ABSTRACT

In the previous chapters, we reviewed the threats and vulnerabilities that ICS face. In this chapter, we will turn our attention toward the issue of what to do with this information. Understanding vulnerabilities is helpful but does not provide guidance about which vulnerabilities are more important than others. Understanding threats facing ICS is also important (critically so) because it allows practitioners to narrow down the range of vulnerabilities that must be managed. Combining our understanding of vulnerabilities and threats and applying specific knowledge about the potential severity of impacts results in a process of risk assessment.