Industrial Cybersecurity & OT Risk calculator

USB Control Risk Reduction Calculator

USB Control Risk Reduction scores the threat posed by removable media in OT environments, where a contractor's infected USB drive remains one of the most common ways malware crosses the air gap into control systems. OT security engineers and ICS risk assessors use it to put a defensible number on USB exposure and to demonstrate, on the same scale, how much port-blocking, sanitization kiosks, or device whitelisting reduce that risk. The score multiplies impact, exposure likelihood, and the weakness of current controls, mirroring the severity-occurrence-detection logic of an FMEA. It matters because USB-borne attacks like Stuxnet and many subsequent ICS incidents prove that a single uncontrolled port can defeat network segmentation entirely.

What this calculator does

  • Score risk reduction from USB control improvements using removable media impact, exposure, and control weakness.
  • Use it when reviewing removable media policies, approved transfer stations, scanning, and exception handling for OT environments.
  • It computes a composite removable-media risk score by multiplying impact, exposure likelihood, and the weakness of existing USB controls on a consistent scale.

Formula used

  • USB control risk score = removable media impact score × removable media exposure score × USB control weakness score
  • Use the same scoring scale before and after USB control changes to compare reduction.

Inputs explained

  • Impact of removable-media compromise:
  • Likelihood of removable-media exposure:
  • USB control gap (weakness of safeguards):

How to use the result

  • Use it before and after deploying USB controls - port locks, scanning kiosks, device whitelisting - to quantify the risk reduction each measure delivers.
  • The multiplicative score is ordinal, not a probability; a score of 6 is not exactly twice as risky as 3, so use it to rank and compare states rather than as an absolute likelihood.

Common questions

  • How do you calculate USB control risk? Multiply the impact score by the exposure likelihood score by the control-weakness score on a shared scale. With impact 7, exposure 6, and control weakness 5, the composite USB control risk score lands at 6.15 on the normalized scale - high enough to prioritize remediation.
  • What is a good USB control risk score? There is no universal threshold, but the value of this tool is the before/after delta: if hardening controls drops the weakness input from 5 to 2, the composite score falls sharply, and that reduction is what you report. Aim to push composite scores into the lower third of your scale for OT zones.
  • Why use impact, exposure, and control weakness instead of severity, occurrence, detection? It is the same FMEA-style logic adapted to removable media: impact maps to severity, exposure to occurrence, and control weakness to the inverse of detection. Keeping the scoring scale identical before and after changes is what makes the comparison valid.
  • How do USB controls actually lower the score? Sanitization kiosks and device whitelisting attack the control-weakness input, while physical port blocking reduces exposure likelihood. Re-score with the same scale after deployment and the composite drops, quantifying the reduction.
  • Does this replace a full ICS risk assessment? No. It is a focused removable-media module that feeds a broader assessment. Use it to rank USB risk against other OT vectors, not as a standalone substitute for a threat-and-vulnerability program.

Last reviewed 2026-05-12.