The threat of cyberattacks on the Industrial Control Systems (ICS) used in factories and plants is growing. The serious damage from cyberattacks, such as the shutdown of factories due to malware infection and large-scale blackout due to unauthorized operation of substations, disrupts businesses and causes a major impact on people's daily lives. Meanwhile, the risk assessment (overall process of risk identification, risk analysis and risk evaluation) has attracted attention as one of the methods for strengthening security risk management in ICS. In this presentation, we will introduce some examples of real ICS incidents. In addition, we will explain a security risk assessment approach focusing on avoiding critical business impacts.