• ISA provides technical resources and standards to help industrial automation professionals advance their careers and the field. We enable automation professionals worldwide to solve problems and enhance their skills by bringing people together to create new technologies and share best practices with future automation professionals.
    • Industry Insights

  • We attract over 140,000 unique automation professionals monthly, making us the premier online content provider and the only dedicated electronic magazine in the automation industry.

    Monthly Magazine

    • More things to read

    Back
    Back
  • M logo for Automation.com Monthly. Link to current issue.

Simplifying Likelihood in OT Risk Assessments: A Practical ISA/IEC 62443 Perspective

By: Naveen Menon
Source: ISA Global Cybersecurity Alliance
27 May, 2026
4 min read
Feature Image for Simplifying Likelihood in OT Risk Assessments: A Practical ISA/IEC 62443 Perspective
Let's discuss a practical approach to simplify likelihood assessment in OT environments by defining it as a function of access exposure and exploitability.

Let's discuss a practical approach to simplify likelihood assessment in OT environments by defining it as a function of access exposure and exploitability. This model improves consistency, aligns with ISA/IEC 62443 concepts and enables more actionable risk evaluation.

Risk in cybersecurity is typically assessed using the relationship:

Risk = Likelihood × Consequence

This relationship is also reflected in the ISA 62443 3-2 risk assessment framework and uses threat and vulnerabilities to characterize the scenarios and their likelihood. While consequences are often easier to define — especially in operational or financial terms — likelihood tends to be more subjective, particularly in OT environments where validated datasets are limited. As a result, risk assessments often rely on qualitative judgments, leading to inconsistencies across assessors and challenges in prioritization. This subjectivity often reduces stakeholder confidence, particularly when risk is expressed in qualitative terms such as “high” or “severe” without clear numerical grounding. This is particularly evident when traditional models are applied directly to OT systems without considering operational realities such as legacy infrastructure, segmented networks and constrained maintenance windows.

This article proposes a simplified model to operationalize likelihood by focusing on two key dimensions:

Likelihood = Access Exposure × Exploitability

The above definition provides a practical basis for consistently evaluating likelihood in OT environments. This approach is meant to offer a structured way to interpret likelihood in a manner that is consistent, practical and aligned with real-world industrial environments. While ISA/IEC 62443 provides structured guidance for identifying threats, vulnerabilities and zones, the practical quantification of likelihood remains open to interpretation. 

Figure 1: Likelihood Determination Matrix

Figure 1 presents a practical representation of how likelihood can be derived by combining access exposure and exploitability. This model aligns with ISA/IEC 62443 concepts such as zones, conduits and security levels, where both accessibility and attacker capability influence required protection levels.

Understanding access exposure

Access exposure reflects how easily a system can be reached by a potential threat actor. In OT environments, this is influenced by a combination of network architecture, connectivity and implemented security controls.

From practical experience, access exposure can be broadly understood through factors such as:

  • Level of connectivity: Whether the system is exposed to the internet, accessible via enterprise networks, vendor remote access or isolated within control networks. 
  • Segmentation and perimeter controls: The effectiveness of zoning, firewalls and boundary protections in limiting access pathways. 
  • Access pathways: Remote access mechanisms such as VPNs, jump hosts or direct connections, which can significantly increase exposure if not properly secured. 
  • Physical access considerations: In certain environments, physical access can also play a role, particularly where devices are accessible within operational areas. 
Advertisement

By evaluating these aspects, systems can be categorized along a spectrum ranging from very high exposure (easily reachable) to minimal exposure (highly restricted and well-protected).

Understanding exploitability

Exploitability reflects the level of effort and complexity required to successfully exploit a vulnerability in a system. Unlike purely theoretical probability models, exploitability in OT environments is better understood in terms of:

  • Vulnerability ceverity: The presence of critical or high-impact vulnerabilities that can be leveraged. Exploitability can be informed by established frameworks such as CVSS, which consider factors like attack complexity, required privileges and access vectors.
  • Threat capability: The skill level, resources, and motivation of potential threat actors. This aligns with the concept of Security Levels (SL) in ISA/IEC 62443, where threat capability plays a key role in defining protection requirements. Hence, understanding and profiling threat actors is important when assessing exploitability.
  • System and configuration weaknesses: Factors such as default credentials, outdated systems or lack of hardening. 

A practical way to represent exploitability is through an effort-based scale:

  • Trivial: Minimal effort required, commonly known weaknesses or default configurations 
  • Easy: Low effort with basic tools or techniques 
  • Moderate: Requires some expertise or multiple steps 
  • Difficult: Requires advanced skills or specific conditions 
  • Complex: Highly challenging, requiring significant expertise and resources 

This approach allows teams to move beyond abstract probability and instead assess how feasible it is for an attacker to successfully exploit a system.

Bringing it together

When access exposure and exploitability are considered together, they provide a clearer and more consistent basis for determining likelihood. For instance, a remotely accessible engineering workstation with default credentials represents high exposure and trivial exploitability, resulting in a very high likelihood. An isolated PLC in a segmented control network with no remote access, where exploitation requires physical access and advanced reverse engineering of proprietary firmware has low exposure and complex exploitability, resulting in a low likelihood.

Figure 2: Applying the matrix in Risk Assessment.

Figure 2 illustrates how a high-exposure, low-effort exploitation scenario maps to an “Almost Certain” likelihood outcome. This combined view helps reduce subjectivity and improves alignment between technical teams, operations and management stakeholders.

Why this approach works in OT environments

From a practical implementation perspective, this approach offers several advantages:

  • Consistency: Provides a repeatable way to assess likelihood across different assets and environments. 
  • Clarity: Breaks down likelihood into understandable and measurable components.
  • Alignment with operations: Reflects how systems are actually accessed and exploited in real environments. 
  • Improved prioritization: Helps focus efforts on high-risk scenarios where both exposure and exploitability are significant. 
  • Management confidence: Providing a structured and repeatable methodology also enables better quantification of risk, improving management confidence and supporting informed decision-making. 

Importantly, this approach complements frameworks such as ISA/IEC 62443 by providing a practical interpretation layer, rather than replacing existing methodologies.

Conclusion

Simplifying likelihood is not about reducing rigor; it is about making risk assessment actionable in real OT environments. By grounding likelihood in exposure and exploitability, organizations can move from subjective scoring to more consistent, defensible and operationally relevant risk decisions. This practical perspective enables more consistent risk evaluation, better prioritization of security efforts and ultimately contributes to building more resilient industrial environments.

In future discussions, this foundation can be extended to explore how these likelihood assessments translate into security levels and risk reduction strategies within the ISA/IEC 62443 framework.

The opinions and views expressed are solely those of the author and do not necessarily reflect any official policy, position or views of the International Society of Automation (ISA), Automation.com or the ISA Global Cybersecurity Alliance (ISAGCA). 

Advertisement

Trending Articles

Advertisement

Related Articles

View all Articles and News
Advertisement
Advertisement