OTSecurity

Reducing OT Incident Impact Inflation


Where does the media get the information and quotes that turn a couple of residential swimming pools of water spilling out of a water tank (Muleshoe) into a major story and congressional hearing? From us, the OT security community.

Since we are part of the problem, let’s be the solution.

We introduced the OT Incident Impact Score (Impact Score) at S4x26. It is based on Munish Walther-Puri’s brilliant session at S4x25 that posited we need a Richter scale for OT security incidents. Something simple that your Mom & Dad, neighbor, media, and elected official can look at and quickly determine if the impact of an OT cyber incident is worth their attention.

KEY: This is not a metric for the OT security community, the asset owner being hit, or even that sector. They will want more nuanced information.

THE GOOD NEWS: The site is up and running thanks to the good pro bono work by Dan Ricci. We are ready to score the next OT cyber incident. It is at https://impact.icsadvisoryproject.com, more on the site later.

Goals Of The Impact Score

  • Easy to understand. A score between 0 and 10. This can be translated to impact levels, and people will get used to the score like they have with hurricanes and earthquakes.
  • Available to all people within 12 hours of the incident being reported, or sooner. Speed is key.
  • Crowd-sourced online scoring by the OT community. No single person or entity controls the score.
  • The Impact Score is updated if more information becomes available.

The Impact Score Calculation

There are three elements to the Impact Score:

  1. Severity (1 – 10) What is the severity of the incident?
  2. Reach (1 – 10) How widespread is the incident, geographically and as a percentage of all available sources?
  3. Duration (1 – 10) How long until recovery?

Score = (Severity x Reach x Duration) / 100

The score will be rounded to the nearest tenth, and it will be between 0.0 and 10.0.

Examples:

  • JLR Ransomware: 3.7
  • 2015 Ukraine Attack: 2.9
  • Oldsmar Water Incident: 0.5
  • Muleshoe Water Incident: 0.0
  • Colonial Pipeline: 3.9

What you quickly realize is that an incident has to score high in all three dimensions to have a Severe or Catastrophic Impact on society.

Speed & Crowd Sourced Scoring

There is an excellent and rigorous similar effort in the UK, the Cyber Monitoring Centre. They take 30 days or more to come up with a score. This is good for after-incident analysis, but bad for controlling the narrative that is written in the first 48 hours. The Impact Score sacrifices that rigor for speed, the wisdom of crowds, and a precision level that is sufficient for the media, elected officials, and the general public.

The scoring will be done by OT professionals who are minimally vetted (are they a real person, and are they involved in OT?). The site is up now. We encourage OT professionals to create a login and score a couple of past incidents to be ready to score the next OT cyber incident. Again, the site is https://impact.icsadvisoryproject.com.

Our 3-month goal is to have 100 registered scorers and to have each future incident scored by at least 20 people. Obviously greater numbers are better, and this is just a start.

When you go to score an incident you will see the three score dimensions (severity, reach and duration) as sliders. As you move a slider you will see the description for each score, and your calculated Impact Score will change as you change any dimension value. After you submit your score it will be another input point for the Consensus Score.


There is another class of user on the site, the admin. The admin role does two things. One, perform the minimal vetting of new scorers. And two, add new incidents to the scoring portal. Currently Dan and I are the admins. We would like to have ten admins so that a new incident quickly gets on the scoring portal. Let us know if you would like to be an admin. Again our goal is to have a score for the media and general public within 12 hours of the incident becoming public.

Incident impact can change over time, especially the duration dimension since it is time-based. A scorer can go in and update their score at any time. The scoring portal will display their last entered score, and the scorer can adjust and resubmit.
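The calculation and the resubmission behavior described above, as an added Python example that is not code from the scoring site. It uses Reach as the second factor of the formula. It assumes integer slider values and that the Consensus Score is the median of each scorer's latest Impact Score; the article does not say how the consensus is aggregated, and the scorer names and values are constructed.

```python
from decimal import Decimal, ROUND_HALF_UP
from statistics import median

DIMENSIONS = ("severity", "reach", "duration")
TENTH = Decimal("0.1")


def impact_score(severity, reach, duration):
    """Score = (Severity x Reach x Duration) / 100, rounded to the nearest tenth."""
    for name, value in zip(DIMENSIONS, (severity, reach, duration)):
        # Assumption: sliders produce whole numbers from 1 to 10.
        if isinstance(value, bool) or not isinstance(value, int) or not 1 <= value <= 10:
            raise ValueError(f"{name} must be an integer from 1 to 10, got {value!r}")
    raw = Decimal(severity * reach * duration) / Decimal(100)
    # Decimal avoids binary float surprises when rounding values such as 0.25.
    return raw.quantize(TENTH, rounding=ROUND_HALF_UP)


def consensus_score(submissions):
    """Return (consensus, number_of_scorers).

    submissions: (scorer, severity, reach, duration) tuples in submission order.
    A resubmission replaces that scorer's earlier entry, so each scorer counts once.
    Assumption: the consensus is the median of the latest per-scorer scores.
    """
    latest = {}
    for scorer, severity, reach, duration in submissions:
        latest[scorer] = impact_score(severity, reach, duration)
    if not latest:
        raise ValueError("no submissions to aggregate")
    mid = median(latest.values())
    return Decimal(mid).quantize(TENTH, rounding=ROUND_HALF_UP), len(latest)


# Constructed submissions for one incident; scorer_a later raises Duration.
SAMPLE = [
    ("scorer_a", 3, 2, 2),
    ("scorer_b", 4, 3, 3),
    ("scorer_c", 2, 2, 1),
    ("scorer_a", 3, 2, 5),
]

if __name__ == "__main__":
    score, scorers = consensus_score(SAMPLE)
    print(f"Consensus Score {score} from {scorers} scorers")
    # Maximum Severity and Reach with a minimum Duration still scores low.
    print("10 x 10 x 1 ->", impact_score(10, 10, 1))
```

Because the three dimensions are multiplied, a 1 on any slider caps the result at 1.0, which is why an incident has to score high on all three to land near the top of the scale.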

Asks

Since this is a crowd sourced effort we need your help. Here are the direct asks:

  1. If you are an OT professional, create a login, score a couple historical incidents, and be ready to score future OT cyber incidents.
  2. If you are an OT security professional, consider referencing the Impact Score when you discuss future incidents with the general public, media, and elected officials. (Again, this is not a score for OT security professional consumption; you will want more details, TTP, near miss consideration, …)
  3. If you are in the media please consider the Impact Score when you frame your story. Even better would be to include the Impact Score and category in your story.


