Operationalizing IEC 62443: A Hybrid, Model-Driven Risk Assessment Methodology for Secure Industrial Automation Systems

Dr. Charles Sarfo, Faculty of Engineering, Kwame Nkrumah University of Science and Technology, Kumasi, Ghana
Prof. Ivan Kuznetsov, Department of Computer Science and Engineering, Bauman Moscow State Technical University, Moscow, Russia

Abstract

Background: The convergence of Information Technology (IT) and Operational Technology (OT) in Industrial Automation and Control Systems (IACS) has expanded the cyber-attack surface, creating critical risks where security failures can propagate into physical safety hazards. Traditional, static risk assessment methods are inadequate for these complex, converged environments, and the application of standards like IEC 62443 remains a significant challenge.
Objective: This paper designs and validates a novel, hybrid cybersecurity risk assessment (CRA) methodology that integrates Model-Driven Engineering (MDE), explicit safety-security interdependency analysis, and dynamic attack path modeling. The objective is to provide a systematic, semi-automated framework to operationalize the IEC 62443 standard within a "Safety-Security by Design" paradigm.
Methods: We propose a four-phase methodology: (1) automated system modeling and asset identification using MDE principles; (2) integrated threat analysis mapping cyber-threats to physical safety hazards; (3) dynamic risk modeling using attack path analysis to identify critical vulnerability chains; and (4) risk evaluation and mitigation alignment with IEC 62443 Security Levels (SLs). The methodology was validated using a case study of a modular manufacturing testbed.
Results: The application of the methodology successfully identified critical attack paths exploiting IT-OT boundaries that were missed by traditional static analyses. The MDE approach automated the discovery of safety-critical assets, and the interdependency analysis (Phase 2) explicitly linked specific cyber-vulnerabilities to high-priority safety hazards.
Conclusion: The proposed hybrid methodology offers a more robust, dynamic, and integrated approach to IACS cybersecurity. By embedding risk assessment within a model-driven framework, it enables the systematic identification of safety-critical risks and provides a clear roadmap for implementing IEC 62443 controls.
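
To illustrate Phases 2 to 4 as summarized above, the following added example (not the authors' tooling or model) enumerates attack paths from an IT entry point to hazard-linked assets and reports, per path, the zones whose achieved Security Level (SL-A) falls short of the target (SL-T). All assets, zones, likelihoods and SL values are constructed, and scoring a path as the product of its step likelihoods is an assumption, since the abstract does not state a scoring rule.

```python
# Constructed model: no asset, zone or number below comes from the paper.
ZONES = {  # zone -> (domain, SL-T target, SL-A achieved); IEC 62443 levels 0-4
    "enterprise": ("IT", 2, 2),
    "dmz":        ("IT", 3, 2),
    "control":    ("OT", 3, 1),
    "safety":     ("OT", 4, 3),
}
ASSETS = {  # asset -> (zone, linked safety hazard or None)  [Phase 2 mapping]
    "mail_gw":   ("enterprise", None),
    "eng_ws":    ("enterprise", None),
    "historian": ("dmz", None),
    "hmi":       ("control", None),
    "plc":       ("control", "conveyor overspeed"),
    "sis":       ("safety", "emergency stop disabled"),
}
EDGES = {  # src -> {dst: assumed likelihood that this step succeeds}
    "mail_gw":   {"eng_ws": 0.6},
    "eng_ws":    {"historian": 0.5, "plc": 0.2},
    "historian": {"hmi": 0.4},
    "hmi":       {"plc": 0.7},
    "plc":       {"sis": 0.1},
}

def assess(path, p):
    """Phase 4: describe one path and the SL-T minus SL-A gap of each zone it touches."""
    zones = list(dict.fromkeys(ASSETS[a][0] for a in path))  # ordered, de-duplicated
    domains = {ZONES[z][0] for z in zones}
    gaps = {z: ZONES[z][1] - ZONES[z][2] for z in zones if ZONES[z][1] > ZONES[z][2]}
    return {"path": path, "hazard": ASSETS[path[-1]][1], "likelihood": round(p, 4),
            "crosses_it_ot": domains == {"IT", "OT"}, "sl_gaps": gaps}

def attack_paths(entry):
    """Phase 3: depth-first enumeration of simple paths ending at a hazard-linked asset."""
    results, stack = [], [([entry], 1.0)]
    while stack:
        path, p = stack.pop()
        node = path[-1]
        if ASSETS[node][1] and len(path) > 1:
            results.append(assess(path, p))
        for nxt, step in EDGES.get(node, {}).items():
            if nxt not in path:  # simple paths only, so cycles cannot loop forever
                stack.append((path + [nxt], p * step))
    return sorted(results, key=lambda r: -r["likelihood"])

if __name__ == "__main__":
    for r in attack_paths("mail_gw"):
        print(r)
```

In this constructed model the highest-ranked path skips the DMZ entirely (engineering workstation straight to the PLC), which is the kind of IT-OT boundary chain a per-asset static review would not surface.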

How to Cite

Dr. Charles Sarfo, & Prof. Ivan Kuznetsov. (2025). Operationalizing IEC 62443: A Hybrid, Model-Driven Risk Assessment Methodology for Secure Industrial Automation Systems. International Journal of Computer Science & Information System, 10(11), 14–39. Retrieved from https://scientiamreearch.org/index.php/ijcsis/article/view/179