aim is not to produce a generic risk report. The aim is to create a risk position that engineering and operational teams can actually use. For wider assessment context, Meridian can combine this with OT cybersecurity assessments and IEC 62443 support.
Practical activities
Typical assessment activities may include:
- defining the system or project scope
- identifying key OT assets and interfaces
- reviewing network architecture and segmentation
- reviewing remote access routes and supplier support paths
- identifying credible OT cyber threat scenarios
- assessing operational and engineering consequences
- reviewing existing controls and gaps
- mapping risks to IEC 62443, CAF or client requirements where applicable
- developing a practical cybersecurity risk register
- identifying proportionate mitigations
- recording residual risk and ownership
- preparing evidence for project, assurance or governance review
Deliverables
- OT cybersecurity risk assessment report
- cybersecurity risk register
- System under Consideration summary
- zone and conduit review
- threat scenario summary
- existing control and gap review
- mitigation plan
- residual risk statement
- action tracker
- workshop record
- evidence list for project assurance
- recommendations for further design, testing or verification
Framework alignment
Assessments can be structured around the framework or assurance requirement that applies to the client, project or sector.
The assessment is tailored to the actual requirement rather than forcing every project into the same template.
Where projects require test and handover evidence, the assessment can also support FAT and SAT cybersecurity assurance.
- IEC 62443-aligned risk assessment
- Cyber Assessment Framework-aligned review
- client cybersecurity standards
- internal OT security policies
- supplier assurance requirements
- project-specific cybersecurity requirements
- design review, FAT, SAT or handover evidence requirements
Where this service is useful
This service is particularly useful when:
- a new control system is being connected to an existing OT network
- a project needs cybersecurity assurance evidence
- a site has legacy PLC, SCADA or HMI systems
- remote access arrangements have grown without formal review
- supplier packages need to be integrated into a wider control system
- an asset owner needs to understand current OT cyber risk
- a project needs to define zones, conduits or target security levels
- risk ownership and mitigation actions are unclear
- a client needs a practical risk register rather than a generic cyber report
Example scenario
An energy operator needed to understand the cybersecurity risks associated with connecting new monitoring and reporting systems to an existing operational control network.
The assessment reviewed the system boundary, network interfaces, supplier access routes, data flows, existing controls and operational constraints. Risks were recorded in a structured register and mapped to practical mitigations that could be progressed through engineering design, configuration, testing and assurance activities.
The output gave the project team a clearer view of cyber risk, residual risk, action ownership and the evidence needed to support later design and assurance reviews.
Risk assessment quality improves when drawings, asset records, remote access information, supplier interfaces and operational constraints are prepared before review.
The OT cybersecurity assessment preparation guide and zones and conduits explainer provide useful preparation context.
Supplier package reviews can also be supported where the assessment identifies package interfaces, vendor access routes or evidence gaps. See supplier cybersecurity review.
Related guidance
Continue through related service, problem and resource pages for the same OT cybersecurity topic.
Discuss an OT cyber risk assessment
Speak to Meridian Consultants about an IEC 62443-aligned OT cyber risk assessment for an industrial control system, project, supplier package or operational site. We can review the control system context, project stage, available documentation and assurance requirement before recommending a proportionate assessment approach.