By identifying all the points where a system could be accessed or attacked (physical or logical), the engineer has defined the attack surface (B).
A vulnerability scan (A) is an automated tool-based assessment.
A risk analysis (C) evaluates the likelihood and impact of threats.
A threat model (D) outlines potential threat actors and attack paths but not specifically all input points.
Understanding the attack surface is critical to designing effective ICS security controls, as emphasized in GICSP.
Reference: GICSP Official Study Guide, Domain: ICS Risk Management; GICSP Training on Threat Modeling and Vulnerability Assessment; NIST SP 800-30 (Risk Assessment Guide)