A new scoring system called the Operational Technology Incident (OTI) Impact Score has been developed to measure the severity of cybersecurity events in industrial control and operational technology environments. Modeled after the Richter Scale, it rates incidents based on their severity, geographic reach, and duration to provide a clear, standardized assessment of business impact. The tool aims to help executives, insurers, and the media better understand and respond to OT cyber incidents, which are often mischaracterized. The score will be determined by vetted industry volunteers through an online portal shortly after an event occurs.
'Richter Scale' Model Measures Magnitude of OT Cyber Incidents
ICS/OT experts have devised a scoring system for rating the severity and effects of cybersecurity events in operational technology environments.
S4x26, MIAMI — Feb. 24, 2026 — A newly developed method for gauging the impact of an OT cybersecurity incident could pave the way for more accurate measurement and response to an event, and also shine light on risk and business ramifications.
The Operational Technology Incident (OTI) Impact Score — which will be unveiled today at the ICS/OT industry's S4x26 Conference in Miami — aims to provide rapid clarity on the actual effects of OT cyber incidents, which often get over- or under-hyped, according to Dale Peterson, co-creator of the OTI model and head of ICS/OT consulting and research firm Digital Bond.
The OTI model, inspired by the Richter Scale used for measuring earthquake intensity and impact, is meant for OT business executives, governments, cyber insurers, the media, and the general public, according to Peterson, who is the founder and program chair of S4.
"The problem is that politicians, business owners, the media, and the general public don't understand the impact in an OT attack," Peterson explains. "They either have the belief that it's much more serious than it is [or], on the flip side, there's one [event] that's really serious but gets no attention."
A standard way to rate an OT cyber incident will help ensure that appropriate response and resources are applied to the attack, such as ICS and physical response teams, and cyber-insurance claims investigations, according to OTI organizers.
Hollie Hennessy, principal analyst at Omdia, says the OTI score could be helpful for decision-makers in OT. She points to Omdia data showing that some 45% of decisionmakers for OT security actually work in an pure OT role, while the rest are "IT, infrastructure, network engineering, application engineers, technology managers," in industrial organizations, she says.
While serious OT cyberattacks remain rare, she says, Omdia research shows that, during the past 12 months, some 30% to 40% of organizations have suffered a cyber-incident related to OT or IoT systems.
OTI Impact Score Formula for Cybersecurity Incidents
The concept for a cyber-incident scoring mechanism was first raised in a session at last year's S4 Conference by Munish Walther-Puri, principal and head of critical infrastructure at TPO Group and a member of the faculty at IANS Research. Walther-Puri and Peterson teamed up over the past few months to create the scoring system, which focuses on three criteria: severity (from minor disruption to catastrophic destruction), reach (geographic spread), and duration (length of time) of the incident.
The OTI score defines an "OT cybersecurity incident" as one where the OT system is unable to operate normally, whether or not the attack directly touched the industrial network. That's an important distinction, because most cyber incidents do not actually reach the OT network itself: they involve the organization's IT network, which then in turn disrupts an industrial organization's operation. For example, if a manufacturer's inventory system on its IT network gets infected with ransomware and is knocked offline (as was the case for Clorox in 2023), it can cause ripple effects on the manufacturing and shipment of the company's products.
Volunteers vetted from the ICS/OT industry will score OT cyber events via an OTI online scoring portal, with the goal of issuing the assessment within 12 hours at most. Each of the three areas (severity, reach, and duration) is scored independently, and the resulting numbers for each are multiplied together and divided by 100 for the resulting OTI Impact Score.
Here's how the OTI Impact Scores are defined:
Source: OTI Impact Score
Industry experts say the OTI would help shift the conversation to the business impact of an OT incident, a key element that often gets lost in the fog of the event reporting. When an industrial organization suffers a cyberattack, there is often confusion or debate over whether it should be considered a pure OT incident, especially if the attack didn't reach the OT network, says Sarah Fluchs, chief technology officer (CTO) of OT cybersecurity consultancy Admeritia.
"In the end, it doesn't really matter if it was an incident targeted at OT" or not, Fluchs says. "What matters is the impact on the company, on the business, or on the population — and that's what we should be talking about. Not if it's an IT, OT, or whatever incident."
There also are cases where a publicized OT incident gets spotted and stopped in its tracks, but still gets negative attention. "It's often so unfair to operators because, in the end, they prevented it and nothing happened," she says.
Colonial Pipeline Cyberattack Scores High
To illustrate how the OTI Impact Score would apply to a previously reported OT cyber incident, the creators of the methodology calculated scores for the infamous 2021 Colonial Pipeline cyberattack, when a ransomware attack on the company's IT network forced the company to halt pipeline delivery operations, leading to a state of emergency in the US East Coast due to fuel shortages.
Colonial Pipeline received an OTI Impact Score of 3.9 for "high impact." The attack scored an 8 for severity due to gasoline delivery disruption and jet fuel supply shortages; a 7 for reach, given that a third of the U.S. population was affected; and a 7 for duration, because the company suffered six days of downtime and took nine days to fully restore pipeline delivery operations.
At the other extreme was the cyberattack on a water utility in Muleshoe, Tex., in 2024 that resulted in a single water system tank overflowing for 30 to 45 minutes after attackers broke into the industrial control system via a remote login application. Muleshoe got a 0.0 score from the OTI organizers; a severity score of 1 since potable water was safely delivered; a reach score of 1 since only a single water system at the utility was affected in the town of 5,000 residents; and a duration score of 1 because the operators shut off the hacked system and pivoted to manual operations once they spotted the water overflow.
But it remains to be seen whether the OTI Score can officially land as the gold standard for characterizing the impact of an OT cybersecurity incident. The organizers are hoping to gain traction with support from OT industry organizations and possibly government entities, such as the US Cybersecurity and Infrastructure Security Agency (CISA).
There may be incentive for regulatory and standards bodies, according to Omdia's Hennessy. "These bodies are often looking for industry involvement. Having something like this adopted can help with creating a baseline of understanding across multiple regions — reducing friction, fragmentation, and complexity across guidance and mandates," she says.
Even so, there are still questions over how the OTI Impact Score would work in a real-world incident. It's unclear, according to Fluchs, how the OTI could be used to measure fallout such as damage to a victim organization's reputation: "And when is a cyber incident done? When are you finished measuring it?"
Meridiano
.jpg?width=1280&auto=webp&quality=80&disable=upscale)