OT Cybersecurity Is Public Safety: Why Risk Assessments Need to Go Beyond Dollars

RISK ASSESSMENT

When a risk assessment for an industrial plant only counts downtime, lost production and recovery cost, it is missing the largest number on the page. OT incidents can hurt people, and the way we quantify risk needs to reflect that.


OT incidents can hurt people. They can contaminate water. They can release toxic gases. They can derail trains. They can shut off power to a hospital in the middle of a cardiac surgery. The monetary loss is real, but it is not the metric that justifies the investment, and it is certainly not the metric the public, the regulator, or the judge will measure you by afterwards.

Three categories of consequence, not one

Mature OT risk assessments distinguish at least three categories of consequence:

  1. Financial. Lost production, recovery cost, regulatory fines, ransom paid, legal fees.
  2. Environmental. Spills, emissions, contamination of groundwater or air, remediation liability.
  3. Safety. Injury or loss of life, whether to workers, contractors, or members of the public.

These categories do not substitute for each other. A $2M incident that hurts nobody is not equivalent to a $100K incident that injures a worker. Any scoring rubric that silently converts them to a single dollar value is hiding a value judgement you probably do not want to make.

The IEC 62443-3-2 approach

IEC 62443-3-2 requires that a security risk assessment for an IACS (Industrial Automation and Control System) consider HSE (Health, Safety, Environmental) consequences alongside financial ones. The standard works with a consequence-likelihood matrix, and it leaves room for separate consequence scales per category; in practice, most implementations define financial, environmental, and safety impact on separate scales so that one category cannot quietly absorb another.

In practice, this means your risk register should have columns like:

Scenario                                        | Financial Impact | Environmental Impact | Safety Impact | Combined Risk
------------------------------------------------|------------------|----------------------|---------------|--------------
Compromise of SIS logic solver                  | High             | Very High            | Catastrophic  | Critical
Ransomware on business historian                | Medium           | Negligible           | Negligible    | Medium
Vendor remote access abuse on chemical dosing   | High             | High                 | High          | High

A scenario that scores "Catastrophic" on safety cannot be downgraded by scoring "Low" on financial. The worst consequence across the three categories sets the consequence axis of the risk; likelihood still applies in the matrix, but no amount of low financial impact averages a catastrophic safety impact down. That is the point.

Why this matters for the public sector

Water utilities, power grids, rail networks, healthcare facilities, and ports are the OT environments where cybersecurity is public safety. A compromised chlorine dosing pump is not a finance problem. A compromised signalling system is not a ticket-refund problem.

Regulators in the EU (NIS2), the UK (NIS Regulations), the US (CISA's Cross-Sector Cybersecurity Performance Goals, which are voluntary but set the reference baseline), and India (CERT-In critical infrastructure guidelines) have all moved toward requiring, or strongly recommending, safety-weighted risk assessments for critical sectors. If your OT risk register still speaks only in dollars, you are behind the compliance curve in most jurisdictions.

What to do before your next assessment

Three practical moves:

  1. Add two columns. Environmental and safety, using the same ordinal scale as financial (Negligible through Catastrophic) but with category-specific definitions for each level. Even if your impact rubric is rough at first, the act of filling those columns reshapes the conversation.
  2. Bring in a safety engineer. If your HAZOP study and your cyber risk assessment have never met, introduce them. A good OT risk assessment borrows vocabulary from HAZOP: deviation, cause, consequence, likelihood, safeguards.
  3. Rank your scenarios by the worst column, not the average. Your #1 risk is whatever has the worst safety score, not whatever has the highest combined number.
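As an added example (not code from the original article, and not RelyBlue's tooling), here is the scoring rule from the register table and from move 3 expressed in Python. It takes the three rows from the table above plus one constructed row, a loss of view at an unmanned remote pumping station with low financial but catastrophic safety impact, and ranks the register two ways: by the worst column (the rule the article argues for) and by the average of the columns (the anti-pattern). The level names, the mapping from worst consequence to the "Combined Risk" label, and the fourth scenario are assumptions made for the example.

```python
"""Three-axis consequence scoring for an OT risk register.

Added example, not the article's or RelyBlue's code. Implements the rule that the
worst consequence category sets the combined rating; categories are never averaged
or silently converted into a single dollar figure.
"""
from dataclasses import dataclass

# One ordinal scale reused for all three categories. The level *definitions* differ
# per category (what "High" means in dollars vs. in injuries), but the rank is what
# the scoring compares. Assumed scale for this example.
LEVELS = ["Negligible", "Low", "Medium", "High", "Very High", "Catastrophic"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# Assumed mapping from the worst consequence level to the register's combined-risk
# label. It reproduces the three rows in the article; "Very High" -> "High" is our choice.
COMBINED_LABEL = {
    "Negligible": "Low", "Low": "Low", "Medium": "Medium",
    "High": "High", "Very High": "High", "Catastrophic": "Critical",
}


@dataclass(frozen=True)
class Scenario:
    name: str
    financial: str
    environmental: str
    safety: str

    def __post_init__(self) -> None:
        # Reject a level that is not on the scale instead of scoring it as garbage.
        for category, level in self.consequences().items():
            if level not in RANK:
                raise ValueError(f"{self.name}: unknown {category} level {level!r}")

    def consequences(self) -> dict[str, str]:
        return {"financial": self.financial,
                "environmental": self.environmental,
                "safety": self.safety}


def worst_consequence(s: Scenario) -> str:
    """Worst column wins: the highest-ranked level across the three categories."""
    return max(s.consequences().values(), key=RANK.__getitem__)


def averaged_consequence(s: Scenario) -> float:
    """The anti-pattern: averaging ordinal ranks lets low financial impact
    discount a catastrophic safety impact."""
    ranks = [RANK[v] for v in s.consequences().values()]
    return sum(ranks) / len(ranks)


def combined_risk(s: Scenario) -> str:
    """Combined-risk label driven solely by the worst category."""
    return COMBINED_LABEL[worst_consequence(s)]


def rank_register(scenarios: list[Scenario]) -> list[Scenario]:
    """Order by the worst column, then by safety, environmental and financial in
    that order, so a Catastrophic safety score always outranks a Catastrophic
    financial score even when the worst-column rank ties."""
    return sorted(
        scenarios,
        key=lambda s: (RANK[worst_consequence(s)], RANK[s.safety],
                       RANK[s.environmental], RANK[s.financial]),
        reverse=True,
    )


def rank_by_average(scenarios: list[Scenario]) -> list[Scenario]:
    """Same register ranked the wrong way, for comparison."""
    return sorted(scenarios, key=averaged_consequence, reverse=True)


# The three rows from the article's table, plus one constructed row.
REGISTER = [
    Scenario("Compromise of SIS logic solver", "High", "Very High", "Catastrophic"),
    Scenario("Ransomware on business historian", "Medium", "Negligible", "Negligible"),
    Scenario("Vendor remote access abuse on chemical dosing", "High", "High", "High"),
    # Constructed scenario: cheap to recover from, but an operator is blind to a
    # process that can hurt people. Averaging ranks it below the vendor-access row.
    Scenario("Loss of view at unmanned remote pumping station", "Low", "Negligible", "Catastrophic"),
]

if __name__ == "__main__":
    print(f"{'Scenario':50} {'Worst':13} {'Avg':>4}  Combined")
    for s in rank_register(REGISTER):
        print(f"{s.name:50} {worst_consequence(s):13} {averaged_consequence(s):4.1f}  {combined_risk(s)}")
    print("\nRanked by average (the anti-pattern):")
    for s in rank_by_average(REGISTER):
        print(f"  {s.name}")
```

Run it and compare the two orderings: under the worst-column rule the remote pumping station sits with the SIS compromise at "Critical", while averaging drops it beneath the vendor remote-access scenario because two of its three columns are low. That drop is the hidden value judgement the article warns about.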

The hard part is political, not technical

Once safety is in the risk register, suddenly every unpatched vulnerability with a plausible path to the safety instrumented system is a board-level issue. That is exactly what it should be, but it is also uncomfortable. Expect pushback: “We can’t put that on paper.” Put it on paper. The paper already exists in someone else’s email; you just have not found it yet.

RelyBlue’s OT risk assessments use a three-axis consequence model aligned to IEC 62443-3-2. If you want an assessment that a safety engineer and a CFO will both recognise as credible, let’s talk.

- Mr. Shamikkumar Dave | 2025-11-15