About this sample: This document represents the output of the thinking. The value is in the conversations that produced it — the site walk, the stakeholder interviews, the engineering judgements made along the way. What you are reading is the record. The work that matters happened before the first page was written.
Assessment Parameters
Client: [REDACTED]
Site: [REDACTED]
Sector: [REDACTED]
Assessment Date: [REDACTED]
Lead Engineer: [REDACTED]
Framework: IEC 62443-3-2 / NIST SP 800-30
Risk Landscape Overview

This assessment identified [N] risk scenarios across the assessed environment. Of these, [N] are rated High or Critical requiring prioritised treatment. The primary risk drivers are inadequate network segmentation, uncontrolled vendor remote access, and the absence of OT-specific incident response capability.

The overall residual risk posture is assessed as HIGH against the agreed target of MEDIUM within 12 months. A structured treatment plan is included in Section 04.

Impact-Weighted Scoring
Safety & Personnel: High
Production & Availability: High
Environmental Impact: Medium
Regulatory & Compliance: Medium
Reputational: Medium
Note: Scores above are illustrative sample values from a representative engagement. Your actual scores will reflect your specific environment, threat profile, and existing controls.
Identified Risk Scenarios

The following is an extract from the full risk register. Each scenario is documented with likelihood rating, consequence analysis, and treatment options.

| Risk ID | Scenario | Likelihood | Consequence | Rating |
|---|---|---|---|---|
| RA-001 | Ransomware via IT/OT lateral movement — encrypts historian and engineering workstations, halting production visibility | High | Production shutdown — estimated [X] hrs | Critical |
| RA-004 | Vendor remote access compromise — attacker gains authenticated session to SCADA via shared VPN credential | High | Process manipulation possible | High |
| RA-007 | PLC firmware modification by insider — authorised user alters setpoints outside safety limits | Medium | Safety system activation risk | High |
| RA-011 | Supply chain compromise via software update — malicious code introduced through legitimate vendor update channel | Low | Persistent access, difficult to detect | Medium |
| RA-015 | Data exfiltration from historian — competitive intelligence extracted via unsecured historian web interface | Medium | IP loss, regulatory notification | Medium |
Priority Actions
| Phase | Timeframe | Actions | Risk IDs |
|---|---|---|---|
| Immediate | 0–30 days | Remove shared VPN credential. Implement individual vendor accounts with session recording. | RA-004 |
| Phase 1 | 30–90 days | Implement IT/OT boundary firewall. Deploy historian network isolation. Develop OT incident response plan. | RA-001, RA-015 |
| Phase 2 | 90–180 days | Deploy passive OT monitoring. Implement insider threat controls on PLC access. Software update verification process. | RA-007, RA-011 |
On ownership: Every action in the full treatment plan is assigned to a named role, not a team. "The IT department" does not act — a named individual with authority does. Where accountability is diffuse, remediation stalls. NEXUS treatment plans are written to be assigned, not filed.
What this enables: The full Risk Assessment Report includes all identified scenarios (typically 15–40), a complete impact-weighted risk register, treatment plan with effort and cost estimates, and an executive risk dashboard suitable for board reporting.