Industrial Cybersecurity & OT Risk calculator
USB Control Risk Reduction Calculator
USB Control Risk Reduction scores the threat posed by removable media in OT environments, where a contractor's infected USB drive remains one of the most common ways malware crosses the air gap into control systems. OT security engineers and ICS risk assessors use it to put a defensible number on USB exposure and to demonstrate, on the same scale, how much port-blocking, sanitization kiosks, or device whitelisting reduce that risk. The score multiplies impact, exposure likelihood, and the weakness of current controls, mirroring the severity-occurrence-detection logic of an FMEA. It matters because USB-borne attacks like Stuxnet and many subsequent ICS incidents prove that a single uncontrolled port can defeat network segmentation entirely.
What this calculator does
- Score risk reduction from USB control improvements using removable media impact, exposure, and control weakness.
- Use it when reviewing removable media policies, approved transfer stations, scanning, and exception handling for OT environments.
- It computes a composite removable-media risk score by multiplying impact, exposure likelihood, and the weakness of existing USB controls on a consistent scale.
Formula used
- USB control risk score = removable media impact score × removable media exposure score × USB control weakness score
- Use the same scoring scale before and after USB control changes to compare reduction.
Inputs explained
- Impact of removable-media compromise:
- Likelihood of removable-media exposure:
- USB control gap (weakness of safeguards):
How to use the result
- Use it before and after deploying USB controls - port locks, scanning kiosks, device whitelisting - to quantify the risk reduction each measure delivers.
- The multiplicative score is ordinal, not a probability; a score of 6 is not exactly twice as risky as 3, so use it to rank and compare states rather than as an absolute likelihood.
Common questions
- How do you calculate USB control risk? Multiply the impact score by the exposure likelihood score by the control-weakness score on a shared scale. With impact 7, exposure 6, and control weakness 5, the composite USB control risk score lands at 6.15 on the normalized scale - high enough to prioritize remediation.
- What is a good USB control risk score? There is no universal threshold, but the value of this tool is the before/after delta: if hardening controls drops the weakness input from 5 to 2, the composite score falls sharply, and that reduction is what you report. Aim to push composite scores into the lower third of your scale for OT zones.
- Why use impact, exposure, and control weakness instead of severity, occurrence, detection? It is the same FMEA-style logic adapted to removable media: impact maps to severity, exposure to occurrence, and control weakness to the inverse of detection. Keeping the scoring scale identical before and after changes is what makes the comparison valid.
- How do USB controls actually lower the score? Sanitization kiosks and device whitelisting attack the control-weakness input, while physical port blocking reduces exposure likelihood. Re-score with the same scale after deployment and the composite drops, quantifying the reduction.
- Does this replace a full ICS risk assessment? No. It is a focused removable-media module that feeds a broader assessment. Use it to rank USB risk against other OT vectors, not as a standalone substitute for a threat-and-vulnerability program.
Last reviewed 2026-05-12.