Industrial Control Systems (ICS) are being modernized to increase efficiency, reliability, and controllability. Despite the numerous benefits of interconnecting ICS components, the wide adoption of Information Technologies (IT) has introduced new security challenges and vulnerabilities to industrial processes, previously obscured by the systems' custom designs. To secure the backbone of critical infrastructure, selecting the proper environment for performing cyber-security assessments is crucial. In this paper, we present a layered analysis of vulnerabilities and threats in ICS components that identifies the need for including real hardware components in the assessment environment. Moreover, we argue for the suitability of Hardware-In-The-Loop testbeds for ICS cyber-security assessment and present their advantages over other assessment environments.