OTRSC - OT Risk Severity Calculator v2.0

🚨 1. Safety & Consequence Impact

Weight: 30%

0.0

None

Score: 0

No safety impact

Minor

Score: 2.5

Minimal safety concern

Moderate

Score: 5

Equipment damage possible

Significant

Score: 7.5

Injury or environmental damage

Catastrophic

Score: 10

Loss of life or major disaster

🔧 2. Technical Vulnerability (Exploitability)

Weight: 15%

0.0

Note: This dimension measures exploitability only (how easy to exploit). Impact (CIA) is assessed separately in the AIC Impact dimension below.

Paste CVSS vector string from your vulnerability scanner. The calculator will extract only the exploitability metrics (AV, AC, PR, UI, S) and ignore CIA impact metrics.

CVSS Vector String:

🏭 3. Asset Criticality & Role

Weight: 20%

0.0

Support/Admin

Score: 2

Engineering workstation, dev system

Monitoring

Score: 5

HMI, historian, data collection

Production Control

Score: 7.5

Production PLC, SCADA master

Safety System

Score: 10

SIS, ESD, fire & gas, safety PLC

🔐 4. AIC Impact (Availability, Integrity, Confidentiality)

Weight: 20%

0.0

Note: Assess the actual operational impact in YOUR OT environment. This overrides the IT-centric CIA assumptions in CVSS. In OT, Availability typically matters most (opposite of IT's CIA priority). Consider: network isolation, asset role, redundancy, and real operational consequences.

Availability Impact:

None

Score: 0

No availability impact

Low

Score: 3.33

Minor performance degradation

Moderate

Score: 6.67

Significant downtime or disruption

High

Score: 10

Total loss of availability/shutdown

Integrity Impact:

None

Score: 0

No integrity impact

Low

Score: 3.33

Limited data/control modification

Moderate

Score: 6.67

Process control manipulation

High

Score: 10

Full system compromise

Confidentiality Impact:

None

Score: 0

No confidentiality impact

Low

Score: 3.33

Limited data exposure

Moderate

Score: 6.67

Sensitive operational data leaked

High

Score: 10

Complete data breach/IP theft

🛡️ 5. Environmental Context & Compensating Controls

Weight: 10%

0.0

No Protection

Score: 10

Internet-facing, no segmentation

Basic Protection

Score: 7.5

Minimal firewall, flat network

Moderate Protection

Score: 5

Network segmentation, basic monitoring

Good Protection

Score: 2.5

Defense in depth, IDS/IPS, monitoring

Strong Protection

Score: 0

Air-gapped, physical security

🎯 6. Threat Intelligence & Exploitability

Weight: 5%

0.0

Theoretical

Score: 0

No known exploit, theoretical only

PoC Exists

Score: 3.33

Proof of concept published

Public Exploit

Score: 6.67

Working exploit publicly available

Active Exploitation

Score: 10

Active exploitation in the wild/CISA KEV

🛡️ OT Risk Severity Calculator

📋 Asset Information

⚠️ CRITICAL SAFETY IMPACT DETECTED

🚨 1. Safety & Consequence Impact

🔧 2. Technical Vulnerability (Exploitability)

Attack Vector (AV):

Attack Complexity (AC):

Privileges Required (PR):

User Interaction (UI):

Scope (S):

🏭 3. Asset Criticality & Role

🔐 4. AIC Impact (Availability, Integrity, Confidentiality)

Availability Impact:

Integrity Impact:

Confidentiality Impact:

🛡️ 5. Environmental Context & Compensating Controls

🎯 6. Threat Intelligence & Exploitability

📊 OTRSC Assessment Results

Safety & Consequence

Technical Vulnerability

Asset Criticality

AIC Impact

Environment & Controls

Threat Intelligence

Final OTRSC Score

🎯 Recommended Actions: