SSVC
Provide howto/tutorial for ICS and OT stakeholders
Be clear about how Industrial Control System and Operations Technology stakeholders are handled. In many cases they may use the usual SSVC v1 decision points, but with a different risk tolerance or suggested tree. Consider demonstrating how such stakeholders might have a different tree. For any changes in v2 that are made to accommodate these stakeholders and give them appropriate flexibility, document those clearly in one place.
For reference: ICS-Patch is Dale Peterson's idea on how to adapt SSVC for ICS.
- https://www.linkedin.com/pulse/ics-patch-what-patch-when-dale-peterson/
- https://dale-peterson.com/wp-content/uploads/2020/10/ICS-Patch-0_1.pdf
Notes from conversation on 2021-02-24:
This issue is related to #74 and how things like exposure change in response to mitigations.
Evaluation in this context might conclude that safety or mission impacts are too high or too low. However, in the conversation both positions were expressed by folks who don't have ICS/OT experience, which is taken as an indication that we need input from those who do.
A likely next step is to identify and work with an ICS or OT partner to evaluate the deployer tree with an eye toward either
- "0" acceptance of that tree as-is (existing tree is sufficient)
- "1" specific modifications to make it acceptable (one more tree would be sufficient)
- "many" a description characterizing the variance one might expect to encounter in different deployment scenarios (multiple new trees may be necessary)
Note: a "new tree" in the above includes the case where the decision points and options remain the same but the decision itself changes.
This would be a good fit for a how-to document, I think.
We could also potentially provide an example tree with an appropriate description.
We'd need to source the tree from someone who actually knows how the ICS/OT part of this works though.