A newly developed method for assessing the impact of Operational Technology (OT) cybersecurity incidents could lead to more precise evaluations and responses to such events, while also highlighting associated risks and business implications.
Today, the Operational Technology Incident (OTI) Impact Score will be introduced at the ICS/OT industry's S4x26 Conference in Miami. This score aims to provide swift clarity on the true effects of OT cyber incidents, which are often either exaggerated or downplayed, according to Dale Peterson, co-creator of the OTI model and head of the ICS/OT consulting and research firm Digital Bond.
The OTI model draws inspiration from the Richter Scale, which measures earthquake intensity and impact. It is intended for a diverse audience, including OT business executives, government officials, cyber insurers, the media, and the general public, as noted by Peterson, who is also the founder and program chair of S4.
"The challenge is that politicians, business owners, the media, and the public do not fully grasp the impact of an OT attack," Peterson explains. "They either believe it is far more severe than it actually is, or conversely, a significant event may receive little attention."
A standardized method for rating an OT cyber incident will help ensure that the appropriate resources and responses, such as ICS and physical response teams, are employed during an attack. This also includes investigations for cyber-insurance claims, according to the OTI organizers.
Hollie Hennessy, a principal analyst at Omdia, believes the OTI score will be beneficial for decision-makers in OT. She cites Omdia data indicating that approximately 45% of decision-makers responsible for OT security work solely in OT roles. The remaining individuals are from IT, infrastructure, network engineering, application engineering, and technology management within industrial organizations.
While serious OT cyberattacks are still relatively uncommon, Hennessy mentions that Omdia research has revealed that over the past year, 30% to 40% of organizations have experienced a cyber incident related to OT or IoT systems.
OTI Impact Score Formula for Cybersecurity Incidents
The idea for a cyber-incident scoring mechanism was first proposed during last year's S4 Conference by Munish Walther-Puri, principal and head of critical infrastructure at TPO Group, and a member of the faculty at IANS Research. Over the past few months, Walther-Puri and Peterson collaborated to develop the scoring system, which evaluates incidents based on three criteria: severity (ranging from minor disruption to catastrophic destruction), reach (geographic spread), and duration (length of time) of the incident.
The OTI score defines an "OT cybersecurity incident" as any situation where the OT system cannot operate normally, regardless of whether the attack directly affected the industrial network. This distinction is crucial because most cyber incidents do not reach the OT network directly; rather, they involve the organization's IT network, which in turn disrupts operations. For instance, if a manufacturer's inventory system on its IT network is compromised by ransomware, causing it to go offline, it can lead to significant repercussions for production and distribution.
Volunteers from the ICS/OT industry will evaluate OT cyber events through an online scoring portal, aiming to provide assessments within a maximum of 12 hours. Each of the three areas severity, reach, and duration will be scored independently. The scores will be multiplied together and divided by 100 to produce the final OTI Impact Score.
Experts believe the OTI will shift discussions toward the business impact of OT incidents, a critical aspect often overlooked in event reporting. When an industrial organization faces a cyberattack, there is frequently confusion regarding whether it should be categorized as a pure OT incident, especially when the attack does not directly reach the OT network. Sarah Fluchs, chief technology officer (CTO) of the OT cybersecurity consultancy Admeritia, emphasizes that the focus should be on the overall impact on the company, its business, or the population, rather than the specific classification of the incident.
"Ultimately, it doesn't matter if the incident targeted OT or not," Fluchs states. "What truly matters is its impact on the company and the broader implications for business and society." She notes that there are instances where an OT incident receives negative attention despite being effectively contained by operators.
Colonial Pipeline Cyberattack Scores High
To demonstrate the application of the OTI Impact Score, the creators calculated scores for the notorious 2021 Colonial Pipeline cyberattack. This ransomware attack on the company's IT network forced a halt in pipeline operations, resulting in a state of emergency in the US East Coast due to fuel shortages.
The Colonial Pipeline incident received an OTI Impact Score of 3.9, indicating a "high impact." The attack scored an 8 for severity due to significant disruptions in gasoline delivery and jet fuel supply shortages. It received a 7 for reach, affecting about a third of the U.S. population, and a 7 for duration, as the company experienced six days of downtime and took nine days to fully restore operations.
In contrast, a cyberattack on a water utility in Muleshoe, Texas, in 2024, which resulted in a single water tank overflowing for 30 to 45 minutes, received a 0.0 score from OTI organizers. The severity score was 1 since potable water was still safely delivered, the reach score was 1 as only one water system was affected in a town of 5,000 residents, and the duration score was also 1 due to the quick response from operators who manually controlled the system after the overflow was detected.
It remains uncertain whether the OTI Score will officially become the standard for assessing the impact of OT cybersecurity incidents. Organizers are hopeful for support from OT industry organizations and possibly government entities like the US Cybersecurity and Infrastructure Security Agency (CISA).
According to Hennessy from Omdia, regulatory and standards bodies may have an incentive to adopt this scoring system, as it could facilitate industry involvement. Establishing such a standard could create a clearer understanding across various regions, reducing confusion and complexity in guidance and mandates.
However, questions linger regarding how the OTI Impact Score would function during real-world incidents. Fluchs highlights the uncertainty about measuring the repercussions of a cyber incident, such as its effect on the reputation of the affected organization. She asks, "When does a cyber incident conclude? How long do we continue to measure its impact?"
