Quantitative Scoring for OT Incidents: The Richter Scale Model
The cybersecurity industry has long struggled to communicate the severity of Operational Technology (OT) incidents to non-technical stakeholders. The Common Vulnerability Scoring System (CVSS) scores the exploitability and technical impact of a software vulnerability on the affected component; it says nothing about the kinetic consequences of a cyber-physical attack, such as a ruptured pipeline or a tripped safety system. To address this gap, industry experts have proposed a magnitude-based scoring system analogous to the Richter scale used in seismology, as reported by Dark Reading.
The Evolution of OT Risk Assessment
Traditional incident response frameworks prioritize data confidentiality, integrity, and availability (the CIA triad). However, in industrial environments, the priority shifts toward safety, reliability, and productivity (the SRP triad). When a programmable logic controller (PLC) or human-machine interface (HMI) is compromised, the primary concern is not data theft, but rather the potential for physical destruction, environmental contamination, or loss of life.
The proposed “Cyber-Physical Event Magnitude Scale” seeks to standardize how these impacts are recorded. By moving away from qualitative labels like “critical” or “high”—which are often subjective and vary between organizations—the model provides a quantitative foundation for measuring the total impact of an event. This allows stakeholders to compare disparate incidents across different sectors using a unified mathematical language.
Technical Components of the Magnitude Scale
The scale is logarithmic: each whole-number step represents a tenfold increase in the impact of the incident, so a magnitude 5 event is ten times larger than a magnitude 4 event and a hundred times larger than a magnitude 3 event. This compresses everything from a minor sensor malfunction to a catastrophic infrastructure failure into one framework, at the cost that differences between small events look tiny on the scale and the score should be read as an order of magnitude rather than a precise measurement.
Quantifying Physical Consequences
The model evaluates several key domains of physical impact to determine the final score:
- Safety and Human Life: Incidents are rated based on the potential for injury or fatalities among plant personnel or the surrounding community.
- Environmental Impact: This includes the release of hazardous materials, contamination of water supplies, or long-term ecological damage.
- Production and Economic Loss: Quantitative measures of downtime, equipment damage, and the financial cost of restoring operations.
Assessing Technical Sophistication
Beyond physical consequences, the scale records the technical reach and sophistication of the threat actor: the number of targeted systems, the persistence of the malware (for example, firmware-level persistence versus user-land execution), and the degree of automation used to pivot from the IT network into the OT network. By weighing technical depth against physical outcome, the model distinguishes a simple script-based disruption from an advanced, state-sponsored kinetic attack, even where the two happen to produce a similar physical result.
Strategic Implications for Defenders
For security operations centers (SOCs) and incident response teams, this model provides a clearer roadmap for triage. By assigning a magnitude to an ongoing event, defenders can allocate resources more accurately and communicate urgency to executive leadership without relying on hyperbolic language. The score is only as good as the consequence estimates available at the time, so it should be treated as a working value and revised as the physical impact of the event becomes clearer.
Insurance and Underwriting
The insurance industry stands to benefit significantly from a standardized OT magnitude scale. Currently, underwriting cyber-physical risks is difficult due to a lack of historical data and consistent terminology. A magnitude-based scale for OT allows for more precise actuarial modeling and risk pricing. Similarly, regulators can use this scale to mandate reporting thresholds for critical infrastructure providers, ensuring that only incidents of a certain magnitude trigger national-level responses.
Shifting to Consequence-Based Defense
The adoption of this model encourages organizations to move toward consequence-based hardening. Rather than attempting to patch every vulnerability, teams can identify the systems that, if compromised, would result in the highest magnitude score. This enables a more surgical approach to network segmentation, hardware root-of-trust implementation, and out-of-band monitoring for high-consequence assets. This methodology prioritizes the stability of the physical process above all other metrics.
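The page describes the scale qualitatively and gives no formula, so the following is an added illustration, not the scale's published definition. It assumes a log10 magnitude relative to a per-domain floor, that the worst domain dominates the single number (as a seismic magnitude collapses many readings into one figure), and that sophistication is recorded alongside the magnitude rather than folded into it. The same ranking routine then orders hypothetical worst-case scenarios per asset, which is the consequence-based prioritization described above. All incidents, floors and asset scenarios are constructed for the example.

```python
"""Hypothetical log10 cyber-physical magnitude scale (added example).

The page does not publish a formula; the floors, the max-across-domains
rule and the sophistication tiebreak below are assumptions.
"""
from __future__ import annotations

import math
from dataclasses import dataclass

# Assumed "unit impact" per domain: the consequence that maps to magnitude 0.
# Every factor of ten above the floor adds one magnitude point.
DOMAIN_FLOOR = {
    "safety": 1.0,          # assumed unit: one recordable injury-equivalent
    "environmental": 1.0,   # assumed unit: one tonne-equivalent released
    "economic": 10_000.0,   # assumed unit: USD 10k of downtime plus repair
}


@dataclass(frozen=True)
class Incident:
    """Either a live event or a worst-credible scenario for one asset."""
    name: str
    safety: float = 0.0          # injury-equivalents
    environmental: float = 0.0   # tonne-equivalents released
    economic: float = 0.0        # USD
    persistence: str = "userland"  # "userland" or "firmware"
    systems_hit: int = 1


def domain_magnitude(value: float, floor: float) -> float:
    """log10 of impact relative to the domain floor, clamped at zero."""
    if value <= 0:
        return 0.0
    return max(0.0, math.log10(value / floor))


def magnitude(inc: Incident) -> float:
    """Single number: the worst domain dominates."""
    return max(
        domain_magnitude(inc.safety, DOMAIN_FLOOR["safety"]),
        domain_magnitude(inc.environmental, DOMAIN_FLOOR["environmental"]),
        domain_magnitude(inc.economic, DOMAIN_FLOOR["economic"]),
    )


def sophistication(inc: Incident) -> int:
    """Assumed ordinal: firmware persistence and multi-system reach each add 1."""
    return 1 + int(inc.persistence == "firmware") + int(inc.systems_hit > 1)


def impact_ratio(a: Incident, b: Incident) -> float:
    """How many times larger a is than b, recovered from the log scale."""
    return 10 ** (magnitude(a) - magnitude(b))


def triage(incidents: list[Incident]) -> list[tuple[str, float, int]]:
    """Rank by magnitude (desc), then sophistication (desc).

    Works for live events (SOC triage) and for per-asset worst-case
    scenarios (consequence-based hardening order).
    """
    ranked = sorted(
        incidents, key=lambda i: (-magnitude(i), -sophistication(i), i.name)
    )
    return [(i.name, round(magnitude(i), 2), sophistication(i)) for i in ranked]


# Constructed sample incidents (not real events).
SAMPLE = [
    Incident("hmi-ransomware", economic=1_000_000),
    Incident("plc-logic-change", safety=3, economic=50_000,
             persistence="firmware", systems_hit=4),
    Incident("tank-overflow", environmental=1_000, economic=2_000_000),
]

# Constructed worst-credible scenarios per asset, used to decide which
# assets get segmentation, root-of-trust and out-of-band monitoring first.
ASSET_SCENARIOS = [
    Incident("historian", economic=200_000),
    Incident("safety-plc", safety=50, environmental=100,
             persistence="firmware"),
    Incident("boiler-controller", environmental=1_000, economic=500_000),
]


if __name__ == "__main__":
    for row in triage(SAMPLE):
        print("incident", row)
    for row in triage(ASSET_SCENARIOS):
        print("asset", row)
    print("tank-overflow vs hmi-ransomware:",
          impact_ratio(SAMPLE[2], SAMPLE[0]))
```

The ratio function is what makes the scale useful in a briefing: "ten times the impact of last quarter's event" is defensible in a way that "critical versus high" is not. In the asset ranking, the safety PLC wins on the safety domain alone even though its economic figure is zero, which is the intended behaviour of a worst-domain-dominates rule.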