The initial cybersecurity risk assessment (or high-level risk assessment as it was previously called) is an important step in the cybersecurity lifecycle. It is at this point that the basis for network segmentation and creating zones and conduits for an industrial control system (ICS) starts. At this stage the “worst case unmitigated cyber security risk” for any scenario is documented to allow assets to be grouped into areas of similar risks. Several methodologies have been adopted to complete this task, and two of the most common are asset-based and PHA-based, each with a slightly different focus and approach. One common question that we receive when conducting initial risk assessments, is if any protections can be credited. At this stage no cybersecurity protections can be credited, but what about non-hackable safety protections? In this webinar we will review similarities and differences between these two approaches to initial risk assessment and answer the question of whether or not we can look at non-hackable protections during the initial risk assessment.