AI-Driven Risk Assessment for Critical Infrastructure Based on IEC 62443 Using Large Language Models

Abstract

Industrial control systems (ICSs) in critical infrastructure require structured cybersecurity risk assessments to derive defensible security requirements for industrial automation systems. Recent advances in large language models (LLMs) raise the question of whether such systems can support early-phase, IEC 62443-3-2-aligned risk assessment work and, critically, how the generated assessment artifacts vary across models. This paper presents a qualitative AI-vs.-AI comparison of IEC 62443 risk assessment artifacts produced under controlled, single-pass conditions using a common system model and a standardized IEC 62443-3-2-based task set. We compare outputs along three axes: (i) model evolution within a single model family, (ii) cross-vendor comparison of frontier-class models, and (iii) a premium-tier model against the frontier baseline. The study evaluates assessment structure, architectural coherence, and internal consistency relative to IEC 62443 principles and across models, rather than against an external ground truth. Results reveal notable differences in threat scenario structuring, zone and conduit granularity, target security level (SL-T) assignment, and implicit operability assumptions. We discuss what these findings suggest for the use of LLMs as decision-support tools in early-stage ICS risk assessment.