Magazine | Cybersecurity

What's Your Cybersecurity Breaking Point?

A risk-based approach to OT security helps teams manage a continuous stream of alerts by focusing on the threats with the greatest potential to cause disruption.


By Zachary Woltjer, Data Cyber Analyst, Verve, A Rockwell Automation Company

When it comes to prioritizing vulnerabilities in operational technology (OT), many teams still lean on methods created for IT, where data protection often takes center stage. In OT, however, even a brief security lapse can halt a production line or jeopardize worker safety. Tools like the Common Vulnerability Scoring System (CVSS) offer a starting point, but they rarely capture the complexities of a bustling factory or a 24/7 power station.

OT cybersecurity is about more than just keeping operations running — it’s about identifying which systems, if compromised, could trigger widespread disruptions and prioritizing those vulnerabilities first. A single system trip in a critical production line can cause significant downtime or safety hazards, while a less crucial component might have a more limited impact. This leaves OT teams repeatedly asking the same question: Which issues need to be addressed immediately, and which ones can wait?

That dilemma springs from more than just a difference in priorities: it’s also about resources and uptime. OT systems can’t be paused for patches without risking major operational losses, and specialized staff are often spread thin. As a result, teams struggle to make headway on vulnerability backlogs.

Simply put, IT-based frameworks don’t fully address the unique demands of OT, leaving engineers, plant managers, and security professionals without a clear roadmap for meaningful progress.

Where Conventional Scoring Falls Short

The Common Vulnerability Scoring System (CVSS) is rooted in the CIA triad: it scores a vulnerability's effect on Confidentiality, Integrity and Availability, weighting the three equally and saying nothing about what the affected device actually does. On a plant floor, however, a small hiccup that halts production can do far more damage than a stolen file ever would.

In addition, CVSS scores each vulnerability in isolation, so it cannot show how several minor gaps chain into one major breakdown. It also ignores real-world constraints.

From the Author: The Journal’s Final Issue

“Rockwell Automation consistently pushes the boundaries of automation in the industrial control system space, and we are dedicated to pushing those same boundaries in ICS Cybersecurity to secure our customers, communities, and companies. Understanding and mapping out the impact of every device and the risk of potential vulnerabilities utilizing our calculated risk rating is the first step in achieving those goals, but it will continue to evolve and adapt to our ever-evolving world.

It is a tremendous honor to be a part of this amazing magazine, let alone this last historic issue; thank you to everyone from The Journal and to my fellow Verve and Rockwell coworkers for believing in and supporting me.”

— Zachary Woltjer, Data Cyber Analyst, Verve, A Rockwell Automation Company

For example, you can’t always pause critical equipment to apply patches without racking up significant costs. As a result of these constraints, a so‑called “medium” issue in an office might be devastating on an assembly line if it interrupts a vital process — something not accounted for by CVSS.

In OT, you need a way to account for both how bad a failure could be and how likely it is to happen. By weighing those two elements — rather than relying on generic severity labels — teams can zero in on threats that truly endanger safety and steady operations.

A Two-Part Lens on Risk

At the core of this approach is a fundamental principle: risk equals impact (how bad it could be) multiplied by likelihood (the chance it happens). From there, two major metrics take shape:

1. Calculated Impact Rating (CIR). CIR captures the operational, financial and safety fallout if a device goes down. Consider a large chemical plant, for instance: a brief outage on one production line might be annoying but not disastrous. But a serious failure in a key reactor control system can trigger major downtime or even place employees at risk.

When developing an impact score, security leads and plant managers usually begin by asking, “If this asset were taken offline or tampered with, how big would the disruption be?” They weigh everything from lost production hours and regulatory concerns to potential hardware damage, then assign a rating that guides how urgently each issue should be addressed.

A risk matrix created using the Calculated Impact Rating (CIR).

This is an example of a risk matrix created using the Calculated Impact Rating (CIR) and the Exploit Prediction Scoring System (EPSS) probability scores to pinpoint areas of significant concern. Assets with a “Critical” or “High” CIR and high EPSS percentages are flagged as areas that demand immediate attention.

By consistently assigning these ratings, organizations translate vague concerns about “what might go wrong” into data points that can be compared across an entire operation.

2. Likelihood Rating (EPSS). Next, a Likelihood Rating — based on Exploit Prediction Scoring System (EPSS) — estimates which vulnerabilities attackers are focusing on in the real world. While some flaws see few or no exploits, others appear in active campaigns.

EPSS, published by FIRST, combines vulnerability characteristics with observed exploitation activity and the availability of public exploit code to estimate the probability that a given vulnerability will be exploited in the wild within the next 30 days. Because it is a probability rather than a severity label, it can be multiplied directly into a risk score.

In OT, the network’s layout can also raise or lower likelihood. An internet-facing HMI remains a prime target, while a PLC behind a well-segmented OT network is comparatively harder to reach. Adjusting the raw EPSS probability for local context — firewalls, physical isolation or strong authentication — helps teams see whether a flaw that is “critical” in theory is actually reachable by an outside attacker.

Combining Impact and Likelihood

Once Impact and Likelihood are calculated, they’re merged in a risk matrix (see the matrix above) or a formula such as: Risk Score = Impact Rating x Likelihood Rating.

Assets or vulnerabilities that land in the high‑impact, high‑likelihood quadrant receive immediate attention, often requiring a dedicated patch cycle or stronger segmentation measures. Meanwhile, items with moderate or low likelihood might be addressed during planned maintenance or when resources become available.

Although no model can eliminate risk entirely, having a clear mechanism to rank vulnerabilities helps OT teams plan patching schedules and allocate budget more effectively.
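As an added example, and not code from the article or from Verve/Rockwell, the following Python script ranks a small OT inventory by Impact x Likelihood in the way the preceding sections describe. The 1 to 4 numeric scale behind the CIR labels, the exposure multipliers used to adjust raw EPSS for network placement, the matrix thresholds, the asset names and every score, including the placeholder CVE identifiers, are assumptions made for illustration; only the column layout of the EPSS feed (a comment line, then cve,epss,percentile) matches the public CSV.

```python
"""Rank OT findings by Risk = Impact (CIR) x Likelihood (EPSS adjusted for exposure).

Added example, not code from the article or from Verve/Rockwell. The CIR scale,
the exposure factors, the matrix thresholds and all sample data are assumptions.
"""
import csv
import io
from dataclasses import dataclass

# Assumed ordinal mapping for the Calculated Impact Rating labels.
CIR_SCALE = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}

# Assumed multipliers that scale raw EPSS by how reachable the asset is.
EXPOSURE_FACTOR = {
    "internet_facing": 1.0,   # reachable from the internet (e.g. an exposed HMI)
    "business_network": 0.6,  # reachable from the IT network
    "segmented_ot": 0.25,     # behind an OT firewall / DMZ
    "isolated": 0.05,         # no routed path; physical access required
}

# Constructed sample in the layout of the public EPSS CSV feed
# (one '#' comment line, then cve,epss,percentile). Every figure is made up.
EPSS_CSV = """#model_version:example,score_date:2024-01-01
cve,epss,percentile
CVE-0000-0001,0.92,0.99
CVE-0000-0002,0.01,0.30
CVE-0000-0003,0.60,0.95
CVE-0000-0004,0.15,0.80
"""


@dataclass
class Finding:
    asset: str
    cve: str
    cir: str       # Calculated Impact Rating: Critical / High / Medium / Low
    exposure: str  # key into EXPOSURE_FACTOR
    cvss: float    # carried along only to contrast the CVSS view with the risk view


def load_epss(text: str) -> dict[str, float]:
    """Parse EPSS CSV text into {cve: probability}, skipping '#' comment lines."""
    rows = (line for line in io.StringIO(text) if not line.startswith("#"))
    return {r["cve"]: float(r["epss"]) for r in csv.DictReader(rows)}


def likelihood(epss: float, exposure: str) -> float:
    """Raw EPSS adjusted for network placement; an unknown exposure is treated as worst case."""
    return epss * EXPOSURE_FACTOR.get(exposure, 1.0)


def risk_score(cir: str, lik: float) -> float:
    """Risk = Impact x Likelihood on the assumed scales."""
    return CIR_SCALE[cir] * lik


def matrix_cell(cir: str, lik: float) -> str:
    """Assumed bucketing mirroring the matrix: high impact plus high likelihood goes first."""
    high_impact = cir in ("Critical", "High")
    if high_impact and lik >= 0.5:
        return "immediate"
    if high_impact or lik >= 0.5:
        return "next maintenance window"
    return "backlog"


def rank_findings(findings, epss_table):
    """Return findings ordered by risk, highest first. A CVE missing from EPSS scores 0 but is flagged."""
    ranked = []
    for f in findings:
        epss = epss_table.get(f.cve)
        lik = likelihood(epss if epss is not None else 0.0, f.exposure)
        ranked.append({
            "asset": f.asset, "cve": f.cve, "cir": f.cir, "cvss": f.cvss,
            "epss_known": epss is not None,
            "likelihood": round(lik, 3),
            "risk": round(risk_score(f.cir, lik), 3),
            "action": matrix_cell(f.cir, lik),
        })
    return sorted(ranked, key=lambda r: r["risk"], reverse=True)


# Constructed inventory: a CVSS "critical" on an isolated reactor PLC versus a
# CVSS "medium" on an internet-facing packaging HMI, as in the article's scenario.
SAMPLE_FINDINGS = [
    Finding("PLC-reactor-01", "CVE-0000-0001", "Critical", "isolated", 9.8),
    Finding("HMI-packaging-03", "CVE-0000-0003", "High", "internet_facing", 5.3),
    Finding("EWS-lab-02", "CVE-0000-0002", "Low", "business_network", 7.5),
    Finding("HIST-plant-01", "CVE-0000-0004", "Medium", "segmented_ot", 8.1),
]

if __name__ == "__main__":
    for r in rank_findings(SAMPLE_FINDINGS, load_epss(EPSS_CSV)):
        print(f"{r['asset']:<18} CVSS {r['cvss']:<4} CIR {r['cir']:<9} "
              f"lik {r['likelihood']:<6} risk {r['risk']:<6} -> {r['action']}")
```

Run as written, the CVSS 5.3 finding on the exposed packaging HMI ranks first and lands in the "immediate" cell, while the CVSS 9.8 finding on the isolated PLC drops to a maintenance-window item because its adjusted likelihood is small. The exposure multipliers are the part a plant team should replace with its own judgement of segmentation and access controls; the arithmetic is deliberately simple so the ranking can be explained to a plant manager.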

Case in Point: Food Manufacturing

During a risk assessment exercise, a global food manufacturer expressed frustration with the limitations of relying on general‑purpose vulnerability scans. On paper, they were faced with hundreds of “critical” vulnerabilities, yet their OT team determined that many of these so‑called critical flaws posed minimal real‑world risk.

In contrast, certain “medium” vulnerabilities had the potential to disrupt packaging lines that generated the company’s highest revenue.


By adopting a two‑part rating approach, the manufacturer revisited each vulnerability with a focus on two questions: Could it force a shutdown of a vital production line, and how likely was it that attackers could reach and exploit it?

Within a few weeks, teams identified a small number of vulnerabilities needing urgent action, such as immediate patches, updated firewalls or restricted user privileges. Lower‑priority items were documented for routine maintenance windows, which allowed the plants to operate at full capacity without endless patch disruptions.

This data‑driven approach didn’t just minimize risk; it also supported compliance and aligned with broader strategic goals, ensuring the manufacturer could address pressing threats while keeping operations on track.

Final Thoughts

A risk-based approach to OT security can go beyond reducing patch lists. It helps teams manage continuous alerts more effectively by focusing on threats with the greatest potential to disrupt production or compromise safety.

As a result, noncritical issues receive less attention, and resources are more likely to be used where they have the strongest impact. In many cases, fewer unplanned shutdowns occur, and stakeholders are presented with measurable progress rather than routine, generic updates.

Adopting this perspective may also influence day-to-day operations. Staff spend less time responding to alerts of questionable severity, budgets stretch further by targeting risks with genuine consequences, and the organization becomes better prepared for technological changes or emerging threats.

In this way, a risk-based method aligns vulnerability management with practical needs, ultimately contributing to more resilient systems and a proactive security stance.

The Journal From Rockwell Automation and Our PartnerNetwork™ is published by Endeavor Business Media.

Topics: The Journal
