Industrial
Operational Resilience
Operational Technology
Risk Management

Nexus Podcast: Munish Walther-Puri on Developing a Scale for OT Cybersecurity Incidents

Michael Mimoso
/
Feb 20, 2025

Subscribe and listen to the Nexus podcast on your favorite platform.

Munish Walther-Puri has extensive experience measuring and mitigating risk on large scales, in particular during a career stop four years ago as the Director of Cyber Risk for the City of New York Cyber Command. 

At the recent S4 Conference, Walther-Puri unveiled a first pass at a homegrown scale for measuring the severity of operational technology (OT) cybersecurity incidents, which he hopes will fill a metrics gap that accounts for the impact, magnitude, and duration of OT events. On the latest episode of the Nexus Podcast, he dives deeply into the Infrastructure Cyber Incident Scale (INCI). 

INCI draws from the Richter Scale and other tools used to measure natural disasters, covering not only earthquakes but also hurricanes and volcanic eruptions. Its aim is to present not only OT asset owners but also emergency response teams, public officials, and the media with an understandable scale, comparable to others they may be familiar with such as the Richter Scale, that paints a true picture of incident magnitude and the response preparations needed.

“Thinking about weather and other natural disasters got me thinking. When you’re in an incident, you don’t know how bad it is. It takes a while after to figure out how bad it actually was. Can we tell pretty close to the moment how big and how bad this is going to be,” he said. “That’s what drove me to this.”

Comparisons Put OT Incidents in Context

Walther-Puri’s thesis is that, as a society, we know that a 5.0 magnitude earthquake is much less severe than a 6.9 magnitude earthquake, or that a category 3 hurricane, while serious, is not as devastating as a category 5. And while there may be thousands of smaller impact earthquakes a year, we only hear about the few larger magnitude events a year. Similarly in cybersecurity, a typical organization may fend off thousands of network access attempts a day, but only major incidents reach the public depending on breadth and magnitude. This was the foundational approach for his scale. 

Therefore, in building a similar model for OT cybersecurity incidents, Walther-Puri concentrated on measuring:

  • The intensity of an incident, or the severity of an incident’s impact on operations and human lives.

  • The magnitude, which is focused on the breadth of an incident and how many are affected. “Are we affecting a single system, multiple systems, or all the way up to disrupting natural infrastructure or having a catastrophic impact on most or all of national infrastructure,” he asked during his presentation.

  • The duration of an incident, anywhere from a few days to years-long impacts.

(Courtesy: Munish Walther-Puri, S4 Presentation)

During his session, Walther-Puri unveiled INCI scores for nine high-profile incidents impacting OT and critical infrastructure. The 2017 NotPetya wiper attack targeting Ukraine’s software supply chain graded out as the highest impact incident, with the Oldsmar incident as the lowest. 

(Courtesy: Munish Walther-Puri, S4 Presentation)

Walther-Puri hopes that the scale will help response teams and public officials understand incidents as they compare to others. 

“There’s a dearth of major incidents. We do this as humans generally when something new happens. We have the heuristic of: ‘Does this fit something I already know?’” he said. “Those of us in the field of security and risk have refined that rubric of ‘Is this something I’ve seen before?’”

“That comparison allows people to put this in categories and figure out what tiering of response is needed,” he said. “This comes from tiering in emergency management. When you’re in that moment and you see or feel the blast, you know this is going to be bad.”

Michael Mimoso
Editorial Director

Michael Mimoso is Director of Influencer Marketing at Claroty and Editorial Director of Nexus.
