By Denny Wan and Daniel Marsh
The Common Vulnerability Scoring System (CVSS) is used throughout various industries to score vulnerabilities on several metrics. These metrics focus on confidentiality, integrity and availability, the well-known CIA triad ingrained in the mentality of cybersecurity professionals, and extend to the temporal (exploit maturity) and environmental metric groups when and where the additional information is available. This allows CVSS scores to be "weighted" for organisational nuances and discrepancies. For example, a vulnerability with a CVSS score of 10 could be lowered on the basis of temporal and environmental factors, such as the affected system being protected by an air-gapped network.
When working in industrial environments, the context of an ICS vulnerability can be vastly different. CVSS does not include an estimate of the potential economic impact of successfully exploiting a vulnerability. Blindly applying CVSS to any environment without addressing context can result in inappropriate prioritisation, with resources and effort misdirected, leading to potentially disastrous consequences. A remote code execution (RCE) vulnerability is critical for any exposed system; however, in a segmented and isolated environment the same RCE does not have the required exposure factors. The temporal CVSS metrics should help to reduce the score slightly, but not necessarily enough to move it off the highest score among vulnerabilities in the environment. A high CVSS score does not necessarily mean the vulnerability is critical to an ICS, and treating CVSS as if it does can result in massive economic loss, including the loss of life.