A newly developed methodology for gauging the impact of operational technology (OT) security incidents aims to improve how the industry measures and responds to events. The Operational Technology Incident (OTI) Impact Score, unveiled at the S4x26 Conference in Miami, provides a framework to clarify risk and business ramifications.
Co-created by Dale Peterson of Digital Bond and Munish Walther-Puri of TPO Group, the OTI model offers a standardized way to evaluate incidents that are often difficult to contextualize. Peterson notes that stakeholders, including executives, government officials, and the public, often lack a consistent method for understanding the true magnitude of an OT event. This can lead to misperceptions where minor events are overstated or serious systemic risks are overlooked.
The OTI Impact Score Methodology
The OTI model draws inspiration from the Richter Scale used in seismology. It is designed to serve business executives, insurers, and public sector leaders by converting complex technical data into a clear impact rating.
The scoring system relies on vetted industry volunteers who assess events via an online portal, with a target of issuing a verified score within 12 hours of an incident. The score is calculated using three independent criteria:
Severity: The intensity of the disruption, ranging from minor operational variance to catastrophic destruction.
Reach: The geographic spread or population affected.
Duration: The length of time operations are impaired.
These three values are multiplied together and divided by 100 to produce the final OTI Impact Score.
Organizers state that a standardized rating system will ensure that response efforts, such as physical response teams and insurance investigations, are proportional to the actual event. Hollie Hennessy, principal analyst at Omdia, suggests the score will support decision-makers who manage industrial environments. Omdia data indicates that roughly 45% of OT security decision-makers work in dedicated OT roles, while the remainder operate within IT, infrastructure, or engineering functions.
While severe OT incidents occur less frequently than general IT security events, Omdia research shows that 30% to 40% of organizations experienced a security incident related to OT or IoT systems in the past 12 months.
Defining an OT Incident
The OTI score classifies an "OT cybersecurity incident" based on operational outcome rather than the technical entry point. If a system is unable to operate normally, it is counted as an incident, even if the unauthorized access occurred on the IT network.
This distinction is critical for accurate risk assessment. Many significant disruptions begin in corporate IT environments but ripple into industrial operations. For example, the 2023 security incident at Clorox affected IT inventory systems, which subsequently disrupted manufacturing and product shipment.
Sarah Fluchs, CTO of Admeritia, notes that this approach shifts the focus to business continuity. She argues that the distinction between IT and OT vectors is less important than the impact on the company and the population it serves. This perspective also protects operators from unfair scrutiny in cases where a detected threat is successfully contained before it causes damage.
Retrospective Analysis of Major Incidents
To demonstrate the model's utility, the creators applied the OTI Impact Score to historical events.
The 2021 Colonial Pipeline incident, which involved ransomware affecting the company's IT network, resulted in a halt to pipeline delivery operations. The OTI model assigns this event a score of 3.9 (High Impact).
Severity (8): Significant disruption to gasoline and jet fuel supply.
Reach (7): Affected approximately one-third of the U.S. population.
Duration (7): Operations were down for six days, with full restoration taking nine days.
In contrast, the 2024 unauthorized access to a water utility in Muleshoe, Texas, received a score of 0.0.
Severity (1): Potable water delivery remained safe.
Reach (1): Only a single water system tank overflowed in a town of 5,000 residents.
Duration (1): Operators identified the anomaly (a tank overflow caused by remote access manipulation) and quickly pivoted to manual operations.
Adoption and Future Development
The organizers aim to establish the OTI Score as a standard reference for the industry, seeking support from OT organizations and government bodies such as the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
Adopting a shared baseline could reduce fragmentation across regulatory regions. However, questions remain regarding how the model captures intangible impacts. Fluchs points out that the current formula does not account for reputational damage or the long-tail effects of an investigation. As the model evolves, the industry will determine if it can serve as a comprehensive standard for characterizing OT security risks.