An Exploratory Qualitative Comparison of Human Expert and AI-Based IEC 62443 Risk Assessments

Abstract

Industrial control systems (ICS) used in critical infrastructure require structured cybersecurity risk assessments, particularly during early design phases in which proposed system architectures must be secured before tendering or procurement. Standards such as IEC 62443 provide established methodologies for this purpose; however, these assessments are typically conducted by human experts and rely on qualitative judgment. Recent advances in large language models (LLMs) raise the question of whether such systems can support early-stage, standards-based ICS risk assessments. This work presents an exploratory qualitative comparison of initial risk assessment results generated by an LLM and by a human expert team using a common system model and a task set derived from IEC 62443-3-2. The results highlight qualitative differences in threat identification, risk prioritization, and architectural coherence. Overall, the findings suggest that LLM-based analysis may complement, but not replace, human expertise in early-stage, safety-critical ICS cybersecurity risk assessment.
