IACS System Testing and Assessment Rating Score Calculator
Likelihood Factors
Threat Actor Factors
Skill Level
0 - N/A
1 - Limited Information Technology (IT), network, and no Operational Technology (OT) skills
2
3 - Moderate IT, limited network, and no OT technical skills
4
5 - Advanced IT, moderate network, and limited OT technical skills
6 - Advanced IT, advanced network, and moderate OT technical skills
7
8 - Advanced OT technical skills
9 - Security penetration skills and knowledge of OT technologies
Motive
0 - N/A
1 - No reward or intention to impact control environment
2 - Theft of operational data or equipment
3 - Create loss of view and control as a result of target-of-opportunity access to assets
4
5 - Limit access to file shares and prevent view and control using common malware
6 - Prevent view and control using specially designed malware
7
8 - Manipulate view and control using privileged remote access and/or specially designed malware
9 - Prevent operation of safety equipment or cause a catastrophic failure
Opportunity
0 - Physical access and local authentication are required and response time is less than fifteen minutes
1 - Physical access and local authentication are required but response time is more than fifteen minutes
2
3 - Physical and remote access is possible, local authentication required, and active monitoring is enabled
4
5 - Limited logging of physical or remote access but administrative privileges are required to access network devices, systems, and applications
6 - Undetected physical or remote access but administrative privileges are required to access network devices, systems, and applications
7
8 - Undetected physical or remote access that requires authentication to some network devices, systems, and applications
9 - Undetected physical or remote access that provides elevated permissions to network devices, systems, and applications
Access
0 - N/A
1 - Physical owner/operator users
2 - Physical vendor/integrator users
3 - Remote owner/operator users with MFA
4 - Remote vendor/integrator users with MFA
5 - Remote owner/operator users without MFA
6 - Remote vendor/integrator users without MFA
7 - Remote access without MFA or logging
8 - Physical malicious users
9 - Remote anonymous internet users
Threat Actor Factor:
Vulnerability Factors
Ease of Discovery
0 - N/A
1 - Requires physical access to environment or OT device
2 - Requires physical access to environment or IT device
3 - Remotely accessible but countermeasures protecting OT technology
4 - Remotely accessible but countermeasures protecting IT technology
5
6 - Remotely accessible but no automated tools to discover for OT technology
7 - Remotely accessible but no automated tools to discover for IT technology
8 - Remotely accessible and automated tools available for IT technology
9 - Remotely accessible and automated tools available for OT technology
Ease of Exploit
0 - N/A
1 - No known proof of concept
2 - Countermeasures protecting OT technology
3 - Denial-of-Service possible but no code execution
4
5 - Custom scripts / tools can be made to exploit IT technology
6 - Custom scripts / tools can be made to exploit OT technology
7
8 - Automated tools available for IT technology
9 - Automated tools available for OT technology
Awareness
0 - N/A
1 - Unknown OT Vulnerability
2 - Unknown IT Vulnerability
3 - Not publicly known but common configuration vulnerability
4
5 - Publicly identified on vendor website or in the NVD vulnerability database but no known exploit available
6 - Publicly identified on vendor website or in the NVD vulnerability database, no known exploit available but the identified threat actor group can develop an exploit
7
8 - Publicly identified on vendor website and in vulnerability databases, and exploit available in public forums, e.g. Metasploit, Exploit-DB
9 - Publicly identified and listed in the CISA Known Exploited Vulnerabilities Catalog
Intrusion Detection
0 - N/A
1 - Centrally logged with alerts and formal review and response plan
2
3 - Centrally logged with alerts and formal review but no response plan
4
5
6 - Centrally logged with alerts, but no formal review or response plan
7 - Centrally logged and without review
8 - Locally logged without review
9 - Not logged
Vulnerability Factor:
Likelihood Factor:
Consequence Factors
Technical Impact Factors
Loss of Confidentiality
0 - No data lost
1
2 - Minimal architecture configuration data disclosed
3
4 - Minimal network configuration data but no device configuration data disclosed
5
6 - Extensive network configuration data and some device configuration data disclosed
7 - Some process network and device configuration data disclosed
8
9 - All process network and device configuration data disclosed
Loss of Integrity
0 - N/A
1 - Modification of historical data not used for control
2 - Modification of historical data used for control
3
4 - Local modification of set points used for non-critical functions
5 - Remote modification of set points used for non-critical functions
6 - Remote modification of device configurations used for non-critical functions
7 - Local modification of set points used for critical functions
8 - Remote modification of set points used for critical functions
9 - Remote modification of device configurations used for critical functions
Loss of Availability
0 - N/A
1 - Minimal production interruption and easily recoverable
2
3 - Device or service interrupted but process not impacted
4 - Production services temporarily interrupted but easily recoverable
5
6 - Production services interrupted but does not affect other processes
7 - Production services interrupted and impacts other processes
8 - All production services completely lost
9 - Loss of process safety functionality
Loss of Accountability
0 - N/A
1 - Central logging, Multifactor Authentication (MFA), and cameras
2 - Central logging, Multifactor Authentication (MFA), but no cameras
3 - Local logging, Multifactor Authentication (MFA), and cameras but no central logging
4
5 - Local logging and cameras but no MFA and no central logging
6
7 - Local logging but no MFA, no central logging, and no cameras
8
9 - No local or central logging, no MFA, and no cameras
Technical Impact Factor:
Safety Impact Factors
Environment Damage
0 - No environmental impact
1 - Environment damage limited by safety equipment, active, and passive protections
2 - Environment damage limited by active and passive protections
3
4 - Environment damage limited by passive protections only
5 - Safety equipment not remotely accessible and active and passive protections are in place
6
7 - Safety equipment remotely accessible but active and passive protections are sufficient
8 - Safety equipment remotely accessible and situation might overwhelm active protections but passive protections are sufficient
9 - Safety equipment on production network and situation might overwhelm active or passive protections
Process Damage
0 - No devices can be damaged and configurations cannot be modified
1 - Device or monitoring systems / applications can be modified but do not damage device or process
2
3 - Device configuration can be changed but easily recoverable
4 - Device damaged requiring manual update but limited impact to process
5
6 - Device damaged requiring manual update but significant impact to process
7 - Safety equipment configuration changed but limited impact to process
8 - Safety equipment damaged but limited impact to process
9 - Safety equipment damaged causing process failure or automatic shutdown
Safety Equipment
0 - Safety equipment not required for process
1 - Safety equipment required for process but not remotely accessible or on the same network as vulnerability
2 - Safety equipment required for process, remotely accessible, and requires MFA but not on the same network as vulnerability
3 - Safety equipment required for process and remotely accessible but does not require MFA and not on the same network as vulnerability
4 - Safety equipment required for process, remotely accessible, requires MFA, and on the same network as vulnerability
5 - Safety equipment required for process, remotely accessible, does not require MFA, and on the same network as vulnerability
6 - Safety equipment vulnerable and remotely accessible but requires MFA
7 - Safety equipment vulnerable and remotely accessible, requires authentication but no MFA
8 - Safety equipment vulnerable and remotely accessible, requires authentication but a default/hardcoded password is in place and no MFA
9 - Safety equipment vulnerable, remotely accessible, and does not require authentication
Recoverability
0 - Vulnerability will not require or limit recovery operations
1 - Process will automatically recover with no manual efforts
2 - Process will recover with minimal manual efforts
3
4 - Process will recover with extensive manual efforts
5
6 - Recovery not possible without vendor / integrator assistance
7 - Recovery not possible without limited government and vendor / integrator assistance
8 - Recovery not possible without moderate government and vendor / integrator assistance
9 - Recovery not possible without significant government and vendor / integrator assistance
Safety Impact Factor:
Consequence Factor:
Overall Risk Severity:
This Risk Rating Calculator is based on the IACS System Testing and Assessment Rating (STAR) Methodology. To use this calculator effectively to score implementation vulnerabilities, stakeholders and the assessment team should read the methodology documentation to understand the likelihood and consequence factors. Threat actor factor scores will most likely be consistent for all situations involving the System-Under-Consideration (SUC). Stakeholders may be required to accurately score the safety impact factors for each issue being reviewed.
This Risk Rating Calculator was modeled on OWASP's Risk Rating Calculator.
This project was developed and is supported by Cutaway Security, LLC.
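As an added example that is not part of this page or of Cutaway Security's calculator, the script below encodes the four factor groups listed above and fills in the aggregate fields the form leaves blank (Threat Actor, Vulnerability, Likelihood, Technical Impact, Safety Impact, Consequence, Overall Risk Severity). It assumes the factors combine as in OWASP's Risk Rating Methodology, which the page cites as its model but does not spell out: each group is averaged, averages below 3 are LOW, 3 to below 6 MEDIUM, 6 and above HIGH, and overall severity comes from OWASP's likelihood-by-impact matrix. The sample scores are constructed, and a 0 (N/A) option is averaged as written because the page does not say whether it is excluded.

```python
"""Added example: STAR-style score aggregation using OWASP-style arithmetic
(an assumption; the page names OWASP as its model but gives no formula)."""

# Factor groups exactly as laid out on the page (4 factors each).
LIKELIHOOD = {
    "threat_actor": ("skill_level", "motive", "opportunity", "access"),
    "vulnerability": ("ease_of_discovery", "ease_of_exploit", "awareness",
                      "intrusion_detection"),
}
CONSEQUENCE = {
    "technical_impact": ("loss_of_confidentiality", "loss_of_integrity",
                         "loss_of_availability", "loss_of_accountability"),
    "safety_impact": ("environment_damage", "process_damage",
                      "safety_equipment", "recoverability"),
}

# OWASP severity matrix keyed by (likelihood level, consequence level); assumed.
SEVERITY = {
    ("LOW", "LOW"): "NOTE", ("LOW", "MEDIUM"): "LOW", ("LOW", "HIGH"): "MEDIUM",
    ("MEDIUM", "LOW"): "LOW", ("MEDIUM", "MEDIUM"): "MEDIUM", ("MEDIUM", "HIGH"): "HIGH",
    ("HIGH", "LOW"): "MEDIUM", ("HIGH", "MEDIUM"): "HIGH", ("HIGH", "HIGH"): "CRITICAL",
}

def group_factor(scores, names):
    """Mean of one factor group; every option on the page is an integer 0-9."""
    for n in names:
        v = scores[n]
        if not isinstance(v, int) or not 0 <= v <= 9:
            raise ValueError(f"{n} must be an integer 0-9, got {v!r}")
    return sum(scores[n] for n in names) / len(names)

def level(x):
    """OWASP-style banding of a 0-9 average (assumed for STAR)."""
    return "LOW" if x < 3 else "MEDIUM" if x < 6 else "HIGH"

def star_score(scores):
    """Return every aggregate field the calculator form displays."""
    ta = group_factor(scores, LIKELIHOOD["threat_actor"])
    vu = group_factor(scores, LIKELIHOOD["vulnerability"])
    ti = group_factor(scores, CONSEQUENCE["technical_impact"])
    si = group_factor(scores, CONSEQUENCE["safety_impact"])
    likelihood, consequence = (ta + vu) / 2, (ti + si) / 2
    return {"threat_actor": ta, "vulnerability": vu, "likelihood": likelihood,
            "technical_impact": ti, "safety_impact": si, "consequence": consequence,
            "overall": SEVERITY[(level(likelihood), level(consequence))]}

# Constructed sample: remote vendor access without MFA (Access 6) to a device whose
# flaw has a public exploit (Awareness 8) and is only locally logged (Detection 8).
SAMPLE = {"skill_level": 5, "motive": 6, "opportunity": 5, "access": 6,
          "ease_of_discovery": 6, "ease_of_exploit": 6, "awareness": 8, "intrusion_detection": 8,
          "loss_of_confidentiality": 4, "loss_of_integrity": 8, "loss_of_availability": 7,
          "loss_of_accountability": 7, "environment_damage": 2, "process_damage": 6,
          "safety_equipment": 1, "recoverability": 4}

if __name__ == "__main__":
    for field, value in star_score(SAMPLE).items():
        print(f"{field}: {value}")
```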