Cynable
Sign in Request a demo
Platform/Risk Management
M02THE RISK MODULE

A risk score that
moves with the plant.

Score OT risk the IEC 62443 way, threat times vulnerability times consequence, on the assets you already modeled. Watch the number change as firmware, exposure and controls change, instead of once a year.

68
live OT Risk Score
4
open high-severity risks
6d
mean time to remediate
SL2
vs SL3 target
THE PROBLEM

A risk score in a slide deck is a guess with a decimal point.

Consultants score risk once, by hand, against a snapshot of the plant. By the time the deck is presented, a patch has landed, a device has been swapped, an exposure has opened. The number is precise and wrong.

01
Scored once, then frozen
A yearly assessment can't track a plant that changes weekly.
02
No line to the asset
A spreadsheet score can't tell you which device to fix first.
03
No shared method
Every site scores differently, so numbers can't be compared or rolled up.
THE RISK LIFECYCLE

Identify, assess, treat, and keep watching.

{{ ph.step }}

{{ ph.title }}

{{ ph.body }}

CAPABILITIES

Scoring that stands up to an auditor.

IEC 62443 methodology

Threat, vulnerability and consequence combine into a defensible risk index, with the target and achieved Security Levels tracked per zone.

Tied to the real asset

Every score points at a specific device in a specific zone, so the fix list is ranked by what actually reduces risk fastest.

High-severity tracking

Open HS risks surface first, with owners and due dates attached.

MTTR you can prove

Every treatment is timestamped, so mean time to remediate is measured, not estimated.

Rolls up the hierarchy

One asset's risk flows up to its zone, site and the whole group.

THE RISK DASHBOARD

Four numbers leadership actually asks for.

Every metric is live and rolls up the hierarchy, so the board sees one number and the engineer sees the device behind it.

OT RISK SCORE
68
↓ 12 QoQ
0 = clean · 100 = critical exposure
OPEN HIGH-SEVERITY RISKS
4
2 overdue · 2 in treatment
MEAN TIME TO REMEDIATE
6
days
down from 21 days last year
SECURITY LEVEL vs TARGET
SL2
/ SL3
1 2 3 4
1 level to close in Process Control Zone
HOW RISK IS SCORED

Threat × vulnerability × consequence.

The IEC 62443 model, made tangible. Set the three factors for one asset and watch the risk index, severity band and recommended action update live.

ASSET · PLC-A17 · PROCESS CONTROL ZONE
Allen-Bradley 1756-L71
Threatlikelihood of a capable actor
Vulnerabilityexposure & control gaps
Consequenceimpact if compromised
RISK INDEX
18
T×V×C
2 × 3 × 3
HIGH requires SL3
RECOMMENDED ACTION

Prioritize this asset. Close control gaps and re-segment the zone to reduce vulnerability.

A scored risk is only worth it if you can prove you closed it.

Audits & Compliance turns your treated risks into evidence chains that hold up in front of any auditor. See how the two modules work together.