Repository layout:

```text
├── .gitignore
├── CNAME
├── CutSec_IACS-STAR_Methodology_20230916.pdf
├── README.md
├── config
│   └── default.yaml
├── custom
│   └── .gitignore
├── html
│   ├── iacs_star_calculator.html
│   ├── images
│   │   ├── istar_scoring_categories_20230721.jpg
│   │   └── istar_unmitigated_risk_categories_20230721.jpg
│   └── methodology.html
├── index.html
├── requirements.txt
├── scripts
│   └── generate_calculator.py
└── templates
    └── calculator_template.ctpl
```

---

/.gitignore:

```gitignore
## Ignore Visual Studio temporary files, build results, and
## files generated by popular Visual Studio add-ons.
##
## Get latest from https://github.com/github/gitignore/blob/main/VisualStudio.gitignore

# User-specific files
*.rsuser
*.suo
*.user
*.userosscache
*.sln.docstates

# User-specific files (MonoDevelop/Xamarin Studio)
*.userprefs

# Mono auto generated files
mono_crash.*

# Build results
[Dd]ebug/
[Dd]ebugPublic/
[Rr]elease/
[Rr]eleases/
x64/
x86/
[Ww][Ii][Nn]32/
[Aa][Rr][Mm]/
[Aa][Rr][Mm]64/
bld/
[Bb]in/
[Oo]bj/
[Ll]og/
[Ll]ogs/

# Visual Studio 2015/2017 cache/options directory
.vs/
# Uncomment if you have tasks that create the project's static files in wwwroot
#wwwroot/

# Visual Studio 2017 auto generated files
Generated\ Files/

# MSTest test Results
[Tt]est[Rr]esult*/
[Bb]uild[Ll]og.*

# NUnit
*.VisualState.xml
TestResult.xml
nunit-*.xml

# Build Results of an ATL Project
[Dd]ebugPS/
[Rr]eleasePS/
dlldata.c

# Benchmark Results
BenchmarkDotNet.Artifacts/

# .NET Core
project.lock.json
project.fragment.lock.json
artifacts/

# ASP.NET Scaffolding
ScaffoldingReadMe.txt

# StyleCop
StyleCopReport.xml

# Files built by Visual Studio
*_i.c
*_p.c
*_h.h
*.ilk
*.meta
*.obj
*.iobj
*.pch
*.pdb
*.ipdb
*.pgc
*.pgd
*.rsp
*.sbr
*.tlb
*.tli
*.tlh
*.tmp
*.tmp_proj
*_wpftmp.csproj
*.log
*.tlog
*.vspscc
*.vssscc
.builds
*.pidb
*.svclog
*.scc

# Chutzpah Test files
_Chutzpah*

# Visual C++ cache files
ipch/
*.aps
*.ncb
*.opendb
*.opensdf
*.sdf
*.cachefile
*.VC.db
*.VC.VC.opendb

# Visual Studio profiler
*.psess
*.vsp
*.vspx
*.sap

# Visual Studio Trace Files
*.e2e

# TFS 2012 Local Workspace
$tf/

# Guidance Automation Toolkit
*.gpState

# ReSharper is a .NET coding add-in
_ReSharper*/
*.[Rr]e[Ss]harper
*.DotSettings.user

# TeamCity is a build add-in
_TeamCity*

# DotCover is a Code Coverage Tool
*.dotCover

# AxoCover is a Code Coverage Tool
.axoCover/*
!.axoCover/settings.json

# Coverlet is a free, cross platform Code Coverage Tool
coverage*.json
coverage*.xml
coverage*.info

# Visual Studio code coverage results
*.coverage
*.coveragexml

# NCrunch
_NCrunch_*
.*crunch*.local.xml
nCrunchTemp_*

# MightyMoose
*.mm.*
AutoTest.Net/

# Web workbench (sass)
.sass-cache/

# Installshield output folder
[Ee]xpress/

# DocProject is a documentation generator add-in
DocProject/buildhelp/
DocProject/Help/*.HxT
DocProject/Help/*.HxC
DocProject/Help/*.hhc
DocProject/Help/*.hhk
DocProject/Help/*.hhp
DocProject/Help/Html2
DocProject/Help/html

# Click-Once directory
publish/

# Publish Web Output
*.[Pp]ublish.xml
*.azurePubxml
# Note: Comment the next line if you want to checkin your web deploy settings,
# but database connection strings (with potential passwords) will be unencrypted
*.pubxml
*.publishproj

# Microsoft Azure Web App publish settings. Comment the next line if you want to
# checkin your Azure Web App publish settings, but sensitive information contained
# in these scripts will be unencrypted
PublishScripts/

# NuGet Packages
*.nupkg
# NuGet Symbol Packages
*.snupkg
# The packages folder can be ignored because of Package Restore
**/[Pp]ackages/*
# except build/, which is used as an MSBuild target.
!**/[Pp]ackages/build/
# Uncomment if necessary however generally it will be regenerated when needed
#!**/[Pp]ackages/repositories.config
# NuGet v3's project.json files produces more ignorable files
*.nuget.props
*.nuget.targets

# Microsoft Azure Build Output
csx/
*.build.csdef

# Microsoft Azure Emulator
ecf/
rcf/

# Windows Store app package directories and files
AppPackages/
BundleArtifacts/
Package.StoreAssociation.xml
_pkginfo.txt
*.appx
*.appxbundle
*.appxupload

# Visual Studio cache files
# files ending in .cache can be ignored
*.[Cc]ache
# but keep track of directories ending in .cache
!?*.[Cc]ache/

# Others
ClientBin/
~$*
*~
*.dbmdl
*.dbproj.schemaview
*.jfm
*.pfx
*.publishsettings
orleans.codegen.cs

# Including strong name files can present a security risk
# (https://github.com/github/gitignore/pull/2483#issue-259490424)
#*.snk

# Since there are multiple workflows, uncomment next line to ignore bower_components
# (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
#bower_components/

# RIA/Silverlight projects
Generated_Code/

# Backup & report files from converting an old project file
# to a newer Visual Studio version. Backup files are not needed,
# because we have git ;-)
_UpgradeReport_Files/
Backup*/
UpgradeLog*.XML
UpgradeLog*.htm
ServiceFabricBackup/
*.rptproj.bak

# SQL Server files
*.mdf
*.ldf
*.ndf

# Business Intelligence projects
*.rdl.data
*.bim.layout
*.bim_*.settings
*.rptproj.rsuser
*- [Bb]ackup.rdl
*- [Bb]ackup ([0-9]).rdl
*- [Bb]ackup ([0-9][0-9]).rdl

# Microsoft Fakes
FakesAssemblies/

# GhostDoc plugin setting file
*.GhostDoc.xml

# Node.js Tools for Visual Studio
.ntvs_analysis.dat
node_modules/

# Visual Studio 6 build log
*.plg

# Visual Studio 6 workspace options file
*.opt

# Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
*.vbw

# Visual Studio 6 auto-generated project file (contains which files were open etc.)
*.vbp

# Visual Studio 6 workspace and project file (working project files containing files to include in project)
*.dsw
*.dsp

# Visual Studio 6 technical files
*.ncb
*.aps

# Visual Studio LightSwitch build output
**/*.HTMLClient/GeneratedArtifacts
**/*.DesktopClient/GeneratedArtifacts
**/*.DesktopClient/ModelManifest.xml
**/*.Server/GeneratedArtifacts
**/*.Server/ModelManifest.xml
_Pvt_Extensions

# Paket dependency manager
.paket/paket.exe
paket-files/

# FAKE - F# Make
.fake/

# CodeRush personal settings
.cr/personal

# Python Tools for Visual Studio (PTVS)
__pycache__/
*.pyc

# Cake - Uncomment if you are using it
# tools/**
# !tools/packages.config

# Tabs Studio
*.tss

# Telerik's JustMock configuration file
*.jmconfig

# BizTalk build output
*.btp.cs
*.btm.cs
*.odx.cs
*.xsd.cs

# OpenCover UI analysis results
OpenCover/

# Azure Stream Analytics local run output
ASALocalRun/

# MSBuild Binary and Structured Log
*.binlog

# NVidia Nsight GPU debugger configuration file
*.nvuser

# MFractors (Xamarin productivity tool) working folder
.mfractor/

# Local History for Visual Studio
.localhistory/

# Visual Studio History (VSHistory) files
.vshistory/

# BeatPulse healthcheck temp database
healthchecksdb

# Backup folder for Package Reference Convert tool in Visual Studio 2017
MigrationBackup/

# Ionide (cross platform F# VS Code tools) working folder
.ionide/

# Fody - auto-generated XML schema
FodyWeavers.xsd

# VS Code files for those working on multiple tools
.vscode/*
!.vscode/settings.json
!.vscode/tasks.json
!.vscode/launch.json
!.vscode/extensions.json
*.code-workspace

# Local History for Visual Studio Code
.history/

# Windows Installer files from build outputs
*.cab
*.msi
*.msix
*.msm
*.msp

# JetBrains Rider
*.sln.iml

venv
/.idea/misc.xml
/.idea/modules.xml
/.idea/inspectionProfiles/profiles_settings.xml
/.idea/inspectionProfiles/Project_Default.xml
/.idea/vcs.xml
/.idea/IACS_STAR_Methodology.iml
/.idea/.gitignore
```

---

/CNAME:

```text
iacs-star-calculator.com
```

---

/CutSec_IACS-STAR_Methodology_20230916.pdf:

https://raw.githubusercontent.com/cutaway-security/IACS_STAR_Methodology/fc5037185ab5bbcf7b965d15e094dde300ab1087/CutSec_IACS-STAR_Methodology_20230916.pdf

---

/README.md:

# IACS System Testing and Assessment Rating (STAR) Methodology (IACS STAR)

A methodology for scoring implementation vulnerabilities identified when testing and performing cybersecurity assessments of industrial and automation control environments.

Get started with the [IACS STAR Calculator](#iacs-star-calculator)

## Contributions

* Development Committee: [Don C. Weber](https://www.linkedin.com/in/cutaway/), [Christoph Bless](https://www.linkedin.com/in/christoph-bless-111374199/), [Jessa Davis](https://www.linkedin.com/in/davisjessa/)
* Author: Don C. Weber
* IACS/OT Contributors: Oscar Delgado, Danielle Jablanski, Tim Conway, Brandon Workentin
* IT/Infosec Contributors: Jeff Williams (author of the original OWASP Risk Rating Methodology)

# Introduction

Security assessments and penetration tests of an Industrial and Automation Control Systems (IACS) / Operational Technology (OT) environment are two types of vulnerability assessment that feed information into the [ISA/IEC 62443](https://www.isa.org/standards-and-publications/isa-standards/isa-iec-62443-series-of-standards) risk assessment process. The Cyber Security Management System (CSMS) process, detailed in the ISA/IEC-62443-2-1 standard, requires a detailed risk assessment, which is outlined in full in the ISA/IEC-62443-3-2 standard. The detailed risk assessment requires that a vulnerability assessment be conducted to identify unmitigated risk. These vulnerability assessments require that the findings be qualitatively rated according to the threat, the likelihood, and the consequences should the vulnerability be exploited and the threat actor succeed.

The IACS System Testing and Assessment Rating (STAR) Methodology (IACS STAR) is a methodology for estimating the severity of identified risks to the IACS/OT environment. It keeps the classic qualitative risk calculation elements while adding the consequence considerations necessary for understanding risks to IACS/OT processes and equipment. Having a system in place that addresses IACS/OT concerns when rating risks saves time, eliminates arguments about prioritization, and improves countermeasure selection so that risk is reduced quickly.

The authors of this methodology have tried hard to make the model simple to use while keeping enough detail for accurate risk estimates. Please reference the section below on customization for more information about tailoring the model for use in a specific organization.

<details>
<summary>Click the arrow for resources that help explain the challenges and obstacles of analyzing and rating risk in IACS/OT environments.</summary>

- [The Blind Spot: How to Simply Calculate Cyber Attack Likelihood Using the Exploitability Assessment](https://www.cybersecureot.info/post/the-blind-spot-how-to-simply-calculate-cyber-attack-likelihood-using-the-exploitability-assessment)
- [Maximizing Limited Resources in OT Security - Spiceworks](https://www.spiceworks.com/tech/devops/guest-article/maximizing-limited-resources-in-ot-security/amp/)
</details>

# Risk Analysis Overview

Over the years there has been a lot of debate about how to rate risk within industrial and automation control environments. Rating risk is difficult because of the varying ideas about likelihood, frequency, consequences, and impact ratings. This project is an effort to update the [OWASP Risk Rating Methodology](https://owasp.org/www-community/OWASP_Risk_Rating_Methodology) so that it is usable when conducting security assessments and penetration tests within IACS/OT environments. It is not designed to replace a mature organization's risk rating methodology. It is intended for assessment teams to use when a specific methodology has not been defined, or when a quicker method is needed to rate and reduce risk.

<details>
<summary>For background, there are other more mature, popular, or well-established risk rating methodologies that can be followed. Click the arrow for a list.</summary>

- [ISA/IEC 62443 Series of Standards](https://www.isa.org/standards-and-publications/isa-standards/isa-iec-62443-series-of-standards)
- [NIST 800-30 - Guide for Conducting Risk Assessments](https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final)
- [National Vulnerability Database (NVD) Common Vulnerability Scoring System Version 3 (CVSSv3) Calculator](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator)
- [Government of Canada - Harmonized TRA Methodology](https://cyber.gc.ca/en/guidance/harmonized-tra-methodology-tra-1)
- Mozilla resources:
  - [Risk Assessment Summary](https://infosec.mozilla.org/guidelines/assessing_security_risk)
  - [Rapid Risk Assessment (RRA)](https://infosec.mozilla.org/guidelines/risk/rapid_risk_assessment.html)

</details>

The risk and vulnerability assessment process is augmented by threat modeling to identify and prioritize potential attack vectors and successful exploitations.

<details>
<summary>Click the arrow for a list of methods to help with the threat modeling process.</summary>

- [FIRST.org: Threat Modelling](https://www.first.org/global/sigs/cti/curriculum/threat-modelling)
- [The Operational Resilience Framework](https://www.grf.org/orf)
- [Microsoft Threat Modeling Tool threats](https://learn.microsoft.com/en-us/azure/security/develop/threat-modeling-tool-threats) - aka STRIDE
- [MITRE's Threat Assessment and Remediation Analysis (TARA)](https://www.mitre.org/news-insights/publication/threat-assessment-and-remediation-analysis-tara)
- [ICS Layered Threat Modeling](https://sansorg.egnyte.com/dl/fztutwiK5J)
- [OWASP Threat Modeling](https://owasp.org/www-community/Threat_Modeling)
- [OWASP Application Threat Modeling](https://owasp.org/www-community/Application_Threat_Modeling)
- [OWASP pytm](https://owasp.org/www-project-pytm/) - Pythonic framework for threat modeling
- [OWASP Threat Dragon](https://owasp.org/www-project-threat-dragon/) - threat modeling tool
</details>

The ISA/IEC 62443 CSMS Detailed Risk Assessment process requires that considerations for the criticality of processes, equipment, and procedures are calculated and documented. Each process environment is unique. While the technologies and implementation details may be similar, the implementation, management procedures, and selected countermeasures will differ for each instance. Indeed, the most effective way to secure these environments is to consider what the process is actually designed to accomplish, and to consider issues that are not necessarily tied to the common technological vulnerabilities evaluated by traditional risk and vulnerability assessment processes.

<details>
<summary>The following resources provide some details and insight into the considerations for this process. Click the arrow for more details.</summary>

- [Idaho National Labs Cyber Informed Engineering](https://inl.gov/cie/)
- [Idaho National Labs Consequence-driven Cyber-Informed Engineering](https://inl.gov/cce/)
- [Critical infrastructure cybersecurity prioritization: A cross-sector methodology for ranking operational technology cyber scenarios and critical entities](https://www.atlanticcouncil.org/in-depth-research-reports/issue-brief/critical-infrastructure-cybersecurity-prioritization/)
- [Common Vulnerability Scoring System Version 4.0](https://www.first.org/cvss/v4-0/) - CVSS version 4.0 is the next generation of the Common Vulnerability Scoring System standard.
</details>

# Approach

The ISA/IEC-62443-2-1 standard outlines that risk is calculated by taking the likelihood that an event will occur and scaling it by the consequences should the event be realized. Hence the equation **Risk = Likelihood * Consequence**. Assigning values to the likelihood and consequence variables is where the debate typically lies.

Most IACS/OT likelihood calculations, sometimes referred to as frequency, take into consideration the commonly understood cases of equipment failure. Industrial and automation equipment has specific usage tolerances that, when combined with known usage, can provide a measurable likelihood that the equipment will experience a problem. This often results in a likelihood table that uses specific timetables for an event to occur. A simple example could be:

- High: will occur in the next year
- Moderate: will occur in the next 10 years
- Low: no history of occurrence and therefore unlikely

These typical likelihood ratings are not applicable when considering cybersecurity and the likelihood or frequency that a threat actor will attempt to exploit a vulnerability. In 2008 the Federal Energy Regulatory Commission (FERC) determined that electric utilities required specific guidance to understand how to address likelihood and frequency when calculating risk. In [FERC Order 706 Mandatory Reliability Standards for Critical Infrastructure Protection](https://www.ferc.gov/sites/default/files/2020-04/E-2_11.pdf) the following guidance was provided:

- "Because there is insufficient data available to determine frequency, it should be assumed that an event will occur."
- "Risk-based assessment methodology should focus on the consequences of an outage, not the likelihood of an outage."

In the sections below, the factors that make up "likelihood" and "consequences" for IACS/OT environments are broken down as defined in the 'ISA/IEC-62443-3-2 Zone and Conduit Requirements (ZCR) 5: Perform a detailed cyber security risk assessment' section. The assessment team is shown how to leverage these factors to determine the overall severity of risks identified during a vulnerability assessment.

- Step 1: ZCR 5.1: Identify Threats
- Step 2: ZCR 5.2: Identify Vulnerabilities
- Step 3: ZCR 5.3: Factors for Estimating Consequences and Impact
- Step 4: ZCR 5.4: Factors for Estimating Likelihood
- Step 5: ZCR 5.5: Calculate Unmitigated Cybersecurity Risk
- Step 6: Reporting Vulnerabilities and Vector Scores
- Step 7: IACS STAR Calculator

## Step 1: Identify Threats (ISA/IEC-62443-3-2 ZCR 5.1)

Following the model of the OWASP risk rating system, there are a few factors that aid in the determination of risk. This effort has modified the OWASP model slightly to fit the IACS/OT model. These factors are used when modeling attack scenarios to prioritize assessment efforts. The factors are also used when calculating the risk rating for each vulnerability and will vary according to the specifics of the situation. These factors include:

- a description of the threat actor group,
- the capabilities or skill level of the threat actors,
- the possible motivations of the threat actors,
- the opportunities provided to the threat actors by the environment's architecture, and
- the level of access achieved when successfully exploiting the vulnerability.

### Threat Actor Factors

It is important to understand threat actor groups when considering the skills, motivation, opportunities, and population of potential attackers. There are many lists that outline specific threat actor groups that are known to attack IACS/OT environments. These include [Wikipedia: threat actor](https://en.wikipedia.org/wiki/Threat_actor), [MITRE](https://attack.mitre.org/groups/), [Mandiant](https://www.mandiant.com/resources/insights/apt-groups), [CrowdStrike](https://www.crowdstrike.com/adversaries/), [Dragos](https://www.dragos.com/threat-groups/), and more. To perform vulnerability assessments, a simpler list is needed that all stakeholders can agree on. Each of these groups is more accurately defined by its skills, likelihood of success, and primary objectives.

<details>
<summary>The following is one possible breakdown of threat actors associated with IACS/OT environments, each with their own levels of skill, motivation, opportunities, and group size. Click the arrow to view these.</summary>

- **Malware**: Malicious programs that have a specific effect on vulnerable / compromised systems. This includes general malware, IACS/OT malware, and custom malware.
- **Script Kiddies**: Use tools, techniques, and malware that are known, common, and easily accessible.
- **Cybercriminal**: An advanced group that has the maturity and financial backing to obtain or develop tools, hire technology experts, and take the time to conduct research and development to achieve goals.
- **Hacker**: Individuals, mainly security researchers and sensationalists. Their activities are typically limited to conducting vulnerability research on products. Select individuals may progress to attempting to gain unauthorized access to understand risk and publicly disclose information.
- **Competitor**: Direct competitors with team members who have access to specific knowledge that applies in the case of specialized software and equipment.
- **Employee**: Disgruntled or reckless employees who have privileged access to systems and devices as well as knowledge about the technologies and networks.
- **Vendor**: A rogue vendor, integrator, or consultant that is disgruntled, reckless, or malicious. Has knowledge about the technologies and may have privileged access to systems, networks, and devices.
- **Cyberwarrior**: Nation-state threat actors that typically operate in groups to achieve specific goals. Trained to live off the land, steal credentials, and exfiltrate information. Have access to custom tools and malware designed to maintain persistence, propagate, and achieve their goals.
</details>

To compute the likelihood that a threat actor group will be successful, the following numerical ratings are assigned to the skill level, motivation, opportunity, and size categories. The level of each category can be estimated to calculate the Threat Agent Factor, which is used to compute the overall likelihood that an event will be realized.

<details>
<summary>Click the arrow to review the likelihood factors.</summary>

- **Skill Level** - How technically skilled is this group of threat actors?
  - Limited Information Technology (IT), network, and no Operational Technology (OT) skills (1)
  - Moderate IT, limited network, and no OT technical skills (3)
  - Advanced IT, moderate network, and limited OT technical skills (5)
  - Advanced IT, advanced network, and moderate OT technical skills (6)
  - Advanced OT technical skills (8)
  - Security penetration skills and knowledge of OT technologies (9)
- **Motive** - How motivated are the threat actors once they obtain access to the control environment? An excellent guide for this is the Impact column of the [MITRE ATT&CK ICS Matrix](https://attack.mitre.org/matrices/ics/).
  - No reward or intention to impact control environment (1)
  - Theft of operational data or equipment (2)
  - Create loss of view and control as a result of target-of-opportunity access to assets (3)
  - Limit access to fileshares and prevent view and control using common malware (5)
  - Prevent view and control using specially designed malware (6)
  - Manipulate view and control using privileged remote access and/or specially designed malware (8)
  - Prevent operation of safety equipment or cause a catastrophic failure (9)
- **Opportunity** - When accessing the control environment, how are the threat actors limited by deployed countermeasures?
  - Physical access and local authentication are required and response time is less than fifteen minutes (0)
  - Physical access and local authentication are required but response time is more than fifteen minutes (1)
  - Physical and remote access is possible, local authentication required, and active monitoring is enabled (3)
  - Limited logging of physical or remote access but administrative privileges are required to access network devices, systems, and applications (5)
  - Undetected physical or remote access but administrative privileges are required to access network devices, systems, and applications (6)
  - Undetected physical or remote access but requires authentication to some network devices, systems, and applications (8)
  - Undetected physical or remote access that provides elevated permissions to network devices, systems, and applications (9)
- **Access** - What are the physical or remote access capabilities achieved by successful exploitation within the process?
  - Physical owner/operator users (1)
  - Physical vendor / integrator users (2)
  - Physical non-malicious civilian users (4)
  - Remote owner/operator users (5)
  - Remote vendor / integrator users (7)
  - Physical malicious users (8)
  - Remote anonymous internet users (9)
</details>

## Step 2: Identify Vulnerabilities (ISA/IEC-62443-3-2 ZCR 5.2)

The identification of vulnerabilities depends on the type of vulnerability assessment being conducted. Every IACS/OT environment will have a list of vulnerabilities that is a combination of known hardware and software vulnerabilities, configuration vulnerabilities, and technology implementation vulnerabilities. Some vulnerabilities can be identified using online research, e.g., the [NVD Vulnerabilities search page](https://nvd.nist.gov/vuln/search) and vendor cybersecurity resource pages. Configuration and implementation vulnerabilities are identified using passive and active vulnerability testing methods. The factors that play into rating identified vulnerabilities include:

- the ease of access,
- the ease of exploitation,
- public awareness of the vulnerability, and
- detection of and response to attempts to exploit the vulnerability.

### Vulnerability Factors

The next set of factors are related to understanding the identified vulnerability. The goal here is to estimate the likelihood that the particular vulnerability will be exploited and used to gain access to the environment, provide persistence on a system or device, or be used to achieve the threat actor's goals. To understand the vulnerability, the factors involving access, exploitation, and public awareness should be considered. Additionally, one of the Foundational Requirements outlined in the ISA/IEC 62443 series of standards is Timely Response to Events (TRE). This should be added to the factors when understanding the vulnerability within the IACS/OT environment.

<details>
<summary>Click the arrow to review the vulnerability factors.</summary>

- **Ease of Access** - How easy is it for this group of threat agents to access the environment and discover the existence of the vulnerability?
  - Requires physical access to environment or OT device (1)
  - Requires physical access to environment or IT device (2)
  - Remotely accessible but countermeasures protecting OT technologies (3)
  - Remotely accessible but countermeasures protecting IT technologies (4)
  - Remotely accessible but no automated tools to discover for OT technologies (6)
  - Remotely accessible but no automated tools to discover for IT technologies (7)
  - Remotely accessible and automated tools available for IT technologies (8)
  - Remotely accessible and automated tools available for OT technologies (9)
- **Ease of Exploit** - How easy is it to actually exploit the vulnerability?
  - No known proof of concept (1)
  - Countermeasures protecting OT technologies (2)
  - Denial-of-Service possible but no code execution (3)
  - Custom scripts / tools can be made to exploit IT technologies (5)
  - Custom scripts / tools can be made to exploit OT technologies (6)
  - Automated tools available for IT technologies (8)
  - Automated tools available for OT technologies (9)
- **Awareness** - How well known is this vulnerability?
  - Unknown OT vulnerability (1)
  - Unknown IT vulnerability (2)
  - Not publicly known but common [configuration vulnerability](https://cwe.mitre.org/) (3)
  - Publicly identified on vendor website or within [NVD Vulnerabilities database](https://nvd.nist.gov/vuln/search) but no known exploit available (5)
  - Publicly identified on vendor website or within [NVD Vulnerabilities database](https://nvd.nist.gov/vuln/search), no known exploit available but target threat actor group can develop exploit (6)
  - Publicly identified on vendor website, vulnerability databases, and exploit available in public forums, e.g. [Metasploit](https://www.metasploit.com/), [Exploit-DB](https://www.exploit-db.com/) (8)
  - Publicly identified and listed in the [CISA Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog) (9)
- **Detection/Response** - How likely is an exploit to be detected?
  - Centrally logged with alerts and formal review and response plan (1)
  - Centrally logged with alerts and formal review but no response plan (3)
  - Centrally logged with alerts, but no formal review or response plan (6)
  - Centrally logged and without review (7)
  - Locally logged without review (8)
  - Not logged (9)
</details>
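A worked scoring helper for the Step 1 and Step 2 factor tables, added here as an example; it is not code from the IACS_STAR_Methodology repository or its calculator. It encodes the option scores listed above, rejects a rating that uses a score not in the tables, and combines the factors into a Threat Agent Factor, a vulnerability factor and an overall 0-9 likelihood. Averaging the factors and the Low/Medium/High bands follow the OWASP Risk Rating Methodology that the page adapts, and the factor codes and vector layout are invented, so all of those are assumptions rather than the page's own Step 5 rule.

```python
"""Likelihood scoring from the IACS STAR threat-agent and vulnerability factors.

Added example, not code from the IACS_STAR_Methodology repository. The per-option
scores are those listed in Steps 1 and 2 above. Averaging the factors and the
0-<3 Low / 3-<6 Medium / 6-9 High bands follow the OWASP Risk Rating Methodology
the page adapts; they, the factor codes and the vector layout are assumptions here,
because the page's own Step 5 (unmitigated risk) is not shown.
"""

# Valid scores per factor, copied from the page's option lists.
THREAT_AGENT_FACTORS = {
    "SL": ("Skill Level", {1, 3, 5, 6, 8, 9}),
    "M": ("Motive", {1, 2, 3, 5, 6, 8, 9}),
    "O": ("Opportunity", {0, 1, 3, 5, 6, 8, 9}),  # 0 = local auth + sub-15-minute response
    "A": ("Access", {1, 2, 4, 5, 7, 8, 9}),
}
VULNERABILITY_FACTORS = {
    "EA": ("Ease of Access", {1, 2, 3, 4, 6, 7, 8, 9}),
    "EE": ("Ease of Exploit", {1, 2, 3, 5, 6, 8, 9}),
    "AW": ("Awareness", {1, 2, 3, 5, 6, 8, 9}),
    "DR": ("Detection/Response", {1, 3, 6, 7, 8, 9}),
}
ALL_FACTORS = {**THREAT_AGENT_FACTORS, **VULNERABILITY_FACTORS}


def validate(selection: dict) -> None:
    """Reject a rating that skips a factor or uses a score that is not in its table."""
    if set(selection) != set(ALL_FACTORS):
        raise ValueError(f"expected exactly the factors {sorted(ALL_FACTORS)}")
    for code, score in selection.items():
        name, allowed = ALL_FACTORS[code]
        if score not in allowed:
            raise ValueError(f"{name} has no option scored {score}; allowed {sorted(allowed)}")


def is_valid(selection: dict) -> bool:
    try:
        validate(selection)
        return True
    except ValueError:
        return False


def _mean(selection: dict, factors: dict) -> float:
    validate(selection)
    return sum(selection[code] for code in factors) / len(factors)


def threat_agent_factor(selection: dict) -> float:
    """Step 1 Threat Agent Factor: mean of Skill Level, Motive, Opportunity, Access."""
    return _mean(selection, THREAT_AGENT_FACTORS)


def vulnerability_factor(selection: dict) -> float:
    """Step 2 factor: mean of Ease of Access, Ease of Exploit, Awareness, Detection/Response."""
    return _mean(selection, VULNERABILITY_FACTORS)


def likelihood(selection: dict) -> float:
    """Overall likelihood on the 0-9 scale: mean of all eight factors, as OWASP does."""
    return _mean(selection, ALL_FACTORS)


def band(score: float) -> str:
    """OWASP likelihood bands: 0 to <3 Low, 3 to <6 Medium, 6 to 9 High."""
    if not 0 <= score <= 9:
        raise ValueError("score must lie within 0..9")
    return "Low" if score < 3 else "Medium" if score < 6 else "High"


def vector(selection: dict) -> str:
    """Compact 'CODE:score/...' string for the report (layout assumed, cf. Step 6)."""
    validate(selection)
    return "/".join(f"{code}:{selection[code]}" for code in ALL_FACTORS)


def parse_vector(text: str) -> dict:
    """Inverse of vector(); re-validates so an edited report value cannot carry a bad score."""
    selection = {}
    for part in text.split("/"):
        code, sep, value = part.partition(":")
        if not sep or not value.isdigit():
            raise ValueError(f"malformed vector element {part!r}")
        selection[code] = int(value)
    validate(selection)
    return selection


# Constructed ratings for two findings (illustrative values, not from the page).
# Remote engineering access, vendor-published issue with public exploit, local logging only.
EXPOSED_FINDING = {"SL": 9, "M": 8, "O": 8, "A": 9, "EA": 8, "EE": 8, "AW": 8, "DR": 8}
# Physically guarded OT device, no proof of concept, centrally logged with a response plan.
CONTAINED_FINDING = {"SL": 3, "M": 2, "O": 0, "A": 1, "EA": 1, "EE": 1, "AW": 1, "DR": 1}

if __name__ == "__main__":
    for label, sel in (("exposed", EXPOSED_FINDING), ("contained", CONTAINED_FINDING)):
        score = likelihood(sel)
        print(f"{label}: {vector(sel)} -> TA {threat_agent_factor(sel):.2f}, "
              f"V {vulnerability_factor(sel):.2f}, likelihood {score:.2f} ({band(score)})")
```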

## Step 3: Estimating Consequences and Impact (ISA/IEC-62443-3-2 ZCR 5.3)

The original OWASP risk rating methodology used a combination of technical and business impact factors to analyze the impact when a vulnerability's exploitation was realized. While useful, these are not the best ways to understand the impact of an exploited vulnerability on an IACS/OT environment. The Impact column of the [MITRE ATT&CK ICS Matrix](https://attack.mitre.org/matrices/ics/) provides good details about what can happen after successful exploitation. These impacts are a combination of denial, loss, and manipulation of the process or of the locations that monitor the process. The FIRST.org [CVSS v4.0](https://www.first.org/cvss/v4-0/) scoring system has been updated to include a new supplemental metric group with rating factors for safety, automatable, recovery, value density, vulnerability response effort, and provider urgency. Hence, the IACS STAR estimates consequences and impacts using technical factors and safety factors.

***NOTE***: Business impacts are still an important factor for rating risk. However, business impact factors are considerations that should be left to the Detailed Risk Analysis. The IACS STAR is designed to be used when rating the risk of vulnerabilities that feed into the Detailed Risk Analysis process. Therefore, the IACS STAR calculations attempt to capture the safety impact factors rather than the business impact factors. (Business impact factors may be incorporated into IACS STAR calculations at a future date.)

### Technical Impact Factors

Technical impact can be broken down into factors aligned with the traditional security areas of concern: confidentiality, integrity, availability, and accountability. The goal is to estimate the magnitude of the impact on the system if the vulnerability were to be exploited.

- **Loss of Confidentiality** - How much data could be disclosed and how sensitive is it?
  - No data lost (0)
  - Minimal architecture configuration data disclosed (2)
  - Minimal network configuration data but no device configuration data disclosed (4)
  - Extensive network configuration data and some device configuration data disclosed (6)
  - Some process network and device configuration data disclosed (7)
  - All process network and device configuration data disclosed (9)
- **Loss of Integrity** - How is the process data changed and does it impact critical functions?
  - Modification of historical data not used for control (1)
  - Modification of historical data used for control (2)
  - Local modification of set points used for non-critical functions (4)
  - Remote modification of set points used for non-critical functions (5)
  - Remote modification of device configurations used for non-critical functions (6)
  - Local modification of set points used for critical functions (7)
  - Remote modification of set points used for critical functions (8)
  - Remote modification of device configurations used for critical functions (9)
- **Loss of Availability** - How are production and safety services impacted?
  - Minimal production interruption and easily recoverable (1)
  - Device or service interrupted but process not impacted (3)
  - Production services temporarily interrupted but easily recoverable (4)
  - Production services interrupted but does not affect other processes (6)
  - Production services interrupted and impacts other processes (7)
  - All production services completely lost (8)
  - Loss of process safety functionality (9)
- **Loss of Accountability** - Are the threat actor actions traceable to an individual?
  - Central logging, Multifactor Authentication (MFA), and cameras (1)
  - Central logging, Multifactor Authentication (MFA), but no cameras (2)
  - Local logging, Multifactor Authentication (MFA), and cameras but no central logging (3)
  - Local logging and cameras but no MFA and no central logging (5)
  - Local logging but no MFA, no central logging, and no cameras (7)
  - No local or central logging, no MFA, and no cameras (9)

### Safety Impact Factors

The safety impact stems from the technical impact and requires a deep understanding of the process itself. The stakeholders of the System-Under-Consideration (SUC) understand how each system and device within the SUC affects safe operations. These stakeholders can provide details about how a situation, should exploitation of a condition be realized, will affect the environment, the process, and the equipment, and about issues related to recoverability.

Rating these factors requires discussion among all team members. Initial ratings can be selected according to the information provided and the conditions witnessed during the assessment. Selecting an initial rating allows follow-on discussions to rate the factors more accurately.

- **Environment Damage** - How much damage to the local environment, plant or public, will be realized by successful exploitation?
  - No environmental impact (0)
  - Environment damage limited by safety equipment, active, and passive protections (1)
  - Environment damage limited by active and passive protections (2)
  - Environment damage limited by passive protections only (4)
  - Safety equipment not remotely accessible and active and passive protections are in place (5)
  - Safety equipment remotely accessible but active and passive protections are sufficient (7)
  - Safety equipment remotely accessible and situation might overwhelm active protections but passive protections are sufficient (8)
  - Safety equipment on production network and situation might overwhelm active or passive protections (9)
- **Process Damage** - How much damage to the process equipment will be realized by successful exploitation?
  - No devices can be damaged and configurations cannot be modified (0)
  - Device or monitoring systems / applications can be modified but do not damage device or process (1)
  - Device configuration can be changed but easily recoverable (3)
  - Device damaged requiring manual update but limited impact to process (4)
  - Device damaged requiring manual update and significant impact to process (6)
  - Safety equipment configuration changed but limited impact to process (7)
  - Safety equipment damaged but limited impact to process (8)
  - Safety equipment damaged causing process failure or automatic shutdown (9)
- **Safety Equipment** - How well is digital safety equipment deployed and protected?
  - Safety equipment not required for process (0)
  - Safety equipment required for process but not remotely accessible or on the same network as vulnerability (1)
  - Safety equipment required for process, remotely accessible, and requires MFA but not on the same network as vulnerability (2)
  - Safety equipment required for process and remotely accessible but does not require MFA and not on the same network as vulnerability (3)
  - Safety equipment required for process, remotely accessible, requires MFA, and on the same network as vulnerability (4)
  - Safety equipment required for process, remotely accessible, does not require MFA, and on the same network as vulnerability (5)
  - Safety equipment vulnerable and remotely accessible but requires MFA (6)
  - Safety equipment vulnerable and remotely accessible but requires authentication without MFA (7)
  - Safety equipment vulnerable and remotely accessible but requires authentication with a default/hardcoded password in place and no MFA (8)
  - Safety equipment vulnerable, remotely accessible, and does not require authentication (9)
- **Recoverability** - How well is the organization / process team prepared to recover during successful exploitation?
  - Vulnerability will not require or limit recovery operations (0)
  - Process will automatically recover with no manual efforts (1)
  - Process will recover with minimal manual efforts (2)
  - Process will recover with extensive manual efforts (4)
  - Recovery not possible without vendor or integrator assistance (6)
  - Recovery not possible without limited government and vendor/integrator assistance (7)
  - Recovery not possible without moderate government and vendor/integrator assistance (8)
  - Recovery not possible without significant government and vendor/integrator assistance (9)

## Step 4: Estimating Likelihood (ISA/IEC-62443-3-2 ZCR 5.4) and Consequences

The likelihood that the exploitation of a vulnerability will be realized is derived from the factors scored when identifying threats and vulnerabilities. The threat and vulnerability factor scores are added together and divided by the number of factors used in the calculation. The resulting value is then assigned a less granular category (e.g., low, medium, or high) to limit subjectivity and improve consensus.

The same method is used when calculating scores for consequences and impacts: the technical and safety impact factor scores are combined to arrive at a low, medium, or high category.

To calculate the likelihood and consequence rating category, the 0 to 9 scale is split into three parts:

![Scoring Categories](./images/istar_scoring_categories_20230721.jpg)


## Step 5: Calculate Unmitigated Cybersecurity Risk (ISA/IEC-62443-3-2 ZCR 5.5)

Once the likelihood and consequence ratings have been determined, the overall risk associated with the vulnerability can be calculated. This calculation results in the unmitigated risk rating for the vulnerability, which is the required input into the ISA/IEC 62443 Detailed Risk Analysis. The following table is used to combine the resulting likelihood and consequence categories and assign an unmitigated risk score.

![Unmitigated Risk Categories](./images/istar_unmitigated_risk_categories_20230721.jpg)

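The arithmetic of Steps 4 and 5 carried through in code, as an added worked example that is not the project's calculator. The page shows the category bands and the unmitigated risk table only as images, so the example assumes the OWASP Risk Rating bands (0 to below 3 low, 3 to below 6 medium, 6 to 9 high) and the OWASP 3x3 likelihood-by-impact matrix that the methodology is derived from; replace both with the values from the images before relying on the output. Scores are supplied in the vector format that Step 6 defines, every factor counts towards its average (including ones scored 0), and the sample vector is a constructed finding, not data from any assessment.

```python
"""Score an IACS STAR vector: likelihood, consequence, and unmitigated risk.

Added worked example, not the project's code. The band edges and the risk
table are ASSUMED (OWASP-style) because the page shows them only as images.
"""
from __future__ import annotations

import re

# Factor identifiers from Step 6, in the order the vector string lists them.
THREAT_FACTORS = ("SL", "M", "O", "A")
VULNERABILITY_FACTORS = ("EA", "EE", "AW", "DR")
TECHNICAL_IMPACT = ("LC", "LI", "LA", "LAC")
SAFETY_IMPACT = ("ED", "PD", "SE", "R")
ALL_FACTORS = THREAT_FACTORS + VULNERABILITY_FACTORS + TECHNICAL_IMPACT + SAFETY_IMPACT

# ASSUMED band edges: a score below the edge falls into that band.
BANDS = ((3, "LOW"), (6, "MEDIUM"), (10, "HIGH"))

# ASSUMED unmitigated risk table, keyed (consequence band, likelihood band).
RISK_TABLE = {
    ("LOW", "LOW"): "NOTE",      ("LOW", "MEDIUM"): "LOW",       ("LOW", "HIGH"): "MEDIUM",
    ("MEDIUM", "LOW"): "LOW",    ("MEDIUM", "MEDIUM"): "MEDIUM", ("MEDIUM", "HIGH"): "HIGH",
    ("HIGH", "LOW"): "MEDIUM",   ("HIGH", "MEDIUM"): "HIGH",     ("HIGH", "HIGH"): "CRITICAL",
}

_PAIR = re.compile(r"^([A-Z]+):([0-9])$")   # one factor, one digit 0..9


def parse_vector(vector: str) -> dict[str, int]:
    """Parse '(SL:6/M:8/.../R:4)' into {factor: score}; reject anything malformed."""
    text = vector.strip()
    if not (text.startswith("(") and text.endswith(")")):
        raise ValueError("vector must be wrapped in parentheses")
    scores: dict[str, int] = {}
    for pair in text[1:-1].split("/"):
        m = _PAIR.match(pair)
        if not m:
            raise ValueError(f"malformed factor {pair!r}")
        key, value = m.group(1), int(m.group(2))
        if key not in ALL_FACTORS:
            raise ValueError(f"unknown factor {key!r}")
        if key in scores:
            raise ValueError(f"duplicate factor {key!r}")
        scores[key] = value
    missing = [k for k in ALL_FACTORS if k not in scores]
    if missing:
        raise ValueError(f"missing factors: {missing}")
    return scores


def to_vector(scores: dict[str, int]) -> str:
    """Render scores in the Step 6 format, always in the canonical order."""
    return "(" + "/".join(f"{k}:{scores[k]}" for k in ALL_FACTORS) + ")"


def categorize(score: float) -> str:
    """Map a 0..9 average onto the ASSUMED LOW/MEDIUM/HIGH bands."""
    for upper, name in BANDS:
        if score < upper:
            return name
    raise ValueError(f"score {score} outside 0..9")


def average(scores: dict[str, int], factors: tuple[str, ...]) -> float:
    # Step 4: add the factor scores and divide by the number of factors.
    # Every listed factor counts, including ones scored 0 (N/A); drop them
    # from `factors` first if your team reads "factors used" more narrowly.
    return sum(scores[f] for f in factors) / len(factors)


def rate(scores: dict[str, int]) -> dict[str, object]:
    """Steps 4 and 5: the two averages, their bands, and the risk table lookup."""
    likelihood = average(scores, THREAT_FACTORS + VULNERABILITY_FACTORS)
    consequence = average(scores, TECHNICAL_IMPACT + SAFETY_IMPACT)
    l_band, c_band = categorize(likelihood), categorize(consequence)
    return {
        "likelihood": likelihood, "likelihood_category": l_band,
        "consequence": consequence, "consequence_category": c_band,
        "unmitigated_risk": RISK_TABLE[(c_band, l_band)],
    }


# Constructed finding: a PLC with a default password reachable from the
# business network, scored against the factor lists on this page.
SAMPLE_VECTOR = "(SL:6/M:8/O:6/A:5/EA:7/EE:8/AW:8/DR:7/LC:6/LI:8/LA:7/LAC:7/ED:5/PD:6/SE:7/R:4)"

if __name__ == "__main__":
    for name, value in rate(parse_vector(SAMPLE_VECTOR)).items():
        print(f"{name:>21}: {value}")
```

For the sample vector the likelihood average is 55/8 = 6.875 and the consequence average is 50/8 = 6.25, both in the assumed high band, so the assumed table returns the top risk category. The parser rejects unknown, duplicate, missing, or out-of-range factors rather than silently scoring them, which matters once vectors are copied between reports and tracking tools.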

## Step 6: Reporting Vulnerabilities and Vector Scores

The assessment report is the most important part of an assessment. It provides context about the scope of the assessment, the assets involved, the communications between assets and across enforcement boundaries, the methodology used to gather information, details about the findings, and the vulnerability scores for those findings. The report should be clearly written to convey all of this information, and the results should be reviewed by all stakeholders. Eventually the information from the assessment will be used in a Detailed Risk Analysis. To this end, like the OWASP risk rating methodology, IACS STAR scores can be summarized as a vector score. The vector carries the individual likelihood and consequence factor scores used when rating the risk, which allows easy integration with most automated risk and vulnerability management systems and scoring calculators. To aid the generation of a vector score, each factor has been given an identifier.

- Skill Level (SL)
- Motive (M)
- Opportunity (O)
- Access (A)
- Ease of Access (EA)
- Ease of Exploit (EE)
- Awareness (AW)
- Detection/Response (DR)
- Loss of Confidentiality (LC)
- Loss of Integrity (LI)
- Loss of Availability (LA)
- Loss of Accountability (LAC)
- Environment Damage (ED)
- Process Damage (PD)
- Safety Equipment (SE)
- Recoverability (R)

Once computed, the resulting score vector is represented in the following format:

```
(SL:0/M:0/O:0/A:0/EA:0/EE:0/AW:0/DR:0/LC:0/LI:0/LA:0/LAC:0/ED:0/PD:0/SE:0/R:0)
```

# IACS STAR Calculator

The IACS STAR score calculator has been set up to aid in the calculation of the IACS STAR vulnerability scores.
This calculator follows the model provided by the [OWASP Risk Rating Calculator](https://owasp-risk-rating.com/). It can be used when considering the score for each of the factors that feed the likelihood and consequence calculations. It is intended to aid discussion and to move stakeholders towards consensus. It can also be used to produce the vector score to be added to the assessment findings.

## Online IACS STAR Calculator

The online calculator: [IACS-STAR Calculator](https://iacs-star-calculator.com/)

The online documentation: [IACS-STAR Methodology](https://iacs-star-calculator.com/methodology.html)

## On-Premise IACS STAR Calculator

To run this calculator locally, clone this repository, open a terminal in the repository's `html` directory (where `iacs_star_calculator.html` lives), and run a Python web server with the following command:

```
python3 -m http.server 9000
```

Open your web browser to your [local IACS STAR score calculator](http://localhost:9000/iacs_star_calculator.html).

## Generate or Update the IACS STAR Calculator

The IACS STAR calculator can be generated from data specified in a YAML file. This makes it easy to change the wording of the risk descriptions or to create YAML files for different languages.

The generator requires PyYAML and Jinja2 as dependencies. They can be installed with `pip install -r requirements.txt`.

### Usage

The calculator generation script is designed to work on Windows and Linux. The following is the help statement for the calculator generation script.

```PowerShell
PS CutSec [08/12/2024 16:56:13]> py .\generate_calculator.py -h
usage: generate_calculator.py [-h] [-c FILENAME.yaml] [-t FILENAME.html]

Generate a custom static IACS calculator file from YAML input.

options:
  -h, --help            show this help message and exit
  -c FILENAME.yaml, --config FILENAME.yaml
                        Filename for the YAML configuration file. (default: default.yaml)
  -t FILENAME.html, --template FILENAME.html
                        Filename for the calculator's HTML template file. (default: calculator_template.html)
```

By default the calculator generation uses `config/default.yaml` as the configuration file and the template shipped in the `templates` directory (`calculator_template.ctpl`). The following example outputs a new calculator named `custom-iacs_star_calculator.html` in the `html` directory. Update the YAML file in the `config` directory to create your own calculator.

```zsh
(venv) ➜ ./generate_calculator.py
[*] Reading config file: default.yaml
[*] Using template file: calculator_template.cptl
[*] Wrote new calculator html file: \home\iacs-user\Tools\IACS-STAR_Methodology\html\custom-iacs_star_calculator.html
[*] To start a local web server open a terminal, change to the 'html' directory, and run 'python3 -m http.server 9000'
[*] Use new calculator by navigating to http://localhost:9000:/custom-iacs_star_calculator.html
```

Calculators can be generated for different IACS sectors. The following example demonstrates the creation of a calculator for the pharmaceutical industry. The `pharma.yaml` file has been updated with verbiage from this industry and placed in the `config` directory.

```zsh
(venv) ➜ ./generate_calculator.py --config pharma.yaml
[*] Reading config file: pharma.yaml
[*] Using template file: calculator_template.cptl
[*] Wrote new calculator html file: \home\iacs-user\Tools\IACS-STAR_Methodology\html\pharma-iacs_star_calculator.html
[*] To start a local web server open a terminal, change to the 'html' directory, and run 'python3 -m http.server 9000'
[*] Use new calculator by navigating to http://localhost:9000:/pharma-iacs_star_calculator.html
```

Calculator templates can be used to change colors and other calculator functions. The following example demonstrates the creation of a calculator for the paper mill industry. An updated calculator template with a dark theme is used for this version. The `dark_calc.ctpl` file has been updated with new calculator functionality and placed in the `templates` directory.

```zsh
(venv) ➜ ./generate_calculator.py -c papermill.yaml --template dark_calc.ctpl
[*] Reading config file: papermill.yaml
[*] Using template file: dark_calc.cptl
[*] Wrote new calculator html file: \home\iacs-user\Tools\IACS-STAR_Methodology\html\paper_dark-iacs_star_calculator.html
[*] To start a local web server open a terminal, change to the 'html' directory, and run 'python3 -m http.server 9000'
[*] Use new calculator by navigating to http://localhost:9000:/paper_dark-iacs_star_calculator.html
```

### Editing the YAML Configuration File

The YAML configuration file currently contains three main sections:
1. The *outfile* section specifies the name of the output file that will be generated in the `html` folder.
2. The *option_strings* section contains a subsection for each option field. Each subsection must specify *option_0* through *option_9*, which are used as the text descriptions for the options in the corresponding drop-down field.
3. The
*risk_weight* section allows adjusting the weighting used in the calculation of the

```YAML
outfile:
  # specifying the filename of the output file that will be created in the output folder "html"
  filename: custom-iacs_star_calculator.html

option_strings:
  TAF_SL:
    # Threat Actor Skill level: How technically skilled is this group of threat actors?
    option_0: "0 - N/A"
    option_1: "1 - Limited Information Technology (IT), network, and no Operational Technology (OT) skills"
    option_2: "2"
    option_3: "3 - Moderate IT, limited network, and no OT technical skills"
    option_4: "4"
    option_5: "5 - Advanced IT, moderate network, and limited OT technical skills"
    option_6: "6 - Advanced IT, advanced network, and moderate OT technical skills"
    option_7: "7"
    option_8: "8 - Advanced OT technical skills"
    option_9: "9 - Security penetration skills and knowledge of OT technologies"

[...]

risk_weight:
  # ( TIF_LC + TIF_LI + TIF_LA + TIF_LAC ) / 4 = must result in "1" to be accepted
  TIF_LC: 1
  TIF_LI: 1
  TIF_LA: 1
  TIF_LAC: 1

  # ( SIF_ED + SIF_PD + SIF_SE + SIF_R ) / 4 = must result in "1" to be accepted
  SIF_ED: 1
  SIF_PD: 1
  SIF_SE: 1
  SIF_R: 1
```
--------------------------------------------------------------------------------
/config/default.yaml:
--------------------------------------------------------------------------------
outfile:
  # specifying the filename of the output file that will be created in output folder "html"
  filename: custom-iacs_star_calculator.html

target:
  # Local site configuration
  schema: http
  host: localhost:9000

  # Main site configuration, include html subdirectory name for GitHub Pages
  #schema: https
  #host: iacs-star-calculator.com/html

option_strings:
  TAF_SL:
    option_comment: "Threat Actor Skill level: How
technically skilled is this group of threat actors?"
    option_title: "How technically skilled is this group of threat actors?"
    option_0: "0 - N/A"
    option_1: "1 - Limited Information Technology (IT), network, and no Operational Technology (OT) skills"
    option_2: "2"
    option_3: "3 - Moderate IT, limited network, and no OT technical skills"
    option_4: "4"
    option_5: "5 - Advanced IT, moderate network, and limited OT technical skills"
    option_6: "6 - Advanced IT, advanced network, and moderate OT technical skills"
    option_7: "7"
    option_8: "8 - Advanced OT technical skills"
    option_9: "9 - Security penetration skills and knowledge of OT technologies"

  TAF_M:
    option_comment: "Threat Actor Motive: How motivated are the threat actors once they obtain access to the control environment? An excellent guide for this is the Impact column of the [MITRE ATT&CK ICS Matrix](https://attack.mitre.org/matrices/ics/)."
    option_title: "How motivated are the threat actors once they obtain access to the control environment?"
    option_0: "0 - N/A"
    option_1: "1 - No reward or intention to impact control environment"
    option_2: "2 - Theft of operational data or equipment"
    option_3: "3 - Create loss of view and control as a result of target-of-opportunity access to assets"
    option_4: "4"
    option_5: "5 - Limit access to file shares and prevent view and control using common malware"
    option_6: "6 - Prevent view and control using specially designed malware"
    option_7: "7"
    option_8: "8 - Manipulate view and control using privileged remote access and/or specially designed malware"
    option_9: "9 - Prevent operation of safety equipment or cause a catastrophic failure"

  TAF_O:
    option_comment: "Threat Actor Opportunity: When accessing the control environment, how are the threat actors limited by deployed countermeasures?"
    option_title: "When accessing the control environment, how are the threat actors limited by deployed countermeasures?"
    option_0: "0 - Physical access and local authentication are required and response time is less than fifteen minutes"
    option_1: "1 - Physical access and local authentication are required but response time is more than fifteen minutes"
    option_2: "2"
    option_3: "3 - Physical and remote access is possible, local authentication required, and active monitoring is enabled"
    option_4: "4"
    option_5: "5 - Limited logging of physical or remote access but administrative privileges are required to access network devices, systems, and applications"
    option_6: "6 - Undetected physical or remote access but administrative privileges are required to access network devices, systems, and applications"
    option_7: "7"
    option_8: "8 - Undetected physical or remote access that requires authentication to some network devices, systems, and applications"
    option_9: "9 - Undetected physical or remote access that provides elevated permissions to network devices, systems, and applications"

  TAF_A:
    option_comment: "Threat Actor Access: What are the physical or remote access capabilities achieved by successful exploitation within the process?"
    option_title: "What are the physical or remote access capabilities achieved by successful exploitation within the process?"
    option_0: "0 - N/A"
    option_1: "1 - Physical owner/operator users"
    option_2: "2 - Physical vendor/integrator users"
    option_3: "3 - Remote owner/operator users with Multifactor Authentication (MFA)"
    option_4: "4 - Remote vendor/integrator users with Multifactor Authentication (MFA)"
    option_5: "5 - Remote owner/operator users without Multifactor Authentication (MFA)"
    option_6: "6 - Remote vendor/integrator users without Multifactor Authentication (MFA)"
    option_7: "7 - Remote access without Multifactor Authentication (MFA) or logging"
    option_8: "8 - Physical malicious users"
    option_9: "9 - Remote anonymous internet users"

  # Vulnerability Factor
  VF_EA:
    option_comment: "Vulnerability/Ease of discovery: How easy is it for this group of threat actors to access the environment and discover the existence of the vulnerability?"
    option_title: "How easy is it for this group of threat actors to access the environment and discover the existence of the vulnerability?"
    option_0: "0 - N/A"
    option_1: "1 - Requires physical access to environment or OT device"
    option_2: "2 - Requires physical access to environment or IT device"
    option_3: "3 - Remotely accessible but countermeasures protecting OT technology"
    option_4: "4 - Remotely accessible but countermeasures protecting IT technology"
    option_5: "5"
    option_6: "6 - Remotely accessible but no automated tools to discover for OT technology"
    option_7: "7 - Remotely accessible but no automated tools to discover for IT technology"
    option_8: "8 - Remotely accessible and automated tools available for IT technology"
    option_9: "9 - Remotely accessible and automated tools available for OT technology"

  VF_EE:
    option_comment: "Vulnerability/Ease of exploit: How easy is it to actually exploit the vulnerability?"
    option_title: "How easy is it to actually exploit the vulnerability?"
    option_0: "0 - N/A"
    option_1: "1 - No known proof of concept"
    option_2: "2 - Countermeasures protecting OT technology"
    option_3: "3 - Denial-of-Service possible but no code execution"
    option_4: "4"
    option_5: "5 - Custom scripts / tools can be made to exploit IT technology"
    option_6: "6 - Custom scripts / tools can be made to exploit OT technology"
    option_7: "7"
    option_8: "8 - Automated tools available for IT technology"
    option_9: "9 - Automated tools available for OT technology"

  VF_AW:
    option_comment: "Vulnerability/Awareness: How well known is this vulnerability?"
    option_title: "How well known is this vulnerability?"
    option_0: "0 - N/A"
    option_1: "1 - Unknown OT vulnerability"
    option_2: "2 - Unknown IT vulnerability"
    option_3: "3 - Not publicly known but common configuration vulnerability"
    option_4: "4"
    option_5: "5 - Publicly identified on vendor website or within NVD vulnerability database but no known exploit available"
    option_6: "6 - Publicly identified on vendor website or within NVD vulnerability database, no known exploit available but identified threat actor group can develop exploit"
    option_7: "7"
    option_8: "8 - Publicly identified on vendor website, vulnerability databases, and exploit available in public forums, e.g. Metasploit, Exploit-DB"
    option_9: "9 - Publicly identified and listed in CISA Known Exploited Vulnerabilities Catalog"

  VF_DR:
    option_comment: "Detection/Response - How likely is an exploit to be detected?"
    option_title: "How likely is an exploit to be detected?"
    option_0: "0 - N/A"
    option_1: "1 - Centrally logged with alerts and formal review and response plan"
    option_2: "2"
    option_3: "3 - Centrally logged with alerts and formal review but no response plan"
    option_4: "4"
    option_5: "5"
    option_6: "6 - Centrally logged with alerts, but no formal review or response plan"
    option_7: "7 - Centrally logged and without review"
    option_8: "8 - Locally logged without review"
    option_9: "9 - Not logged"

  TIF_LC:
    option_comment: "Loss of Confidentiality - How much data could be disclosed and how sensitive is it?"
    option_title: "How much data could be disclosed and how sensitive is it?"
    option_0: "0 - No data lost"
    option_1: "1"
    option_2: "2 - Minimal architecture configuration data disclosed"
    option_3: "3"
    option_4: "4 - Minimal network configuration data but no device configuration data disclosed"
    option_5: "5"
    option_6: "6 - Extensive network configuration data and some device configuration data disclosed"
    option_7: "7 - Some process network and device configuration data disclosed"
    option_8: "8"
    option_9: "9 - All process network and device configuration data disclosed"

  TIF_LI:
    option_comment: "Loss of Integrity - How is the process data changed and does it impact critical functions?"
    option_title: "How is the process data changed and does it impact critical functions?"
    option_0: "0 - N/A"
    option_1: "1 - Modification of historical data not used for control"
    option_2: "2 - Modification of historical data used for control"
    option_3: "3"
    option_4: "4 - Local modification of set points used for non-critical functions"
    option_5: "5 - Remote modification of set points used for non-critical functions"
    option_6: "6 - Remote modification of device configurations used for non-critical functions"
    option_7: "7 - Local modification of set points used for critical functions"
    option_8: "8 - Remote modification of set points used for critical functions"
    option_9: "9 - Remote modification of device configurations used for critical functions"

  TIF_LA:
    option_comment: "Loss of Availability - How are production and safety services impacted?"
    option_title: "How are production and safety services impacted?"
    option_0: "0 - N/A"
    option_1: "1 - Minimal production interruption and easily recoverable"
    option_2: "2"
    option_3: "3 - Device or service interrupted but process not impacted"
    option_4: "4 - Production services temporarily interrupted but easily recoverable"
    option_5: "5"
    option_6: "6 - Production services interrupted but does not affect other processes"
    option_7: "7 - Production services interrupted and impacts other processes"
    option_8: "8 - All production services completely lost"
    option_9: "9 - Loss of process safety functionality"

  TIF_LAC:
    option_comment: "Loss of Accountability - Are the threat actor actions traceable to an individual?"
    option_title: "Are the threat actor actions traceable to an individual?"
    option_0: "0 - N/A"
    option_1: "1 - Central logging, Multifactor Authentication (MFA), and cameras"
    option_2: "2 - Central logging, Multifactor Authentication (MFA), but no cameras"
    option_3: "3 - Local logging, Multifactor Authentication (MFA), and cameras but no central logging"
    option_4: "4"
    option_5: "5 - Local logging and cameras but no MFA and no central logging"
    option_6: "6"
    option_7: "7 - Local logging but no MFA, no central logging, and no cameras"
    option_8: "8"
    option_9: "9 - No local or central logging, no MFA, and no cameras"

  SIF_ED:
    option_comment: "Environment Damage - How much damage to the local environment, plant or public, will be realized by successful exploitation?"
    option_title: "How much damage to the local environment, plant or public, will be realized by successful exploitation?"
    option_0: "0 - No environmental impact"
    option_1: "1 - Environment damage limited by safety equipment, active, and passive protections"
    option_2: "2 - Environment damage limited by active and passive protections"
    option_3: "3"
    option_4: "4 - Environment damage limited by passive protections only"
    option_5: "5 - Safety equipment not remotely accessible and active and passive protections are in place"
    option_6: "6"
    option_7: "7 - Safety equipment remotely accessible but active and passive protections are sufficient"
    option_8: "8 - Safety equipment remotely accessible and situation might overwhelm active protections but passive protections are sufficient"
    option_9: "9 - Safety equipment on production network and situation might overwhelm active or passive protections"

  SIF_PD:
    option_comment: "Process Damage - How much damage to the process equipment will be realized by successful exploitation?"
    option_title: "How much damage to the process equipment will be realized by successful exploitation?"
201 | option_0: "0 - No devices can be damaged and configurations cannot be modified" 202 | option_1: "1 - Device or monitoring systems / applications can be modified but do not damage device or process" 203 | option_2: "2" 204 | option_3: "3 - Device configuration can be changed but easily recoverable" 205 | option_4: "4 - Device damaged requiring manual update but limited impact to process" 206 | option_5: "5" 207 | option_6: "6 - Device damaged requiring manual update but significant impact to process" 208 | option_7: "7 - Safety equipment configuration changed but limited impact to process" 209 | option_8: "8 - Safety equipment damaged but limited impact to process" 210 | option_9: "9 - Safety equipment damaged causing process failure or automatic shutdown" 211 | 212 | SIF_SE: 213 | option_comment: "Safety Equipment - How well is digital safety equipment deployed and protected?" 214 | option_title: "How well is digital safety equipment deployed and protected?" 215 | option_0: "0 - Safety equipment not required for process" 216 | option_1: "1 - Safety equipment required for process but neither remotely accessible nor on the same network as the vulnerability" 217 | option_2: "2 - Safety equipment required for process, remotely accessible, and requires MFA but not on the same network as vulnerability" 218 | option_3: "3 - Safety equipment required for process and remotely accessible but does not require MFA and not on the same network as vulnerability" 219 | option_4: "4 - Safety equipment required for process, remotely accessible, requires MFA, and on the same network as vulnerability" 220 | option_5: "5 - Safety equipment required for process, remotely accessible, does not require MFA, and on the same network as vulnerability" 221 | option_6: "6 - Safety equipment vulnerable and remotely accessible but requires MFA" 222 | option_7: "7 - Safety equipment vulnerable and remotely accessible, requires authentication but no MFA" 223 | option_8: "8 - Safety equipment vulnerable and remotely accessible, requires authentication but a default/hardcoded password is in place, and no MFA" 224 | option_9: "9 - Safety equipment vulnerable, remotely accessible, and does not require authentication" 225 | 226 | SIF_R: 227 | option_comment: "Recoverability - How well is the organization / process team prepared to recover during successful exploitation?" 228 | option_title: "How well is the organization / process team prepared to recover during successful exploitation?" 229 | option_0: "0 - Vulnerability will not require or limit recovery operations" 230 | option_1: "1 - Process will automatically recover with no manual efforts" 231 | option_2: "2 - Process will recover with minimal manual efforts" 232 | option_3: "3" 233 | option_4: "4 - Process will recover with extensive manual efforts" 234 | option_5: "5" 235 | option_6: "6 - Recovery not possible without vendor / integrator assistance" 236 | option_7: "7 - Recovery not possible without limited government and vendor / integrator assistance" 237 | option_8: "8 - Recovery not possible without moderate government and vendor / integrator assistance" 238 | option_9: "9 - Recovery not possible without significant government and vendor / integrator assistance" 239 | 240 | risk_weight: 241 | # ( TIF_LC + TIF_LI + TIF_LA + TIF_LAC ) / 4 = must result in "1" to be accepted 242 | TIF_LC: 1 243 | TIF_LI: 1 244 | TIF_LA: 1 245 | TIF_LAC: 1 246 | 247 | # ( SIF_ED + SIF_PD + SIF_SE + SIF_R ) / 4 = must result in "1" to be accepted 248 | SIF_ED: 1 249 | SIF_PD: 1 250 | SIF_SE: 1 251 | SIF_R: 1 -------------------------------------------------------------------------------- /custom/.gitignore: -------------------------------------------------------------------------------- 1 | # Use this file to keep an empty directory 2 | # Ignore all files put here, which could happen during testing. 
3 | * 4 | # Except this file 5 | !.gitignore -------------------------------------------------------------------------------- /html/iacs_star_calculator.html: -------------------------------------------------------------------------------- [Generated calculator page; its markup and script are not preserved in this dump. Headings and text:]

IACS System Testing and Assessment Rating Score Calculator

Likelihood Factors
  Threat Actor Factors: Skill Level, Motive, Opportunity, Access
  Vulnerability Factors: Ease of Discovery, Ease of Exploit, Awareness, Intrusion Detection

Consequence Factors
  Technical Impact Factors: Loss of Confidentiality, Loss of Integrity, Loss of Availability, Loss of Accountability
  Safety Impact Factors: Environment Damage, Process Damage, Safety Equipment, Recoverability

This Risk Rating Calculator is based on IACS System Testing and Assessment Rating (STAR) Methodology. To understand how to effectively use this calculator to score implementation vulnerabilities, please have the stakeholders and assessment team read the methodology documentation to understand the likelihood and consequence factors. Threat actor factor scores will, most likely, be consistent for all situations involving the System-Under-Consideration (SUC). Stakeholders may be required to accurately score the safety impact factors for each issue being reviewed.

This Risk Rating Calculator was generated using the example of OWASP's Risk Rating Calculator.

This project was developed and is supported by Cutaway Security, LLC.
-------------------------------------------------------------------------------- /html/images/istar_scoring_categories_20230721.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cutaway-security/IACS_STAR_Methodology/fc5037185ab5bbcf7b965d15e094dde300ab1087/html/images/istar_scoring_categories_20230721.jpg -------------------------------------------------------------------------------- /html/images/istar_unmitigated_risk_categories_20230721.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cutaway-security/IACS_STAR_Methodology/fc5037185ab5bbcf7b965d15e094dde300ab1087/html/images/istar_unmitigated_risk_categories_20230721.jpg -------------------------------------------------------------------------------- /html/methodology.html: --------------------------------------------------------------------------------
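The option labels and the risk_weight rule in config/default.yaml, and the consequence factor groups laid out on the calculator page, can be exercised end to end. The Python below is an added example, not code from the IACS_STAR_Methodology project or its calculator: it parses the "<score> - <description>" option strings (and bare rungs such as "3") into scores, refuses a weight set whose four weights do not average to 1, as the config comment requires, and computes the weighted average for the technical (TIF_*) and safety (SIF_*) impact groups. The sample finding is constructed, and reporting the larger of the two group averages as "overall" is an assumption of this example; the methodology document, not this code, defines how STAR combines the groups and maps them to risk categories.

```python
"""Consequence scoring against IACS STAR-style factor options.

Added example; not code from the IACS_STAR_Methodology project. The factor
keys, option-label format and weight rule follow config/default.yaml; the
sample finding and the max() combination are assumptions of this example.
"""
import math
import re

# Consequence factor groups, keyed exactly as in config/default.yaml.
TECHNICAL = ("TIF_LC", "TIF_LI", "TIF_LA", "TIF_LAC")
SAFETY = ("SIF_ED", "SIF_PD", "SIF_SE", "SIF_R")

# The default config weights every factor 1; the rule is (sum of 4) / 4 == 1.
DEFAULT_WEIGHTS = {k: 1 for k in TECHNICAL + SAFETY}

# Option labels are "<0-9> - <description>" or a bare rung such as "3".
_LABEL = re.compile(r"^\s*(\d)(?:\s*-\s*(.*))?\s*$")


def score_from_option(label: str) -> int:
    """Return the 0-9 score encoded at the front of an option label.

    Rejects anything outside the config's format (e.g. "10 - ...", "N/A"),
    so a mis-edited config cannot silently feed a bogus score into the average.
    """
    match = _LABEL.match(label)
    if match is None:
        raise ValueError(f"not a STAR option label: {label!r}")
    return int(match.group(1))


def weights_accepted(weights: dict, keys: tuple) -> bool:
    """config/default.yaml rule: the group's four weights must average to 1."""
    try:
        mean = sum(weights[k] for k in keys) / len(keys)
    except KeyError:
        return False
    return math.isclose(mean, 1.0)


def group_score(selected: dict, weights: dict, keys: tuple) -> float:
    """Weighted average of one factor group (TIF_* or SIF_*).

    With weights averaging to 1 the result stays on the same 0-9 scale as the
    individual factors, which is why the config enforces that rule.
    """
    if not weights_accepted(weights, keys):
        raise ValueError(f"weights for {keys} must average to 1")
    total = sum(weights[k] * score_from_option(selected[k]) for k in keys)
    return total / len(keys)


def consequence(selected: dict, weights: dict = DEFAULT_WEIGHTS) -> dict:
    """Score both consequence groups for one finding.

    ASSUMPTION of this example: 'overall' is the larger of the two group
    averages (the conservative reading). The STAR methodology document
    defines the actual combination and the risk categories.
    """
    technical = group_score(selected, weights, TECHNICAL)
    safety = group_score(selected, weights, SAFETY)
    return {"technical": technical, "safety": safety, "overall": max(technical, safety)}


# Constructed sample finding: an unauthenticated path to change a critical
# set point on a controller that shares a network with safety equipment.
# TIF_LC uses a bare rung, which the config format also allows.
SAMPLE_FINDING = {
    "TIF_LC": "3",
    "TIF_LI": "8 - Remote modification of set points used for critical functions",
    "TIF_LA": "7 - Production services interrupted and impacts other processes",
    "TIF_LAC": "7 - Local logging but no MFA, no central logging, and no cameras",
    "SIF_ED": "2 - Environment damage limited by active and passive protections",
    "SIF_PD": "6 - Device damaged requiring manual update but significant impact to process",
    "SIF_SE": "5 - Safety equipment required for process, remotely accessible, does not require MFA, and on the same network as vulnerability",
    "SIF_R": "4 - Process will recover with extensive manual efforts",
}

# A weight set the config rule rejects (averages to 1.25) and one it accepts
# (0.5 + 1.5 + 1 + 1 averages to 1) even though it is not uniform.
REJECTED_WEIGHTS = {**DEFAULT_WEIGHTS, "TIF_LC": 2}
SKEWED_WEIGHTS = {**DEFAULT_WEIGHTS, "TIF_LC": 0.5, "TIF_LI": 1.5}


if __name__ == "__main__":
    print(consequence(SAMPLE_FINDING))                              # technical 6.25, safety 4.25
    print(group_score(SAMPLE_FINDING, SKEWED_WEIGHTS, TECHNICAL))  # 6.875
    try:
        group_score(SAMPLE_FINDING, REJECTED_WEIGHTS, TECHNICAL)
    except ValueError as err:
        print("rejected:", err)
```

The parser is deliberately strict: the calculator's option strings are the only place the score lives, so a label that does not start with a single digit is an error rather than a zero. The skewed weights show why the config's "must result in 1" comment matters: a team can emphasise loss of integrity over loss of confidentiality without inflating or deflating the group average off the 0-9 scale.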