New OT Security Frameworks Emphasize Incident Impact Scoring and Edge-Based Defense
ICS/OT security practitioners introduced a new framework for communicating the real-world severity of operational technology incidents: the Operational Technology Incident (OTI) Impact Score, a “Richter Scale”-inspired scoring system intended to quickly convey business and physical consequences of OT cyber events. The model, created by Digital Bond’s Dale Peterson and slated for release at the S4x26 conference, is positioned as a way to reduce both overhyped and underreported OT incident narratives and to help executives, governments, insurers, and responders align resources (including ICS and physical response teams) to the actual impact.
Separately, Palo Alto Networks Unit 42 described joint research with the Siemens Cybersecurity Lab and Idaho National Laboratory arguing that disruptive OT incidents are often not “OT-native” but instead begin with upstream IT compromises and progress over time toward industrial environments. The research advocates shifting detection and response “left” to the network edge between IT and OT, using earlier visibility and predictive threat behavior to turn dwell time into a defensive advantage; detailed findings were published in a companion whitepaper, Intelligence-Driven Active Defense: Securing Operational Technology Environments.

How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
OTI Impact Score is unveiled at the S4x26 Conference
ICS/OT experts introduced the Operational Technology Incident Impact Score at the S4x26 Conference in Miami as a standardized way to communicate the real-world magnitude of OT cyber incidents. The model combines severity, reach, and duration into a single score and is intended for use by executives, governments, insurers, media, and the public.
Unit 42 publishes guidance to shift OT defense toward edge-focused SecOps
Palo Alto Networks Unit 42 published recommendations for an OT SecOps maturity model centered on segmentation, passive visibility, pre-approved active defense actions at the edge, and closer IT-OT SOC coordination. The guidance argued that roughly 70% of OT-impacting attacks originate in IT and that long precursor phases, averaging about 185 days, create time for earlier intervention.
Joint OT research identifies the IT-OT edge as a key defense point
Research by Palo Alto Networks' OT Threat Research Lab, Siemens Cybersecurity Lab, and Idaho National Laboratory concluded that many disruptive OT incidents begin in IT environments and that the IT-OT network edge offers earlier opportunities to detect attacker activity. The work highlighted indicators such as authentication anomalies, protocol misuse, and reconnaissance at this boundary.