**3.2 Assessment of cyber risk by a single CI operator**

The basis for the protection of CI lies in a strong RA at the operator level. For RA at the company level, including CI and CII operators, many methods and standards exist. Most of these methods are in line with the ISO 31000 series of RM standards [26]. For the IT environment, ISO/IEC 27005 [27] provides the RM and risk mitigation background as part of the ISO/IEC 27000 series, which assists organizations in implementing information security management based on a set of terms and definitions [28] and security controls [29, 30]. For the OT environment, security control frameworks with similar security control sets exist, e.g. [31, 32]. Although these security control frameworks are often sector specific, they can be mapped onto common structures or frameworks, see e.g. ENISA and NIST [25, 33].

One of the important factors to cover in a RA of CI/CII is the risk of ICT/OT as a vulnerability that may cause disruptions of CI/CII. This may involve the risk of technical failure or human mistakes, but also the cyber risk of malicious attacks. Given the criticality for states, even hybrid conflicts affecting CIs and CIIs are envisioned, see e.g. [34, 35]. An early example is the Crimea conflict. On December 23, 2015, Ukrainian power companies experienced unscheduled power outages impacting many customers in Ukraine. In addition, there have also been reports of malware found in Ukrainian companies across a variety of their CI sectors [36].

Section 4 below specifically focusses on the cyber risk factors related to OT.
