{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,17]],"date-time":"2026-04-17T16:18:40Z","timestamp":1776442720575,"version":"3.51.2"},"reference-count":27,"publisher":"Springer Science and Business Media LLC","issue":"2","license":[{"start":{"date-parts":[[2025,2,14]],"date-time":"2025-02-14T00:00:00Z","timestamp":1739491200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2025,2,14]],"date-time":"2025-02-14T00:00:00Z","timestamp":1739491200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"funder":[{"DOI":"10.13039\/501100004434","name":"Universit\u00e0 degli Studi di Firenze","doi-asserted-by":"crossref","id":[{"id":"10.13039\/501100004434","id-type":"DOI","asserted-by":"crossref"}]}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Int. J. Inf. Secur."],"published-print":{"date-parts":[[2025,4]]},"abstract":"<jats:title>Abstract<\/jats:title>\n          <jats:p>Industrial automation control systems (IACS) are employed in current critical infrastructures and industrial plants spanning very different domains, and the transformation process towards Industry 4.0 is further increasing the dependencies on such systems. Since IACS can be exposed to malicious threats that could lead to catastrophic consequences, it is extremely important to assess the cybersecurity risk of these systems, to identify the possible threats, their impact, likelihood, and possible countermeasures. The ISA\/IEC 62443 series of standards is suited for the design and security risk analysis of IACS, and has been submitted to the International Standards on Auditing and International Electrotechnical Commission for global adoption as international standards. In this paper, we focus on the zone and conduit requirement 5 (ZCR 5) of the 62443-3-2 part of the standard, which provides the steps for detailed cybersecurity risk assessment of IACS. These steps are fundamental to identify threats related to the system, determine the risk associated with them, and derive appropriate countermeasures. We provide a methodology for conducting a detailed risk assessment of IACS that is compliant with all the steps of the ZCR 5 and integrates the following features: (i) capability to manage the complexity of the assessment process, (ii) capability to select tailored countermeasures for critical assets through the identification of attack paths, (iii) explicit involvement of the asset owner in the key steps of the assessment process, and (iv) tool-supported. We illustrate the methodology by applying it to a case study of a power plant using gas turbines.<\/jats:p>","DOI":"10.1007\/s10207-025-00990-9","type":"journal-article","created":{"date-parts":[[2025,2,14]],"date-time":"2025-02-14T04:57:51Z","timestamp":1739509071000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":7,"title":["A cybersecurity risk assessment methodology for industrial automation control systems"],"prefix":"10.1007","volume":"24","author":[{"given":"Francesco","family":"Brancati","sequence":"first","affiliation":[]},{"given":"Diamantea","family":"Mongelli","sequence":"additional","affiliation":[]},{"given":"Francesco","family":"Mariotti","sequence":"additional","affiliation":[]},{"given":"Paolo","family":"Lollini","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2025,2,14]]},"reference":[{"key":"990_CR1","doi-asserted-by":"publisher","first-page":"103174","DOI":"10.1016\/j.cose.2023.103174","volume":"128","author":"Ferhat Arat","year":"2023","unstructured":"Arat, Ferhat, Akleylek, Sedat: Attack path detection for iiot enabled cyber physical systems: revisited. Comput. Sec. 128, 103174 (2023). https:\/\/doi.org\/10.1016\/j.cose.2023.103174","journal-title":"Comput. Sec."},{"key":"990_CR2","doi-asserted-by":"publisher","unstructured":"Baybulatov, A., Promyslov, G.: A metric for the iacs availability risk assessment. In: Proceedings - 2022 International Russian Automation Conference, RusAutoCon 2022, p. 750 - 754 (2022). https:\/\/doi.org\/10.1109\/RusAutoCon54946.2022.9896250","DOI":"10.1109\/RusAutoCon54946.2022.9896250"},{"key":"990_CR3","doi-asserted-by":"publisher","unstructured":"Casey, T.: Threat Agent Library helps identify information security risks. Intel White Paper (2007). https:\/\/doi.org\/10.13140\/RG.2.2.30094.46406","DOI":"10.13140\/RG.2.2.30094.46406"},{"key":"990_CR4","doi-asserted-by":"publisher","unstructured":"Denzler, P., Hollerer, S., Fr\u00fchwirth, T., Kastner, W.: Identification of security threats, safety hazards, and interdependencies in industrial edge computing. In: 2021 IEEE\/ACM Symposium on Edge Computing (SEC), pp. 397\u2013402 (2021). https:\/\/doi.org\/10.1145\/3453142.3493508","DOI":"10.1145\/3453142.3493508"},{"key":"990_CR5","doi-asserted-by":"publisher","first-page":"85315","DOI":"10.1109\/ACCESS.2023.3303205","volume":"11","author":"F Djebbar","year":"2023","unstructured":"Djebbar, F., Nordstrom, K.: A comparative analysis of industrial cybersecurity standards. IEEE Access 11, 85315\u201385332 (2023). https:\/\/doi.org\/10.1109\/ACCESS.2023.3303205","journal-title":"IEEE Access"},{"issue":"3","key":"990_CR6","doi-asserted-by":"publisher","first-page":"1655","DOI":"10.1109\/TDSC.2020.3033150","volume":"19","author":"M Eckhart","year":"2022","unstructured":"Eckhart, M., Ekelhart, A., Weippl, E.: Automated security risk identification using automation ml-based engineering data. IEEE Trans. Depend. Sec. Comput. 19(3), 1655\u20131672 (2022). https:\/\/doi.org\/10.1109\/TDSC.2020.3033150","journal-title":"IEEE Trans. Depend. Sec. Comput."},{"key":"990_CR7","doi-asserted-by":"publisher","unstructured":"Ehrlich, M., Broring, A., Diedrich, C., Jasperneite, J., Kastner, W., Trsek, H.: Determining the target security level for automated security risk assessments. In: IEEE International Conference on Industrial Informatics (INDIN), vol. 2023-July (2023). https:\/\/doi.org\/10.1109\/INDIN51400.2023.10217902","DOI":"10.1109\/INDIN51400.2023.10217902"},{"issue":"6","key":"990_CR8","doi-asserted-by":"publisher","first-page":"453","DOI":"10.1515\/auto-2022-0098","volume":"71","author":"M Ehrlich","year":"2023","unstructured":"Ehrlich, M., Br\u00f6ring, A., Diedrich, C., Jasperneite, J.: Towards automated risk assessments for modular manufacturing systems process analysis and information model proposal. At-Automatisierungstechnik 71(6), 453\u2013466 (2023). https:\/\/doi.org\/10.1515\/auto-2022-0098","journal-title":"At-Automatisierungstechnik"},{"key":"990_CR9","unstructured":"European Committee for Electrotechnical Standardization (CENELEC): CENELEC CLC\/TS 50701, railway applications - cybersecurity (2021)"},{"key":"990_CR10","unstructured":"Geddes, A., Hatch, D.: Chase - visualising cyber security vulnerabilities and risk. In: Institution of Chemical Engineers Symposium Series, vol. 166 (2019)"},{"key":"990_CR11","doi-asserted-by":"publisher","first-page":"33","DOI":"10.1016\/j.procs.2021.07.008","volume":"191","author":"HL Hassani","year":"2021","unstructured":"Hassani, H.L., Bahnasse, A., Martin, E., Roland, C., Bouattane, O., Mehdi Diouri, M.E.: Vulnerability and security risk assessment in a iiot environment in compliance with standard iec 62443. Proc. Comput. Sci. 191, 33\u201340 (2021). https:\/\/doi.org\/10.1016\/j.procs.2021.07.008","journal-title":"Proc. Comput. Sci."},{"key":"990_CR12","doi-asserted-by":"publisher","DOI":"10.3390\/en16031452","author":"JB Heluany","year":"2023","unstructured":"Heluany, J.B., Galv\u00e3o, R.: Iec 62443 standard for hydro power plants. Energies (2023). https:\/\/doi.org\/10.3390\/en16031452","journal-title":"Energies"},{"key":"990_CR13","doi-asserted-by":"publisher","unstructured":"Hollerer, S., Sauter, T., Kastner, W.: Risk assessments considering safety, security, and their interdependencies in ot environments. In: ACM International Conference Proceeding Series (2022). https:\/\/doi.org\/10.1145\/3538969.3543814","DOI":"10.1145\/3538969.3543814"},{"key":"990_CR14","volume-title":"The Security Development Lifecycle","author":"M Howard","year":"2006","unstructured":"Howard, M., Lipner, S.: The Security Development Lifecycle. Microsoft Press, USA (2006)"},{"key":"990_CR15","doi-asserted-by":"publisher","first-page":"409","DOI":"10.3303\/CET2290069","volume":"90","author":"M Iaiani","year":"2022","unstructured":"Iaiani, M., Tugnoli, A., Cozzani, V.: Risk identification for cyber-attacks to the control system in chemical and process plants. Chem. Eng. Trans. 90, 409\u2013414 (2022). https:\/\/doi.org\/10.3303\/CET2290069","journal-title":"Chem. Eng. Trans."},{"key":"990_CR16","doi-asserted-by":"publisher","first-page":"69","DOI":"10.1016\/j.psep.2023.01.078","volume":"172","author":"M Iaiani","year":"2023","unstructured":"Iaiani, M., Tugnoli, A., Cozzani, V.: Identification of cyber-risks for the control and safety instrumented systems: a synergic framework for the process industry. Process Saf. Environ. Prot. 172, 69\u201382 (2023). https:\/\/doi.org\/10.1016\/j.psep.2023.01.078","journal-title":"Process Saf. Environ. Prot."},{"key":"990_CR17","unstructured":"International Standards on Auditing (ISA), International Electrotechnical Commission (IEC): ISA\/IEC 62443, security for industrial automation and control systems (2020)"},{"key":"990_CR18","doi-asserted-by":"crossref","first-page":"19","DOI":"10.1007\/978-3-030-64330-0_2","volume-title":"Computer Security","author":"G Kavallieratos","year":"2020","unstructured":"Kavallieratos, G., Katsikas, S.: Attack path analysis for cyber physical systems. In: Katsikas, S., Cuppens, F., Cuppens, N., Lambrinoudakis, C., Kalloniatis, C., Mylopoulos, J., Ant\u00f3n, A., Gritzalis, S., Meng, W., Furnell, S. (eds.) Computer Security, pp. 19\u201333. Springer International Publishing, Cham (2020)"},{"key":"990_CR19","doi-asserted-by":"publisher","DOI":"10.3390\/s21051691","author":"G Kavallieratos","year":"2021","unstructured":"Kavallieratos, G., Spathoulas, G., Katsikas, S.: Cyber risk propagation and optimal selection of cybersecurity controls for complex cyberphysical systems. Sensors (2021). https:\/\/doi.org\/10.3390\/s21051691","journal-title":"Sensors"},{"key":"990_CR20","doi-asserted-by":"publisher","unstructured":"Kern, M., Taspolatoglu, E., Scheytt, F., Glock, T., Liu, B., Betancourt, V.P., Becker, J., Sax, E.: An architecture-based modeling approach using data flows for zone concepts in industry 4.0. In: ISSE 2020 - 6th IEEE International Symposium on Systems Engineering, Proceedings (2020). https:\/\/doi.org\/10.1109\/ISSE49799.2020.9272013","DOI":"10.1109\/ISSE49799.2020.9272013"},{"key":"990_CR21","doi-asserted-by":"crossref","first-page":"235","DOI":"10.1007\/978-3-031-16815-4_14","volume-title":"Applied Cryptography Network Security Workshops","author":"A Khan","year":"2022","unstructured":"Khan, A., Bryans, J., Sabaliauskaite, G.: Framework for calculating residual cybersecurity risk of threats to road vehicles in alignment with iso\/sae 21434. In: Zhou, J., Adepu, S., Alcaraz, C., Batina, L., Casalicchio, E., Chattopadhyay, S., Jin, C., Lin, J., Losiouk, E., Majumdar, S., Meng, W., Picek, S., Shao, J., Su, C., Wang, C., Zhauniarovich, Y., Zonouz, S. (eds.) Applied Cryptography Network Security Workshops, pp. 235\u2013247. Springer International Publishing, Cham (2022)"},{"key":"990_CR22","doi-asserted-by":"publisher","unstructured":"Matta, G., Chlup, S., Shaaban, A.M., Schmittner, C., Pinzen\u00f6hler, A., Szalai, E., Tauber, M.: Risk management and standard compliance for cyber-physical systems of systems. Infocommun. J. 13(2), 32\u201339 (2021). https:\/\/doi.org\/10.36244\/ICJ.2021.2.5","DOI":"10.36244\/ICJ.2021.2.5"},{"key":"990_CR23","doi-asserted-by":"publisher","unstructured":"Schiavone, E., Nostro, N., Brancati, F.: A mde tool for security risk assessment of enterprises. In: Anais Estendidos do X Latin-American Symposium on Dependable Computing, pp. 5\u20137. SBC, Porto Alegre, RS, Brasil (2021). https:\/\/doi.org\/10.5753\/ladc.2021.18530","DOI":"10.5753\/ladc.2021.18530"},{"issue":"2","key":"990_CR24","doi-asserted-by":"publisher","first-page":"25","DOI":"10.1109\/MC.2006.58","volume":"39","author":"D Schmidt","year":"2006","unstructured":"Schmidt, D.: Guest editor\u2019s introduction: model-driven engineering. Computer 39(2), 25\u201331 (2006). https:\/\/doi.org\/10.1109\/MC.2006.58","journal-title":"Computer"},{"key":"990_CR25","doi-asserted-by":"publisher","unstructured":"Teglasy, B.Z., Katsikas, S., Lundteigen, M.A.: Standardized cyber security risk assessment for unmanned offshore facilities. In: Proceedings - 3rd International Workshop on Engineering and Cybersecurity of Critical Systems, EnCyCriS 2022, p. 33 - 40 (2022). https:\/\/doi.org\/10.1145\/3524489.3527302","DOI":"10.1145\/3524489.3527302"},{"key":"990_CR26","doi-asserted-by":"publisher","unstructured":"Wang, J.H., Huang, C.Y., Chou, H.Y., Wang, C.Y., Kuo, H.J., Ting, V.: Security service architecture design based on iec 62443 standard. In: 2023 IEEE 3rd International Conference on Electronic Communications, Internet of Things and Big Data, ICEIB 2023, p. 483 - 486 (2023). https:\/\/doi.org\/10.1109\/ICEIB57887.2023.10169989","DOI":"10.1109\/ICEIB57887.2023.10169989"},{"issue":"2","key":"990_CR27","doi-asserted-by":"publisher","first-page":"141","DOI":"10.1016\/0166-3615(94)90017-5","volume":"24","author":"TJ Williams","year":"1994","unstructured":"Williams, T.J.: The purdue enterprise reference architecture. Comput. Ind. 24(2), 141\u2013158 (1994). https:\/\/doi.org\/10.1016\/0166-3615(94)90017-5","journal-title":"Comput. Ind."}],"container-title":["International Journal of Information Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10207-025-00990-9.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s10207-025-00990-9\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10207-025-00990-9.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,3,30]],"date-time":"2025-03-30T08:00:32Z","timestamp":1743321632000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s10207-025-00990-9"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,2,14]]},"references-count":27,"journal-issue":{"issue":"2","published-print":{"date-parts":[[2025,4]]}},"alternative-id":["990"],"URL":"https:\/\/doi.org\/10.1007\/s10207-025-00990-9","relation":{},"ISSN":["1615-5262","1615-5270"],"issn-type":[{"value":"1615-5262","type":"print"},{"value":"1615-5270","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,2,14]]},"assertion":[{"value":"14 February 2025","order":1,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"The authors declare they have no financial interests.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Conflict of interest"}}],"article-number":"76"}}