| BASE PARIMETERS |
|
|
|
| ReportConfidence = case ReportConfidence of |
|
| (RC) |
Unconfirmed |
0.3 |
|
Uncorroborated |
0.5 |
|
Confirmed |
1 |
|
Not defined |
1 |
|
|
|
| BaseConsequence = case BaseConsequence of |
|
| (BC) |
Information Exposure |
0.1 |
|
Data Manipulation |
0.3 |
|
Temporary Denial |
0.5 |
|
Sustained Denial or Loss |
0.7 |
|
Control |
1 |
|
|
|
| RemediationLevel = case RemediationLevel of |
|
| (RL) |
|
|
Official Fix |
0 |
|
Compensating Controls |
0.8 |
|
Unavailable |
1 |
|
Not defined |
1 |
|
|
|
| |
|
| BASE SEVERITY SCORE (BS): |
((RC+(BC*2)+RL)/4)*10 |
|
|
|
|
|
|
| |
|
| ExploitComplexity = case ExploitComplexity of |
|
| (EC) |
Low |
1 |
|
Moderate |
0.5 |
|
High |
0.2 |
|
|
|
| Exploitability = case Exploitability of |
|
|
| (EX) |
Unproven that exploit exists |
0.5 |
|
Proof of concept code |
0.8 |
|
Functional exploit exists |
1 |
|
Not defined |
1 |
|
|
|
| Authentication = case Authentication of |
|
| (AU) |
Admin/Root |
0.2 |
|
User |
0.6 |
|
None |
1 |
|
|
|
| |
| UserInteractionRequired = case UserInteractionRequired of |
| (UI) |
Yes |
0.3 |
|
No |
1 |
|
|
|
| |
|
| BASE EXPLOITABILITY SCORE (BEX): |
((EC+EX+AU+UI)/4)*10 |
|
|
|
| |
|
| AccessVector = case AccessVector of |
|
| (AV) |
Physical |
0.2 |
|
Local Host |
0.4 |
|
Local Network |
0.7 |
|
Remote |
1 |
|
|
|
| |
|
|
| ACCESSIBILITY: |
AV*10 |
|
|
|
|
| |
|
| TOTAL BASE SCORE: |
((BS+EX+(AV*2))/4) |
|
|
|
| |
| LOCAL ICS ENVIRONMENT |
|
|
|
| LocalAccessVector = case LocalAccessVector of |
|
| (LA) |
Physical Access Only |
0 |
|
Local Host Authenticated |
0.3 |
|
Local Network |
0.5 |
|
Adjacent or Remote Network |
1 |
|
|
|
| CommumicationPaths = case CommumicationPaths of |
| (CP) |
None |
0 |
|
Low (1) |
0.5 |
|
Medium (2-4) |
0.8 |
|
High (5+) |
1 |
|
|
|
| |
|
| ACCESSIBILITY (ACC): |
(((LA*2)+CP)/3)*10 |
|
|
|
| |
|
| VisibilityImpact = case VisibilityImpact of |
|
| (VI) |
None |
0 |
|
Partial |
0.5 |
|
Complete |
1 |
|
|
|
| MonitoringImpact = case MonitoringImpact of |
|
| (MI) |
None |
0 |
|
Partial |
0.5 |
|
Complete |
1 |
|
|
|
| ControlImpact = case ControlImpact of |
|
| (CI) |
None |
0 |
|
Partial |
0.5 |
|
Complete |
1 |
|
|
|
| |
| CascadingConsequences = case CascadingConsequences of |
| (CC) |
|
|
|
None |
0.7 |
|
Low (1) |
0.7 |
|
Medium (2-4) |
0.9 |
|
High (5+) |
1 |
|
|
|
| |
|
| CONSEQUENCES (CON): |
(((VI+MI+CI)/3)*(CC*10) |
|
|
|
| |
| CollateralDamagePotential = case CollateralDamagePotential of |
| (CD) |
None |
0.6 |
|
Low (light loss) |
0.6 |
|
Low-medium |
0.7 |
|
Medium-high |
0.9 |
|
High (Catastrophic loss) |
1 |
|
Not defined |
1 |
|
|
|
| ProductionImpact = case ProductionImpact of |
|
| (PI) |
None |
0 |
|
Low |
0.4 |
|
Medium |
0.7 |
|
High |
1 |
|
Not Defined |
1 |
|
|
|
| ReliabilityImpact = case ReliabilityImpact of |
|
| (RI) |
None |
0 |
|
Low |
0.3 |
|
Medium |
0.7 |
|
High |
1 |
|
Not Defined |
1 |
|
|
|
| SafetyImpact = case SafetyImpact of |
|
| (SI) |
None |
0 |
|
Low |
0.5 |
|
Medium |
0.8 |
|
High |
1 |
|
Not Defined |
1 |
|
|
|
| |
|
| IMPACT (IMP): |
(((PI*2)+RI+(SI*2))/5)*(CD*10) |
|
|
|
| |
|
|
| ADJUSTED ACCESSIBILITY (ADJACC): |
(AV+LA)/2 |
|
|
|
|
| ADJUSTED CRITICALITY (ADJCRIT): |
(BS+CON+(IMP*2))/4 |
|
|
|
| |
|
| FINAL SCORE: |
(ADJCRIT+BEX+(ADJACC*2))/4 |
