Accurate cyber security checks for industrial control systems (OT risk assessments), carried out in line with international standards like IEC 61511 and IEC 62443-3-2 and the UK's OG-0086, are essential for preventing losses and ensuring safe operation. IEC 61511 requires a security check for all instrumented safety systems, while OG-0086 specifically demands evaluating cyber defenses against the risks of Major Accidents: companies must analyze the potential cyber impact on every safety barrier shown in their accident diagrams (bowtie diagrams).
Since various methods exist for these checks—differing on how to determine the worst possible impact or threat likelihood—this paper will outline the key steps for effective assessment, including reviewing common techniques, comparing the flexible approach of IEC 62443-3-2 with the detailed instructions of OG-0086, and emphasizing the need to create realistic cyber threat scenarios and use a network map called a zone and conduit model.
This paper was originally presented at the IChemE Hazards 35 Process Safety Conference on November 4–6, 2025 in Birmingham, UK.