An OT Incident Scoring System Inspired by Natural Disasters

System Meant to Dispel FUD Faces Uphill Climb to Widespread Adoption

In a landscape heavily influenced by natural disasters such as hurricanes and earthquakes, a new initiative seeks to introduce a quantifiable measure for operational technology (OT) cyber incidents. This “OT Incident Impact Score” aims to systematically evaluate the severity of cyber threats affecting critical infrastructure sectors. However, establishing this scoring system comes with notable challenges.

Proponents of the impact score argue that it is an essential tool for dismantling the fear, uncertainty, and doubt often associated with cyberattacks on OT systems—areas that tend to remain esoteric and are frequently mischaracterized. Munish Walther-Puri, head of critical infrastructure at TPO Group and a faculty member at IANS Research, advocates for better communication methods regarding OT incident severity aimed at non-technical audiences. He adapted his proposal from the renowned Richter scale, leveraging peer-reviewed data and existing metrics from evaluating disasters like wildfires and hurricanes.

Consultant and advocate for OT security, Dale Peterson, has expressed serious concerns about the existing misunderstandings surrounding OT attacks. He argues that misjudgments about the severity of these incidents lead to significant misallocation of resources and attention. This misrepresentation often results in stories highlighting minor incidents that gain disproportionate media attention, overshadowing more critical situations that deserve more focus.

To address these challenges, Peterson recently launched a proof-of-concept website dedicated to the impact score system, where OT security professionals can evaluate three historic OT incidents. Using a straightforward scoring method, participants rate each incident on a scale of one to ten across three axes: severity, reach, and duration. Once scores from various participants are averaged—excluding outliers—the overall impact score for each incident is generated.
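The aggregation described above can be sketched as follows; this is an added example, not code from Peterson's site. The article does not say how outliers are identified or how the three axes combine into one number, so the Tukey IQR rule, the unweighted mean of the axes, and all function names and sample ratings are assumptions.

```python
from statistics import mean, quantiles

AXES = ("severity", "reach", "duration")

def drop_outliers(values):
    """Drop values outside Tukey's fences (1.5 * IQR).
    Assumed rule: the article says outliers are excluded, not how."""
    if len(values) < 4:  # too few ratings to estimate quartiles
        return list(values)
    q1, _, q3 = quantiles(values, n=4, method="inclusive")
    margin = 1.5 * (q3 - q1)
    return [v for v in values if q1 - margin <= v <= q3 + margin]

def impact_score(ratings):
    """ratings: one dict per participant, each axis an integer from 1 to 10.
    Returns the per-axis averages and an overall score on the same linear scale."""
    if not ratings:
        raise ValueError("no ratings submitted")
    for rating in ratings:
        for axis in AXES:
            v = rating.get(axis)
            if isinstance(v, bool) or not isinstance(v, int) or not 1 <= v <= 10:
                raise ValueError(f"{axis} must be an integer from 1 to 10, got {v!r}")
    result = {}
    for axis in AXES:
        kept = drop_outliers([r[axis] for r in ratings])
        result[axis] = round(mean(kept), 2)
    # Assumption: the overall score is the unweighted mean of the three axes.
    result["overall"] = round(mean([result[a] for a in AXES]), 2)
    return result

# Constructed sample ratings (not real incident data). The last participant
# rates far above the others on every axis.
SAMPLE = [
    {"severity": 3, "reach": 2, "duration": 4},
    {"severity": 4, "reach": 2, "duration": 5},
    {"severity": 3, "reach": 3, "duration": 4},
    {"severity": 4, "reach": 2, "duration": 5},
    {"severity": 3, "reach": 3, "duration": 5},
    {"severity": 10, "reach": 9, "duration": 10},
]

if __name__ == "__main__":
    print(impact_score(SAMPLE))
```

With the constructed ratings, a plain mean would put severity at 4.5; excluding the single extreme rater brings it to 3.4, which is the effect the outlier exclusion is meant to have on a crowdsourced score.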

Peterson’s intention was to create a user-friendly platform that makes data gathering simple for professionals while ensuring that the published results are comprehensible to journalists, policymakers, and the general public. This drive for transparency is a cornerstone of the initiative, as emphasized by Peterson: “The scoring methodology is designed to be easily interpretable by anyone—from a concerned neighbor to elected officials.” Unlike the logarithmic nature of the Richter scale, this scoring employs a linear progression intended to highlight the impact of an attack in a more straightforward manner.

Despite the positive reception from numerous OT and ICS security experts, who recognize an urgent need for a robust incident assessment system, there remain significant concerns. Kam Chumley-Soltani, managing director for OT security at Armis, termed the initiative a “great first step” but warned about the need for continuous improvements and community engagement. He highlighted the need for dynamic adjustments as the community’s understanding of the scoring system evolves.

However, others, like Kyle Miller, the vice president of infrastructure cybersecurity at Booz Allen Hamilton, emphasized a caveat regarding the reliability of information immediately following incidents. “In the immediate aftermath of an event, reliable details can be hard to come by,” he noted. Miller pointed out that organizations recovering from an OT incident might not swiftly disclose the full extent of the impact, complicating the assessment process.

The crowdsourced nature of the initiative means that widespread community adoption will be crucial for its success. Miller remarked that achieving this level of involvement could be a daunting challenge but asserted that the scoring methodology marks meaningful progress in focusing on the true ramifications of OT incidents.

Peterson expressed aspirations that the scoring website will soon be available to the public, aiming for the first scores to be ready within 12 hours of an incident occurring. He acknowledges that last year, there were “a couple of hundred” OT-related cyber incidents and anticipates a similar frequency this year. He emphasized the importance of scoring not only major incidents but also minor events, asserting that these lesser-known occurrences are often mischaracterized in the media.

For the scoring criteria, Peterson categorized an OT incident as any event affecting operational technology, even indirectly. For example, if an organization’s factory becomes inoperative due to a ransomware attack on its IT system, that situation would qualify as an incident. He hastened to clarify that the current scoring system remains a work-in-progress, implying that adjustments and refinements will be integral to its development.

In his vision for the future, Peterson anticipates the emergence of a dedicated group of “super-users”—individuals with substantial expertise and commitment—who can play pivotal roles in nominating incidents for evaluation on the platform. Dan Ricci, founder of the ICS Advisory Project, underscored the potential of these super-users to influence the final scores, indicating a community-driven approach to the ranking process.

While many experts view the impact scoring system as a commendable initiative, others urge broader ambitions. Sean Tufts, field CTO for Claroty, articulated a desire for the scoring framework to evolve to include assessments of “near misses.” He highlighted the relevance of the so-called “Volt Typhoon” campaign as an example where the severity of the event might score low, yet the broader implications warranted serious consideration, illustrating the complexity of evaluating the impact of OT incidents.

As the initiative rolls out, it remains to be seen whether the proposed scoring system can effectively navigate the intricate landscape of OT incident assessment. Those involved share a common hope that it will not only improve understanding and communication regarding these cybersecurity events but also facilitate better management and response strategies across the critical infrastructure landscape.
