BASE PARAMETERS

ReportConfidence (RC) = case ReportConfidence of
    Unconfirmed       0.3
    Uncorroborated    0.5
    Confirmed         1
    Not defined       1

BaseConsequence (BC) = case BaseConsequence of
    Information Exposure        0.1
    Data Manipulation           0.3
    Temporary Denial            0.5
    Sustained Denial or Loss    0.7
    Control                     1

RemediationLevel (RL) = case RemediationLevel of
    Official Fix             0
    Compensating Controls    0.8
    Unavailable              1
    Not defined              1

BASE SEVERITY SCORE (BS): ((RC+(BC*2)+RL)/4)*10

ExploitComplexity (EC) = case ExploitComplexity of
    Low         1
    Moderate    0.5
    High        0.2

Exploitability (EX) = case Exploitability of
    Unproven that exploit exists    0.5
    Proof of concept code           0.8
    Functional exploit exists       1
    Not defined                     1

Authentication (AU) = case Authentication of
    Admin/Root    0.2
    User          0.6
    None          1

UserInteractionRequired (UI) = case UserInteractionRequired of
    Yes    0.3
    No     1

BASE EXPLOITABILITY SCORE (BEX): ((EC+EX+AU+UI)/4)*10

AccessVector (AV) = case AccessVector of
    Physical         0.2
    Local Host       0.4
    Local Network    0.7
    Remote           1

ACCESSIBILITY: AV*10

TOTAL BASE SCORE: ((BS+EX+(AV*2))/4)

LOCAL ICS ENVIRONMENT

LocalAccessVector (LA) = case LocalAccessVector of
    Physical Access Only          0
    Local Host Authenticated      0.3
    Local Network                 0.5
    Adjacent or Remote Network    1

CommunicationPaths (CP) = case CommunicationPaths of
    None            0
    Low (1)         0.5
    Medium (2-4)    0.8
    High (5+)       1

ACCESSIBILITY (ACC): (((LA*2)+CP)/3)*10

VisibilityImpact (VI) = case VisibilityImpact of
    None        0
    Partial     0.5
    Complete    1

MonitoringImpact (MI) = case MonitoringImpact of
    None        0
    Partial     0.5
    Complete    1

ControlImpact (CI) = case ControlImpact of
    None        0
    Partial     0.5
    Complete    1

CascadingConsequences (CC) = case CascadingConsequences of
    None            0.7
    Low (1)         0.7
    Medium (2-4)    0.9
    High (5+)       1

CONSEQUENCES (CON): ((VI+MI+CI)/3)*(CC*10)

CollateralDamagePotential (CD) = case CollateralDamagePotential of
    None                        0.6
    Low (light loss)            0.6
    Low-medium                  0.7
    Medium-high                 0.9
    High (Catastrophic loss)    1
    Not defined                 1

ProductionImpact (PI) = case ProductionImpact of
    None           0
    Low            0.4
    Medium         0.7
    High           1
    Not Defined    1

ReliabilityImpact (RI) = case ReliabilityImpact of
    None           0
    Low            0.3
    Medium         0.7
    High           1
    Not Defined    1

SafetyImpact (SI) = case SafetyImpact of
    None           0
    Low            0.5
    Medium         0.8
    High           1
    Not Defined    1

IMPACT (IMP): (((PI*2)+RI+(SI*2))/5)*(CD*10)

ADJUSTED ACCESSIBILITY (ADJACC): (AV+LA)/2

ADJUSTED CRITICALITY (ADJCRIT): (BS+CON+(IMP*2))/4

FINAL SCORE: (ADJCRIT+BEX+(ADJACC*2))/4
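
Worked example (added here, not part of the original page): the weight tables and formulas above applied exactly as written, chaining BS, BEX, CON, IMP, ADJACC and ADJCRIT into FINAL SCORE and evaluating the range FINAL SCORE can take under these weights. The names score, rate, final_range and SAMPLE are assumptions, the sample selection is constructed, and CP/ACC, ACCESSIBILITY and TOTAL BASE SCORE are left out because FINAL SCORE does not reference them.

```python
LEVEL3 = {"None": 0, "Partial": 0.5, "Complete": 1}
W = {  # weights copied from the page's tables, keyed by the page's abbreviations
    "RC": {"Unconfirmed": 0.3, "Uncorroborated": 0.5, "Confirmed": 1, "Not defined": 1},
    "BC": {"Information Exposure": 0.1, "Data Manipulation": 0.3, "Temporary Denial": 0.5,
           "Sustained Denial or Loss": 0.7, "Control": 1},
    "RL": {"Official Fix": 0, "Compensating Controls": 0.8, "Unavailable": 1, "Not defined": 1},
    "EC": {"Low": 1, "Moderate": 0.5, "High": 0.2},
    "EX": {"Unproven that exploit exists": 0.5, "Proof of concept code": 0.8,
           "Functional exploit exists": 1, "Not defined": 1},
    "AU": {"Admin/Root": 0.2, "User": 0.6, "None": 1},
    "UI": {"Yes": 0.3, "No": 1},
    "AV": {"Physical": 0.2, "Local Host": 0.4, "Local Network": 0.7, "Remote": 1},
    "LA": {"Physical Access Only": 0, "Local Host Authenticated": 0.3, "Local Network": 0.5,
           "Adjacent or Remote Network": 1},
    "VI": LEVEL3, "MI": LEVEL3, "CI": LEVEL3,
    "CC": {"None": 0.7, "Low (1)": 0.7, "Medium (2-4)": 0.9, "High (5+)": 1},
    "CD": {"None": 0.6, "Low (light loss)": 0.6, "Low-medium": 0.7, "Medium-high": 0.9,
           "High (Catastrophic loss)": 1, "Not defined": 1},
    "PI": {"None": 0, "Low": 0.4, "Medium": 0.7, "High": 1, "Not Defined": 1},
    "RI": {"None": 0, "Low": 0.3, "Medium": 0.7, "High": 1, "Not Defined": 1},
    "SI": {"None": 0, "Low": 0.5, "Medium": 0.8, "High": 1, "Not Defined": 1},
}

def score(w):
    """Apply the page's formulas, as written, to a dict of numeric weights."""
    bs = ((w["RC"] + (w["BC"] * 2) + w["RL"]) / 4) * 10
    bex = ((w["EC"] + w["EX"] + w["AU"] + w["UI"]) / 4) * 10
    con = ((w["VI"] + w["MI"] + w["CI"]) / 3) * (w["CC"] * 10)
    imp = (((w["PI"] * 2) + w["RI"] + (w["SI"] * 2)) / 5) * (w["CD"] * 10)
    adjacc = (w["AV"] + w["LA"]) / 2
    adjcrit = (bs + con + (imp * 2)) / 4
    final = (adjcrit + bex + (adjacc * 2)) / 4
    return dict(BS=bs, BEX=bex, CON=con, IMP=imp, ADJACC=adjacc, ADJCRIT=adjcrit, FINAL=final)

def rate(choices):
    """Look up each selected label; reject a missing or unknown selection."""
    if bad := [k for k in W if choices.get(k) not in W[k]]:
        raise ValueError(f"missing or unknown selection for: {bad}")
    return score({k: W[k][choices[k]] for k in W})

def final_range():
    """Each formula is non-decreasing in every weight, so the extremes bound FINAL."""
    return tuple(score({k: f(t.values()) for k, t in W.items()})["FINAL"] for f in (min, max))

SAMPLE = {  # constructed selection for a hypothetical finding, not from the page
    "RC": "Confirmed", "BC": "Temporary Denial", "RL": "Compensating Controls",
    "EC": "Moderate", "EX": "Proof of concept code", "AU": "User", "UI": "No",
    "AV": "Local Network", "LA": "Local Network", "VI": "Partial", "MI": "Partial",
    "CI": "Partial", "CC": "Medium (2-4)", "CD": "Medium-high", "PI": "Medium",
    "RI": "Medium", "SI": "Low"}
```

Calling rate(SAMPLE) returns every intermediate score alongside FINAL, and final_range() returns the lowest and highest FINAL SCORE these tables can produce.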