Citicus ICS is a special implementation of our award-winning web-based Citicus ONE software that is optimized for measuring and managing risks to industrial control systems (ICS). These include supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS) and other technologies used to automate industrial processes, eg using programmable logic controllers (PLC) and remote telemetry units (RTU). Industrial control systems are essentially IT systems and risks can be evaluated and managed using the same basic approaches used for other IT environments. However, these real-time systems have particular characteristics that need to be taken into account so that the risk management process is viable and optimized for the industrial control system environment.

Managing risk in ICS

Citicus ICS supports a complete risk management lifecycle that follows a four-phase Plan-Do-Check-Act process as illustrated below.

Citicus ICS implements a four-phase plan-do-check-act risk management process

Citicus ICS risk management process

The Citicus ICS risk scorecard that is central to this process probes five key factors that determine or indicate the level of risk to an industrial control system. This risk scorecard can be used out-of-the-box but is also highly configurable to support an organization’s specific requirements. The structure of the risk scorecard is shown in the table below:


Risk factor

What it covers


The potential impact of ICS incidents leading to a loss of availability of the process control capability, integrity of control data or confidentiality of information.

Availability disruption can be measured on a scale from milliseconds to days or longer, depending on the nature of the controlled process.

Status of controls

The status of controls measured against a library of industry best practice controls drawn from many sources such as CPNI Good Practice Guides to process control and SCADA security and NIST 800-82.

Organizations can use the Citicus-supplied control framework off-the-shelf or augment/replace it with their own set of controls.

Special circumstances

Particular characteristics of the ICS that can drive risk up, such as high degree of change, complexity, interconnection to other systems, accessibility by external parties.

Level of threat

An indicator of incident probability through metrics of past incidents such as malfunctions, human error, malicious action, disruption from environmental events.

Business impact

The actual business harm caused by previous ICS incidents, if any.

Harm is measured in an objective and consistent way and covers all types of business impact such as financial loss, reputational damage, environmental and safety impacts.



Completion of a Citicus ICS risk scorecard provides an assessment of the status of risk that can be displayed graphically as shown below.

Risk Charts








Citicus ICS risk charts show the status of each risk factor and the overall level of risk

Other reports that can be generated from Citicus ICS identifying different aspects of risk and compliance can be seen in the Example results section. The information presented in these results enable you to build risk treatment plans that can be costed, prioritized and assigned to individuals. These plans can be managed within Citicus ICS and used as an input into the next risk assessment cycle.

Download the Citicus ICS topic paper