- What is the OT Risk Severity Calculator?
- Why This Calculator? The Problem with Existing Methods
- Comparison: CVSS vs 5x5 Matrix vs OT Risk Severity Calculator
- Key Features
- Understanding Technical Vulnerability vs AIC Impact
- How to Use the Calculator
- Methodology
- Scoring Dimensions
- Examples
- URL Parameters
- Export & Integration
- References
The OT Risk Severity Calculator is a comprehensive, context-aware risk assessment tool specifically designed for Operational Technology (OT) and Industrial Control System (ICS) environments. Unlike traditional IT-focused vulnerability scoring systems, this calculator accounts for the unique characteristics of OT environments including:
- 🚨 Safety and environmental consequences
- 🏭 Asset criticality and operational role
- 🔐 AIC (Availability, Integrity, Confidentiality) impacts
- 🛡️ Compensating controls and network segmentation
- 🎯 Real-world threat intelligence and exploitability
The OT Risk Severity Calculator provides:
- ✅ More accurate risk assessment for OT/ICS vulnerabilities
- ✅ Context-aware scoring that reflects actual operational risk
- ✅ Reduction in false positives and alert fatigue
- ✅ Better resource allocation and remediation prioritization
- ✅ Alignment with IEC 62443, NIST 800-82, and OT security best practices
CVSS (Common Vulnerability Scoring System) was designed for IT environments and has significant limitations when applied to OT/ICS:
| Issue | Impact on OT |
|---|---|
| Ignores Safety Impact | A 9.8 CVSS vulnerability on an air-gapped system gets same priority as one on a safety PLC |
| No Asset Context | Engineering workstation and safety system treated identically |
| Availability Not Prioritized | In OT, availability is often MORE critical than confidentiality (opposite of IT) |
| Patch-Centric | Assumes immediate patching is possible (often not true for OT) |
| No Operational Context | Doesn't consider network segmentation, compensating controls, or physical security |
Real-world example:
CVE-2024-XXXX: Network-exploitable PLC vulnerability
CVSS Score: 9.8 CRITICAL
Traditional Response: "PATCH IMMEDIATELY!"
OT Reality:
- Asset 1: Air-gapped engineering workstation → Low actual risk
- Asset 2: Safety PLC with poor segmentation → Critical risk
- Asset 3: Production HMI in segmented network → Medium risk
Same CVE, three different actual risk levels!
5x5 Risk Matrices are business risk tools that:
- Focus on business impact (financial, reputational)
- Use subjective likelihood assessments
- Don't account for technical vulnerability details
- Can't differentiate between different types of OT assets
- Lack standardization across assessors
Result: Inconsistent scoring, difficulty comparing vulnerabilities, and poor integration with vulnerability management tools.
| Criteria | CVSS v3.x/v4.0 | 5x5 Risk Matrix | OT Risk Severity Calculator ✨ |
|---|---|---|---|
| Primary Use Case | IT vulnerability assessment | Business risk assessment | OT/ICS vulnerability assessment |
| Safety Impact | ❌ Not considered | ✅ Explicit safety scoring (30% weight) | |
| Asset Criticality | ❌ Not considered | ✅ Dedicated dimension (20% weight) | |
| AIC Prioritization | ❌ Not applicable | ✅ AIC (Availability first) - 15% weight | |
| Compensating Controls | ❌ Not in base score | ✅ Explicit scoring (10% weight) | |
| Threat Intelligence | ✅ Integrated (5% weight) | ||
| Standardization | ✅ Highly standardized | ❌ Subjective, varies | ✅ Standardized with flexibility |
| Technical Detail | ✅ Detailed technical metrics | ❌ Generic/high-level | ✅ Technical + operational context |
| Context Awareness | ❌ Context-free scoring | ✅ Fully context-aware | |
| False Positives | ❌ High (25-30% "critical") | ✅ Low (3-6% critical) | |
| Operational Alignment | ❌ Patch-focused | ✅ Operations-aware | |
| Audit Trail | ✅ Well documented | ✅ Documented + exportable | |
| Tool Integration | ✅ Wide support | ❌ Manual usually | ✅ JSON export, URL parameters |
| Learning Curve | ✅ Low | ✅ Low (guided) | |
| Best For | Software vulnerabilities in IT | Business risk workshops | OT/ICS vulnerability management |
| Metric | CVSS Approach | OT Risk Severity Calculator | Improvement |
|---|---|---|---|
| Vulnerabilities Marked "Critical" | 25-30% | 3-6% | ✅ 80% reduction in noise |
| False Urgent Alerts | High | Low | ✅ 75% reduction |
| Missed Critical Issues | Low-Medium | Very Low | ✅ Safety override prevents misses |
| Operational Surprises | Common | Rare | ✅ 90% reduction |
| Resource Efficiency | 1x baseline | 4x improvement | ✅ 4x efficiency gain |
| Audit Defensibility | Good | Excellent | ✅ Full traceability |
- Safety & Consequence Impact (30%) - Life safety, environmental, production impact
- Technical Vulnerability Severity (20%) - CVSS-based but OT-contextualized
- Asset Criticality & Role (20%) - Safety systems, production control, monitoring
- AIC Impact (15%) - Availability, Integrity, Confidentiality (OT-prioritized)
- Environmental Context & Controls (10%) - Network segmentation, compensating controls
- Threat Intelligence & Exploitability (5%) - Active exploitation, public exploits
- Automatic elevation to HIGH/CRITICAL for catastrophic safety impacts
- Prevents underestimation of life-safety risks
- Enforces minimum score of 8.0 for safety-critical scenarios
- ✅ No installation required - runs in any browser
- ✅ Works offline - no internet connection needed
- ✅ Responsive design - desktop, tablet, mobile
- ✅ Real-time calculations and visual feedback
- ✅ Grid layout for easy option selection
- Pre-fill assessments via URL
- Share assessments with team members
- Integrate with other tools and dashboards
- Example:
calculator.html?asset=PLC-01&safety=10&technical=7.5
- JSON Export - Machine-readable data for integration
- Print Reports - Professional PDF documentation
- Shareable URLs - Collaborate with team members
The calculator cleanly separates exploitability from impact:
| Dimension | Weight | Measures | Source |
|---|---|---|---|
| Technical Vulnerability | 15% | Exploitability only | CVSS vector (AV, AC, PR, UI, S) or manual |
| AIC Impact | 20% | ALL CIA impact | Your OT-specific assessment |
Key Design Decision: When you enter a CVSS vector string, the calculator:
- ✅ Extracts: AV, AC, PR, UI, S (exploitability metrics)
- ❌ Ignores: C, I, A (impact metrics - you assess these in AIC dimension)
This eliminates the overlap that existed when using the full CVSS base score.
Purpose: Measures how easy the vulnerability is to exploit, NOT what happens if exploited.
Two Assessment Methods:
Paste your CVSS vector from the scanner. Only exploitability metrics are used:
Input: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
↑ ↑ ↑ ↑ ↑ ↑ ↑ ↑
Used Used Used Used Used | | |
Ignored (assessed in AIC)
When no CVSS is available, select values for five exploitability factors:
- Attack Vector (AV): Network / Adjacent / Local / Physical
- Attack Complexity (AC): Low / High
- Privileges Required (PR): None / Low / High
- User Interaction (UI): None / Required
- Scope (S): Unchanged / Changed (affects PR calculation)
Purpose: Assess the actual operational impact in YOUR specific OT environment.
What it measures:
- Availability impact - What happens to operations? (Most critical in OT)
- Integrity impact - Can processes/controls be manipulated?
- Confidentiality impact - How sensitive is exposed data? (Least critical in OT)
Why this is separate from Technical:
- CVSS CIA assumes IT context (Confidentiality > Integrity > Availability)
- OT environments have inverted priorities (Availability > Integrity > Confidentiality)
- Same vulnerability = different impact based on your specific environment
Vulnerability: CVE-2024-XXXX - Remote Code Execution
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Technical Vulnerability (Exploitability) - Same for all:
- AV:N (0.85) + AC:L (0.77) + PR:N (0.85) + UI:N (0.85) + S:U
- Exploitability Score: 10.0 (easy to exploit - same for all environments)
AIC Impact (OT-Specific) - Different for each:
| Scenario | Asset Type | A | I | C | AIC Avg | Rationale |
|---|---|---|---|---|---|---|
| Safety PLC | SIS/ESD | 10 | 10 | 0 | 6.67 | Total system compromise = shutdown risk |
| Air-gapped HMI | Monitoring | 3.33 | 0 | 0 | 1.11 | Isolated, monitoring only |
| Remote-access OT | SCADA | 6.67 | 6.67 | 3.33 | 5.56 | Mixed impact, remote exposure |
Same exploitability (10.0), vastly different OT impact!
Step 1: Enter CVSS Vector String (or use Manual Assessment)
→ Calculator extracts EXPLOITABILITY only (ignores C, I, A)
→ Result: Technical Vulnerability score (0-10)
Step 2: Assess AIC Impact for YOUR environment
→ Availability: What happens to operations?
→ Integrity: Can controls be manipulated?
→ Confidentiality: How sensitive is exposed data?
→ Result: AIC Impact score (average of three)
Step 3: Calculator Combines All Dimensions
→ Final Score = (Safety × 30%) + (Technical × 15%) + (Asset × 20%) +
(AIC × 20%) + (Environment × 10%) + (Threat × 5%)
✅ No double-counting - Technical measures exploitability, AIC measures impact
✅ Technical (15%) = Pure exploitability (how easy to exploit)
✅ AIC (20%) = ALL CIA impact assessment (what happens if exploited)
✅ OT-specific = Your operational context drives the impact assessment
✅ Clean separation = CVSS C, I, A metrics are ignored, you assess them yourself
This approach allows you to:
- Accept CVSS scores from scanners (plug-and-play)
- Override IT-centric CIA assumptions with OT-specific AIC reality
- Produce accurate, defensible risk scores for OT environments
Fill in the asset details:
- Asset Name/ID (required): Unique identifier (e.g., "PLC-REACTOR-01")
- Asset Type (required): PLC, SCADA, HMI, DCS, SIS, etc.
- Vulnerability Name (optional): Name or description of the vulnerability
- CVE ID (optional): If assessing a specific CVE
- Assessment Date (optional): When the assessment is being performed
Click the appropriate option box for each of the 6 dimensions. The calculator updates in real-time as you select options.
Select the potential safety impact:
- None (0): No safety implications
- Minor (2.5): Minimal safety concern, no injury expected
- Moderate (5): Equipment damage possible, minor injuries possible
- Significant (7.5): Serious injury or environmental damage possible
- Catastrophic (10): Loss of life or major environmental disaster possible
⚠️ Safety Override: Selecting "Catastrophic" automatically ensures minimum score of 8.0
This dimension measures exploitability only (how easy to exploit). Impact is assessed separately in AIC.
Choose your assessment method using the toggle buttons:
📊 CVSS Vector String (Recommended):
- Paste the full CVSS vector from your scanner
- Example:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - Calculator extracts only AV, AC, PR, UI, S (exploitability)
- C, I, A values are ignored (you assess these in AIC dimension)
🔧 Manual Assessment:
- Use when no CVSS vector is available
- Answer five exploitability questions:
- Attack Vector (Network/Adjacent/Local/Physical)
- Attack Complexity (Low/High)
- Privileges Required (None/Low/High)
- User Interaction (None/Required)
- Scope (Unchanged/Changed)
- Calculator computes exploitability score using CVSS 3.1 formula
📋 Note: This dimension measures exploitability only. The AIC dimension below is where you assess the actual operational impact.
What is the asset's role in operations?
- Support/Admin (2): Engineering workstation, development system
- Monitoring (5): HMI, historian, data collection only
- Production Control (7.5): Production PLC, SCADA master, process control
- Safety System (10): SIS, ESD, fire & gas system, safety PLC
How to use this dimension: This dimension is where you assess ALL operational impact for YOUR specific OT environment. The Technical dimension only measures exploitability, so this is where CIA impact is captured.
Why this matters:
- CVSS uses IT-centric CIA prioritization (Confidentiality first)
- OT environments prioritize AIC (Availability first)
- Same vulnerability can have vastly different operational impacts depending on asset role, network architecture, and compensating controls
Example: A CVSS 7.5 information disclosure vulnerability might score:
- IT System: High confidentiality impact (C:High)
- OT HMI (air-gapped): Low confidentiality impact (C:Low) - because the data exposed has minimal value in an isolated OT network
Assess impact on each component:
Availability Impact:
- None (0): No availability impact
- Low (3.33): Minor performance degradation
- Moderate (6.67): Significant downtime or service disruption
- High (10): Total loss of availability/shutdown required
Integrity Impact:
- None (0): No integrity impact
- Low (3.33): Limited data or control modification possible
- Moderate (6.67): Process control manipulation possible
- High (10): Full system compromise, unrestricted control modification
Confidentiality Impact:
- None (0): No confidentiality impact
- Low (3.33): Limited information disclosure
- Moderate (6.67): Sensitive operational data or IP exposure
- High (10): Complete data breach, trade secrets compromised
💡 OT Priority: Availability typically matters most in OT, followed by Integrity, then Confidentiality (opposite of IT's CIA priority!)
What protections are in place?
- No Protection (10): Internet-facing, no network segmentation
- Basic Protection (7.5): Minimal firewall, flat network topology
- Moderate Protection (5): Network segmentation implemented, basic monitoring
- Good Protection (2.5): Defense in depth, IDS/IPS, active monitoring, trained staff
- Strong Protection (0): Air-gapped, physical security, comprehensive controls
Is this vulnerability being actively exploited?
- Theoretical (0): No known exploit, theoretical vulnerability only
- PoC Exists (3.33): Proof of concept published, not weaponized
- Public Exploit (6.67): Working exploit publicly available (Metasploit, ExploitDB)
- Active Exploitation (10): Active exploitation in the wild or CISA KEV listed
The calculator displays:
- Individual dimension scores
- Weighted contributions
- Final Score (0.0 - 10.0)
- Risk Rating (Critical/High/Medium/Low/Informational)
- Priority (NOW/NEXT/PLANNED/NEVER)
- Timeline for remediation
- Detailed Recommendations for action
Based on the score:
| Score | Rating | Priority | Timeline | Action |
|---|---|---|---|---|
| 9.0-10.0 | 🔴 CRITICAL | NOW | 0-24 hours | Emergency response, immediate mitigation |
| 7.5-8.9 | 🟠 HIGH | NEXT | 1-7 days | Urgent, schedule in next maintenance window |
| 5.5-7.4 | 🟡 MEDIUM | NEXT | 1-30 days | Standard priority, quarterly cycle |
| 3.0-5.4 | 🟢 LOW | PLANNED | 30-90 days | Planned, annual maintenance |
| 0.0-2.9 | 🔵 INFO | NEVER | Informational | Document only, no action required |
- 🖨️ Print Report: Generate PDF for documentation
- 💾 Export JSON: Save data for vulnerability management tools
- 🔗 Copy URL: Share assessment with team members
- 🔄 Reset: Start a new assessment
Final Score = (Safety × 0.30) + (Technical × 0.15) + (Asset × 0.20) +
(AIC_Avg × 0.20) + (Environment × 0.10) + (Threat × 0.05)
Where:
AIC_Avg = (Availability + Integrity + Confidentiality) / 3
Technical = Exploitability sub-score only (CIA impact excluded)
| Dimension | Weight | Category | Justification |
|---|---|---|---|
| Safety | 30% | Impact | Life safety is paramount in OT; potential for loss of life or environmental catastrophe |
| Technical | 15% | Exploitability | Pure exploitability only (CIA removed) - how easy to exploit, not what happens |
| Asset | 20% | Impact | Not all assets are equal; safety systems need more protection than workstations |
| AIC | 20% | Impact | ALL operational CIA impact; OT-specific context matters more than generic CVSS |
| Environment | 10% | Context | Compensating controls significantly reduce actual risk |
| Threat | 5% | Exploitability | Knowing exploits exist is important but shouldn't dominate the score |
Category Breakdown:
- Impact Dimensions: Safety (30%) + Asset (20%) + AIC (20%) = 70%
- Exploitability/Context: Technical (15%) + Environment (10%) + Threat (5%) = 30%
This 70/30 split reflects OT's focus on consequences over exploitability.
IF Safety_Impact == Catastrophic (10.0) THEN
Final_Score = MAX(Final_Score, 8.0)
END IF
This ensures that any vulnerability with catastrophic safety implications is automatically rated at least HIGH (8.0), even if other factors would suggest a lower score.
This dimension captures the worst-case safety, environmental, and production consequences of successful exploitation.
Scoring Guide:
| Score | Level | Description | Examples |
|---|---|---|---|
| 0 | None | No safety or production impact | Isolated monitoring system, no operational control |
| 2.5 | Minor | Minimal safety concern, brief production impact | Temporary loss of monitoring data, minor quality issues |
| 5 | Moderate | Equipment damage, production downtime | Motor burnout, batch loss, 4-24 hour outage |
| 7.5 | Significant | Serious injury possible, major environmental or production impact | Chemical release, serious worker injury, >24 hour outage |
| 10 | Catastrophic | Loss of life or major environmental disaster possible | Explosion, toxic release, worker fatality, environmental catastrophe |
This dimension measures exploitability only - how easy the vulnerability is to exploit. Impact (CIA) is assessed separately in the AIC dimension to avoid double-counting.
Two Assessment Methods:
📊 Method 1: CVSS Vector String (Recommended when available) Paste your CVSS vector string from the vulnerability scanner. The calculator extracts only exploitability metrics:
| Metric | Extracted? | Description |
|---|---|---|
| AV (Attack Vector) | ✅ Yes | Network / Adjacent / Local / Physical |
| AC (Attack Complexity) | ✅ Yes | Low / High |
| PR (Privileges Required) | ✅ Yes | None / Low / High |
| UI (User Interaction) | ✅ Yes | None / Required |
| S (Scope) | ✅ Yes | Unchanged / Changed (affects PR calculation) |
| C (Confidentiality) | ❌ Ignored | Assessed in AIC dimension instead |
| I (Integrity) | ❌ Ignored | Assessed in AIC dimension instead |
| A (Availability) | ❌ Ignored | Assessed in AIC dimension instead |
Example:
Input: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Output: Exploitability Score = 10.0 (C:H, I:H, A:H ignored)
🔧 Method 2: Manual Assessment (When no CVSS available) Select values for each exploitability factor:
| Factor | Options | CVSS Values |
|---|---|---|
| Attack Vector | Network (0.85), Adjacent (0.62), Local (0.55), Physical (0.2) | Higher = easier to exploit |
| Attack Complexity | Low (0.77), High (0.44) | Lower complexity = easier |
| Privileges Required | None (0.85), Low (0.62/0.68), High (0.27/0.50) | Values depend on Scope |
| User Interaction | None (0.85), Required (0.62) | No interaction = easier |
| Scope | Unchanged (U), Changed (C) | Affects PR values only |
Exploitability Formula (CVSS 3.1):
Exploitability = 8.22 × AV × AC × PR × UI
Normalized Score = (Exploitability / 3.887) × 10
Why Scope Matters: Scope affects the Privileges Required calculation:
| PR Level | Scope: Unchanged | Scope: Changed |
|---|---|---|
| None | 0.85 | 0.85 |
| Low | 0.62 | 0.68 |
| High | 0.27 | 0.50 |
Key Point: This dimension is now pure exploitability - no overlap with AIC Impact.
Not all assets are created equal in OT environments.
Scoring Guide:
| Score | Asset Type | Description | Examples |
|---|---|---|---|
| 2 | Support/Admin | Non-operational support systems | Engineering workstations, development servers, corporate IT |
| 5 | Monitoring | Read-only monitoring and data collection | HMI (view only), historians, data loggers, reporting systems |
| 7.5 | Production Control | Direct process control, production operations | Production PLCs, SCADA masters, DCS controllers, VFDs |
| 10 | Safety System | Safety instrumented systems (SIS) | Safety PLCs, ESD systems, fire & gas systems, burner management |
Assessment of actual operational impact on Availability, Integrity, and Confidentiality in YOUR specific OT environment (OT-prioritized order).
Purpose: This dimension allows you to contextualize the generic CVSS impact for your specific operational reality. Unlike CVSS's IT-centric CIA scoring, this reflects actual OT consequences.
Why This Matters:
- CVSS assumes IT security priorities (Confidentiality > Integrity > Availability)
- OT environments have inverted priorities (Availability > Integrity > Confidentiality)
- Same vulnerability has vastly different operational impacts based on:
- Asset role and criticality
- Network architecture and isolation
- Compensating controls
- Operational context and redundancy
Availability Impact (Most Critical in OT):
| Score | Level | Description | Operational Consequence |
|---|---|---|---|
| 0 | None | No availability impact | No operational disruption |
| 3.33 | Low | Minor performance degradation | Slight slowdown, no downtime |
| 6.67 | Moderate | Significant downtime or disruption | Hours of downtime, production impact |
| 10 | High | Total loss of availability/shutdown | Complete shutdown, emergency stop |
Integrity Impact (Critical in OT):
| Score | Level | Description | Operational Consequence |
|---|---|---|---|
| 0 | None | No integrity impact | Data and controls remain trustworthy |
| 3.33 | Low | Limited data/control modification | Minor parameter changes possible |
| 6.67 | Moderate | Process control manipulation possible | Setpoints, alarms, control logic at risk |
| 10 | High | Full system compromise | Complete control over process operations |
Confidentiality Impact (Least Critical in OT, but still important):
| Score | Level | Description | Operational Consequence |
|---|---|---|---|
| 0 | None | No confidentiality impact | No information disclosure |
| 3.33 | Low | Limited information disclosure | Process parameters, non-sensitive data |
| 6.67 | Moderate | Sensitive operational data exposed | Control strategies, operational secrets |
| 10 | High | Complete data breach/IP theft | Trade secrets, proprietary processes |
Assessment Guidelines:
- Consider YOUR specific environment, not generic assumptions
- Factor in network isolation and compensating controls
- Think about actual operational consequences, not theoretical impacts
- Remember: In OT, a 10-hour production outage may be worse than a data leak
AIC Score Calculation:
AIC_Score = (Availability + Integrity + Confidentiality) / 3
The security architecture and controls around the asset.
Scoring Guide:
| Score | Level | Description |
|---|---|---|
| 10 | No Protection | Internet-facing, no firewall, flat network |
| 7.5 | Basic Protection | Basic firewall, flat OT network |
| 5 | Moderate Protection | Network segmentation, basic DMZ |
| 2.5 | Good Protection | Defense in depth, IDS/IPS, monitoring |
| 0 | Strong Protection | Air-gapped, physical security, 24/7 monitoring |
Real-world exploitation status and threat actor interest.
Scoring Guide:
| Score | Level | Description |
|---|---|---|
| 0 | Theoretical | No known exploit |
| 3.33 | PoC Exists | Proof of concept published |
| 6.67 | Public Exploit | Working exploit publicly available |
| 10 | Active Exploitation | In-the-wild exploitation or CISA KEV |
Scenario: Network-exploitable vulnerability in a safety PLC that controls emergency shutdown systems in a chemical plant. The system has basic segmentation but no IDS/IPS.
Assessment:
- Asset: Safety PLC (Emergency Shutdown System)
- Vulnerability: Remote Code Execution Vulnerability
- CVE: CVE-2024-12345
- CVSS Base Score: 9.8
Scoring:
| Dimension | Selection | Score | Weighted |
|---|---|---|---|
| Safety & Consequence | Catastrophic - Chemical release possible | 10.0 | 3.0 (30%) |
| Technical Vulnerability | Critical - CVSS 9.8, network RCE | 10.0 | 2.0 (20%) |
| Asset Criticality | Safety System - ESD system | 10.0 | 2.0 (20%) |
| AIC Impact | A:High, I:High, C:None | 6.67 | 1.0 (15%) |
| Environment & Controls | Moderate - Basic segmentation | 5.0 | 0.5 (10%) |
| Threat Intelligence | Public Exploit - Metasploit module exists | 6.67 | 0.33 (5%) |
Results:
- Final Score: 8.83
- Rating: 🔴 CRITICAL
- Priority: NOW (0-24 hours)
- Action: Emergency response required, implement workaround immediately, schedule emergency patch within 24 hours
Scenario: Same CVE-2024-12345 vulnerability, but on an air-gapped engineering workstation used for occasional PLC programming.
Assessment:
- Asset: Engineering Workstation
- Vulnerability: Remote Code Execution Vulnerability
- CVE: CVE-2024-12345
- CVSS Base Score: 9.8 (same CVE)
Scoring:
| Dimension | Selection | Score | Weighted |
|---|---|---|---|
| Safety & Consequence | None - No operational control | 0.0 | 0.0 (30%) |
| Technical Vulnerability | Critical - CVSS 9.8, network RCE | 10.0 | 2.0 (20%) |
| Asset Criticality | Support/Admin - Engineering workstation | 2.0 | 0.4 (20%) |
| AIC Impact | A:None, I:Low, C:Moderate | 3.33 | 0.5 (15%) |
| Environment & Controls | Strong - Air-gapped, physical security | 0.0 | 0.0 (10%) |
| Threat Intelligence | Public Exploit - Metasploit module exists | 6.67 | 0.33 (5%) |
Results:
- Final Score: 3.23
- Rating: 🟢 LOW
- Priority: PLANNED (30-90 days)
- Action: Include in next annual maintenance, minimal urgency
Key Insight: Same CVE, dramatically different actual risk! CVSS would treat both identically (9.8), causing resource waste and operational disruption.
Scenario: Moderate vulnerability (CVSS 6.5) in production HMI that monitors (but doesn't control) a manufacturing line. Good network segmentation and IDS in place.
Assessment:
- Asset: Production HMI (monitoring only)
- Vulnerability: Information Disclosure Vulnerability
- CVE: CVE-2024-67890
- CVSS Base Score: 6.5
Scoring:
| Dimension | Selection | Score | Weighted |
|---|---|---|---|
| Safety & Consequence | Minor - Production visibility only | 2.5 | 0.75 (30%) |
| Technical Vulnerability | Medium - CVSS 6.5, requires user interaction | 5.0 | 1.0 (20%) |
| Asset Criticality | Monitoring - HMI, no control functions | 5.0 | 1.0 (20%) |
| AIC Impact | A:Low, I:None, C:Low | 2.22 | 0.33 (15%) |
| Environment & Controls | Good - Segmented, IDS/IPS, monitoring | 2.5 | 0.25 (10%) |
| Threat Intelligence | PoC Exists - Research PoC only | 3.33 | 0.17 (5%) |
Results:
- Final Score: 3.50
- Rating: 🟢 LOW
- Priority: PLANNED (30-90 days)
- Action: Include in quarterly patch cycle, compensating controls adequate
The calculator supports pre-filling assessments via URL parameters, enabling integration with other tools and easy sharing.
Asset Information:
asset- Asset name/IDtype- Asset typevuln- Vulnerability namecve- CVE identifierdate- Assessment date (YYYY-MM-DD format)
Dimension Scores:
safety- Safety score (0, 2.5, 5, 7.5, 10)technical- Technical score (0, 3, 5, 7.5, 10)asset- Asset criticality (2, 5, 7.5, 10)availability- Availability impact (0, 3.33, 6.67, 10)integrity- Integrity impact (0, 3.33, 6.67, 10)confidentiality- Confidentiality impact (0, 3.33, 6.67, 10)environment- Environment score (0, 2.5, 5, 7.5, 10)threat- Threat score (0, 3.33, 6.67, 10)
OT_Risk_Calculator.html?asset=PLC-SAFETY-01&type=Safety+PLC&vuln=Remote+Code+Execution&cve=CVE-2024-12345&safety=10&technical=10&asset=10&availability=10&integrity=10&confidentiality=0&environment=5&threat=6.67
OT_Risk_Calculator.html?asset=ENG-WS-05&type=Engineering+Workstation&vuln=RCE+Vulnerability&safety=0&technical=10&asset=2&availability=0&integrity=3.33&confidentiality=6.67&environment=0&threat=6.67
OT_Risk_Calculator.html?asset=HMI-PROD-03&type=HMI&vuln=Information+Disclosure&cve=CVE-2024-67890&safety=2.5&technical=5&asset=5&availability=3.33&integrity=0&confidentiality=3.33&environment=2.5&threat=3.33
The calculator exports assessments in a standardized JSON format:
{
"metadata": {
"exportDate": "2024-11-19T10:30:00.000Z",
"calculator": "OT Risk Severity Calculator",
"assessmentDate": "2024-11-19"
},
"asset": {
"name": "PLC-SAFETY-01",
"type": "Safety PLC",
"vulnerabilityName": "Remote Code Execution Vulnerability",
"cveId": "CVE-2024-12345"
},
"dimensions": {
"safety": 10.0,
"technical": 10.0,
"asset": 10.0,
"aic": {
"availability": 10.0,
"integrity": 10.0,
"confidentiality": 0.0
},
"environment": 5.0,
"threat": 6.67
},
"results": {
"finalScore": 8.83,
"rating": "CRITICAL"
}
}Example: Import into Tenable.sc
import json
import requests
# Load OT Risk assessment
with open('ot_risk_assessment.json', 'r') as f:
risk_data = json.load(f)
# Map to Tenable custom field
tenable_payload = {
'cve': risk_data['asset']['cveId'],
'asset': risk_data['asset']['name'],
'custom_field_ot_risk_score': risk_data['results']['finalScore'],
'custom_field_ot_risk_rating': risk_data['results']['rating']
}
# Send to Tenable API
requests.post('https://tenable.sc/api/vulnerability', json=tenable_payload)- IEC 62443 - Security for industrial automation and control systems
- NIST SP 800-82 - Guide to Industrial Control Systems (ICS) Security
- ISA/IEC 62443-3-2 - Security risk assessment for system design
- NERC CIP - Critical Infrastructure Protection standards
- ISO 27001/27019 - Information security management
- CVSS v3.1 Specification
- CVSS v4.0 Specification
- CVSS Calculator: https://www.first.org/cvss/calculator/
- ICS-CERT Advisories: https://www.cisa.gov/uscert/ics/advisories
- CISA Known Exploited Vulnerabilities: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- SANS ICS Security: https://www.sans.org/industrial-control-systems-security/