Traditional Approaches to Risk Assessment Fall Short

As the complexity of Operational Technology (OT) environments continues to grow, the shortcomings of traditional risk assessments become increasingly evident. Relying on generic, IT-centric sources such as the National Vulnerability Database (NVD) and Common Vulnerability Scoring System (CVSS) base scores is insufficient for prioritizing the vulnerabilities and intricacies inherent to OT, leading many organizations to inefficient resource allocation and increased risk.

From Client Challenge to Actionable Solution

During cybersecurity strategy consultations with a large food manufacturing client, the limitations of conventional risk assessments became evident as the client faced challenges in setting priorities for their intricate OT environment. As a result, they expressed a need for a more customized risk assessment approach that would deliver a detailed understanding of their vulnerabilities while optimizing resource allocation.

This clear call for a more granular approach inspired our innovation of a more advanced technique for risk assessment: the Calculated Risk Rating (CRR).

Impact: A Deep Dive into CRR’s Calculated Property

To address the client’s concerns, we started from a fundamental cybersecurity principle: risk is the product of impact and likelihood. Building on this formula, we created an initial calculated property that maps out the potential impact of each asset in the client’s OT landscape.

Risk Assessment & Impact Prioritization: The first step is a thorough risk assessment to identify various levels of impact. We categorized them into three primary buckets:

1. Site Impact: How would the organization be affected if this site were compromised or went down?

2. Network Impact: What would be the ramifications if this network were to fail?

3. Hardware Type Impact: What is the impact level if a specific type of hardware, like a server or control system, goes down?

Scale Utilization: Each impact category is rated from 1-3 or 1-5. This quantification turns abstract levels of impact into concrete, actionable data.

Input into Calculated Property: These rated impacts are fed into the Calculated Impact Rating (CIR) property to produce an aggregated, comprehensive risk profile for each asset.

Resultant CIR Property

CIR by Asset: Every asset in the client’s organization receives an individual impact rating, specifying how its absence or compromise would impact the entire enterprise.

CIR by Vulnerability: This data can be further visualized through a pie chart that breaks down the impact level of each asset against its corresponding vulnerabilities, offering an easily digestible view of the risk landscape.

Likelihood: Exploit Prediction Scoring System (EPSS)

We integrated data from the Exploit Prediction Scoring System (EPSS) to make our risk assessment even more robust. This system ingests information from MITRE CVEs (Common Vulnerabilities and Exposures) and CVSS base scores and further refines it by adding context items like real-world evidence of exploitation. EPSS produces a probability score ranging from 0-1 (or 0%-100%), quantifying the likelihood of a vulnerability being exploited within the next 30 days.

[Figure: Exploit Prediction Scoring System]

The Ultimate Risk Heat Map: CIR and EPSS

We created a nuanced risk heat map matrix by incorporating the EPSS data into our CRR framework. This heat map uses the calculated CIR impact ratings and the EPSS probability scores to pinpoint areas of significant concern. Assets with a ‘Critical’ or ‘High’ CIR rating and high EPSS percentages are flagged as areas that demand immediate attention.
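The steps above (three impact categories on a 1-3 or 1-5 scale, aggregated into a CIR per asset, then combined with an EPSS probability to place each vulnerability on a heat map) can be shown end to end in code. The following is an added illustration, not Verve's implementation: the post does not state how the three ratings are aggregated or where the band cut-offs sit, so the weighted-mean rule, the Critical/High/Medium/Low and Low/Medium/High thresholds, the asset names, the CVE-EXAMPLE identifiers and the EPSS values are all assumptions or constructed sample data.

```python
"""Calculated Impact Rating (CIR) and Calculated Risk Rating (CRR) worked example.

Added illustration, not Verve's code. The aggregation rule (weighted mean of
normalised ratings), the band thresholds and all sample data are assumptions;
the post only states that the three impact ratings are aggregated and then
combined with EPSS on a heat map.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# The three impact categories named in the post, each rated 1-3 or 1-5.
CATEGORIES = ("site", "network", "hardware")

# Assumed relative weights: site outranks network outranks hardware type.
DEFAULT_WEIGHTS = {"site": 0.5, "network": 0.3, "hardware": 0.2}


def normalise(rating: int, scale: int) -> float:
    """Map a 1..scale rating onto 0.0..1.0 and reject out-of-range input."""
    if scale not in (3, 5):
        raise ValueError("scale must be 3 or 5")
    if not 1 <= rating <= scale:
        raise ValueError(f"rating {rating} outside 1..{scale}")
    return (rating - 1) / (scale - 1)


def calculated_impact_rating(ratings: Dict[str, int], scale: int = 5,
                             weights: Dict[str, float] = DEFAULT_WEIGHTS) -> float:
    """CIR score in 0..1: weighted mean of the normalised category ratings (assumed rule)."""
    missing = set(CATEGORIES) - set(ratings)
    if missing:
        raise ValueError(f"missing impact ratings: {sorted(missing)}")
    total = sum(weights[c] for c in CATEGORIES)
    score = sum(weights[c] * normalise(ratings[c], scale) for c in CATEGORIES) / total
    return round(score, 3)


def impact_band(cir: float) -> str:
    """Bucket a CIR score into the heat-map rows (assumed cut-offs)."""
    if cir >= 0.75:
        return "Critical"
    if cir >= 0.5:
        return "High"
    if cir >= 0.25:
        return "Medium"
    return "Low"


def likelihood_band(epss: float) -> str:
    """Bucket an EPSS probability (0..1, i.e. 0%-100%) into heat-map columns (assumed cut-offs)."""
    if not 0.0 <= epss <= 1.0:
        raise ValueError("EPSS must be a probability in 0..1")
    if epss >= 0.3:
        return "High"
    if epss >= 0.05:
        return "Medium"
    return "Low"


@dataclass
class Finding:
    asset: str
    cve: str
    epss: float
    cir: float

    @property
    def crr(self) -> float:
        """Risk = impact x likelihood, the principle the post starts from."""
        return round(self.cir * self.epss, 4)

    @property
    def cell(self) -> Tuple[str, str]:
        """(impact band, likelihood band): the heat-map cell this finding lands in."""
        return impact_band(self.cir), likelihood_band(self.epss)

    @property
    def immediate(self) -> bool:
        """The post's flag: Critical/High CIR combined with a high EPSS score."""
        imp, lik = self.cell
        return imp in ("Critical", "High") and lik == "High"


def prioritise(assets: Dict[str, Dict[str, int]],
               vulns: List[Tuple[str, str, float]], scale: int = 5) -> List[Finding]:
    """Score every (asset, CVE id, EPSS) tuple and sort by CRR, highest first."""
    cirs = {name: calculated_impact_rating(r, scale) for name, r in assets.items()}
    findings = [Finding(a, cve, epss, cirs[a]) for a, cve, epss in vulns]
    return sorted(findings, key=lambda f: f.crr, reverse=True)


# Constructed sample data: three assets rated 1-5 per category, and
# placeholder CVE ids with made-up EPSS probabilities.
SAMPLE_ASSETS = {
    "plc-line1": {"site": 5, "network": 5, "hardware": 4},
    "hist-srv": {"site": 5, "network": 3, "hardware": 3},
    "eng-ws": {"site": 2, "network": 2, "hardware": 1},
}
SAMPLE_VULNS = [
    ("plc-line1", "CVE-EXAMPLE-0001", 0.02),
    ("hist-srv", "CVE-EXAMPLE-0002", 0.65),
    ("eng-ws", "CVE-EXAMPLE-0003", 0.90),
]

if __name__ == "__main__":
    for f in prioritise(SAMPLE_ASSETS, SAMPLE_VULNS):
        flag = "IMMEDIATE" if f.immediate else ""
        print(f"{f.asset:10} {f.cve:18} CIR={f.cir:.2f} EPSS={f.epss:.2f} "
              f"CRR={f.crr:.4f} cell={f.cell} {flag}")
```

Running the sample shows why the combination matters: the PLC has the highest CIR but a negligible EPSS, so it ranks last; the historian server with a Critical CIR and a 65% EPSS is the only finding flagged for immediate attention; and the engineering workstation, despite a 90% EPSS, stays in a low-impact row. Any asset missing one of the three ratings, or rated outside its scale, is rejected rather than silently scored.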

[Figure: CRR heat map]

Evolving Towards Tailored Cybersecurity in OT Environments

Navigating the complexities of Operational Technology (OT) requires an approach to cybersecurity that evolves in tandem with the ever-changing threat landscape. With our Calculated Impact Rating (CIR) and its seamless integration with the Exploit Prediction Scoring System (EPSS) to create a Calculated Risk Rating (CRR), we are making strides toward a tailored, data-driven model of risk assessment that transcends the limitations of traditional methods like the National Vulnerability Database (NVD) and the Common Vulnerability Scoring System (CVSS).

While the system is still in its developmental phase, the initial feedback has been overwhelmingly positive. Our client now has a more nuanced, actionable understanding of their specific vulnerabilities and the potential impacts within their OT environment, making it easier to prioritize resources and responses with high precision.

This groundbreaking work represents more than just a technological leap forward; it also exemplifies Verve’s dedication to client-centered service. We understand the subtleties and problems unique to OT environments and are driven to create technologies that exceed client expectations.

As we move forward, we are encouraged by the potential of this new approach to risk assessment. In addition to helping businesses keep up with cybersecurity threats, we hope to give them the analytical tools necessary to be more proactive in identifying and responding to vulnerabilities, thereby ensuring a safer, more efficient, and secure operational future.
