Configure risk calculators

  • Release version: Washington DC
  • Updated February 7, 2024
  • Determine which OT risk factors to use when calculating the risk of a vulnerable item on an OT device.

    Before you begin

    In Operational Technology, additional factors can include the OT device criticality, the Purdue Level, and the criticality of the production process that the OT device automates.

    Role required: sn_vul.manage_risk_score_configuration or sn_vul.vulnerability_admin

    About this task

    For this step, refer to Default Risk Calculator with OT, the vulnerability calculator shipped with the Operational Technology Vulnerability Response application demo data. Use the Default Risk Calculator with OT when risk must be calculated differently for OT and non-OT vulnerable items.
    Note:
    Because only one vulnerability calculator can be active at a time, the provided Default Risk Rule (non OT) is used as an example for calculating risk for all non-OT vulnerable items.

    For more information, see Define fields and weights for the risk rule.

    To set the risk score for OT vulnerable items, adjust the weights for the risk rule records of the OT Default Risk Rule in the demo data. Additional fields available for OT in the demo data include:
    • Equipment Model Entity Criticality - Use the Service Business criticality rule.
    • OT Device Criticality - Use the Configuration item OT device details Device Criticality rule.
    • Purdue Level - Use the Configuration item OT device details Purdue level field.

    Procedure

    1. Navigate to Vulnerability Calculators.
    2. From the Vulnerability Calculators list, select Default Risk Calculator with OT.
    3. From the Vulnerability Calculators Rules list, open the risk rule that you want to edit.
      For example, select OT Default Risk Rule.
    4. In the Risk Calculator Criteria section of the Vulnerability Risk Rule page, select a risk rule field.
    5. On the Risk rule field record, update the weight or the weightage % for each criterion according to its importance in the overall risk score calculation.
    6. Select Update.

    What to do next

    To set the risk score for all other vulnerable items, copy the existing risk rules to the Default Risk Calculator with OT, and set the order to run after the OT Default Risk Rule.