An OT Incident Scoring System Inspired by Natural Disasters

Critical Infrastructure Security,
Governance & Risk Management,
Operational Technology (OT)

System Meant to Dispel FUD Faces Uphill Climb to Widespread Adoption

Cyber incidents that hit operational technology (OT) may soon be graded the way natural disasters are, under a new initiative that aims to quantify how severe such incidents really are. Just as hurricanes and earthquakes are rated by their intensity, OT incidents are moving toward a numerical rating known as the “OT Incident Impact Score.” Despite its potential, however, the initiative is struggling to win acceptance across the different sectors of critical infrastructure.

Proponents of the scoring system argue that it is designed to mitigate the fear, uncertainty, and doubt often associated with cyberattacks that target OT systems. The complexity and specialized nature of these systems frequently lead to misunderstandings about the actual severity of incidents. Such misconceptions can lead to misallocation of resources, diverting attention from real threats where it is most needed. Munish Walther-Puri, who heads the critical infrastructure sector at TPO Group and is an educator at IANS Research, emphasizes the urgent need for improved communication regarding the severity of OT cyber incidents to non-technical audiences. He was inspired by the earthquake Richter scale to create this impact score, which incorporates peer review and adapts methodologies used for gauging the impact of wildfires and hurricanes.

Critically, the lack of accurate assessments surrounding OT attacks can have significant ramifications. Dale Peterson, a seasoned consultant and influential figure in the OT security community, reinforced this point during a conversation with Information Security Media Group (ISMG). He highlighted that misjudgment can lead to an unwarranted rush to publicize events of minor consequence while downplaying more serious incidents. Recently, Peterson assisted in bringing Walther-Puri’s vision closer to reality by launching a proof-of-concept website where OT security professionals can evaluate notable historical OT attacks based on severity, reach, and duration, with scores aggregated to provide a comprehensive impact score.

Emphasizing usability, Peterson explained that the scoring methodology was crafted to be straightforward not only for professionals assessing the incidents but also for journalists, policymakers, and the general public. He opted for a more linear scoring scale over the logarithmic format seen in the Richter scale, ensuring broader accessibility for various audiences, including laypersons and public officials. This approach aims to foster understanding of the actual consequences of an attack, thereby enhancing public discourse and response to such incidents.

While many OT and Industrial Control Systems (ICS) security experts have recognized the pressing need for a transparent and immediate assessment mechanism, there remains an air of caution regarding the initiative. Kyle Miller, Vice President of Infrastructure Cybersecurity at Booz Allen Hamilton, expressed concerns about the availability of reliable information shortly after an incident occurs. In his view, organizations may be hesitant to disclose the full scope of an impact quickly, and early assessments may not accurately capture the full extent of duration or severity.

Relying on crowdsourced data for impact scoring adds another layer of complexity, because the approach depends heavily on community engagement. As Miller noted, the initiative must reach a significant level of adoption within the community before its scores can be considered trustworthy and effective. Despite these challenges, he acknowledged that the impact scoring methodology is a positive move toward focusing on the true effects of OT incidents and fostering collaborative improvement in threat assessment.

Looking beyond the immediate challenges, Peterson and his team aim to make the scoring system publicly available soon, aspiring to have initial scores accessible within 12 hours following an incident. The hope is that early contributors will reassess their scores as more detailed information surfaces over time. Peterson noted that last year saw a “couple of hundred” OT cyber incidents, suggesting that the need for accurate scoring is critical, not just for high-profile events but even for seemingly minor incidents that could mislead stakeholders about their importance.
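To make the workflow described above concrete (per-contributor scores on severity, reach and duration, aggregated on a linear scale, with early scores revised as details surface), here is an added illustration that is not code from the article or from the proof-of-concept site. The aggregation rule, the 0-10 range, the minimum-contributor threshold and the sample data are all assumptions made for this example; the article does not publish the real formula.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import median


@dataclass(frozen=True)
class Assessment:
    # Dimensions named in the article; the 0-10 linear range is an assumption.
    contributor: str
    submitted: datetime
    severity: int
    reach: int
    duration: int


def latest_per_contributor(assessments):
    # A revised score replaces the contributor's earlier guess instead of
    # being averaged with it.
    latest = {}
    for a in assessments:
        current = latest.get(a.contributor)
        if current is None or a.submitted > current.submitted:
            latest[a.contributor] = a
    return list(latest.values())


def impact_score(assessments, min_contributors=3):
    # Hypothetical aggregation: median of each dimension (robust to one
    # outlier), then the mean of the three medians, kept on the same 0-10
    # linear scale. The status flags scores backed by too few contributors.
    current = latest_per_contributor(assessments)
    if not current:
        return None, "unscored"
    dims = [median(a.severity for a in current),
            median(a.reach for a in current),
            median(a.duration for a in current)]
    score = round(sum(dims) / len(dims), 1)
    status = "scored" if len(current) >= min_contributors else "provisional"
    return score, status


# Constructed sample: three contributors; alice revises downward a day later
# once more detail about the incident surfaces.
SAMPLE = [
    Assessment("alice", datetime(2024, 5, 1, 9, 0), 8, 7, 6),
    Assessment("bob", datetime(2024, 5, 1, 11, 0), 6, 5, 4),
    Assessment("carol", datetime(2024, 5, 1, 14, 0), 4, 4, 2),
    Assessment("alice", datetime(2024, 5, 2, 9, 0), 5, 4, 3),
]
```

Running `impact_score(SAMPLE)` gives a lower score than the first three submissions alone, which is the re-assessment behaviour the initiative hopes contributors will follow.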

The classification of an OT security incident remains broad; for instance, an incident that indirectly affects operational technology through a compromise in an organization’s IT infrastructure would also fall under this scoring mechanism. Peterson framed this as an evolving process that will adapt with input from the community and ongoing experiences with the scoring system.

Aiming for further development, Peterson envisions a dedicated group of experts who can nominate significant incidents for inclusion on the scoring website. Dan Ricci, the founder of the ICS Advisory Project, which currently hosts the scoring system, highlighted the ambition for the program to evolve into a richer resource that accurately reflects the complexity of OT security incidents.

Some security experts are also advocating for the scoring system to broaden its scope to include assessments of “near misses,” situations that could have led to substantial consequences but were avoided. Sean Tufts, a field CTO at Claroty, provided the Volt Typhoon campaign as a pertinent example, highlighting that while its direct scores might indicate minimal impact, the effects on industry remediation were far-reaching, underscoring the need for a broader lens in evaluating OT incidents.

In conclusion, while the “OT Incident Impact Score” initiative is still nascent, its inception marks a pivotal move toward more rigorous and accessible assessments of cyber incidents impacting operational technology. By striving for inclusivity and contributing to a clearer understanding of these events, stakeholders hope to fortify the resilience of critical infrastructure against growing cyber threats.
