The Common Vulnerability Scoring System (CVSS) is designed as a numeric measure of vulnerability and is widely used in IT organizations as a method to understand and prioritize remediation efforts. When it comes to using CVSS scores in the world of the Internet of Things (IoT), Industrial Control Systems (ICS), or more broadly Operations Technology (OT), there are many challenges, and some would argue that the system is completely broken. Here are just a few of the challenges in the OT environments:
- The CVSS score doesn't speak to physical or kinetic impact
- The CVSS score doesn't directly translate to risk – it's just one input to a risk equation (true for both IT and OT but often less understood in the OT context)
- The CVSS score is not as helpful for prioritization of remediation efforts in OT as it is in IT due to these and other issues
Organizations must have a mature vulnerability management or risk management process in order to know how to properly handle a CVSS score; otherwise, valuable resources and investments can be misallocated. I have worked with two types of programs on this front:
- Mature programs, which use the CVSS score but look at it only through the lens of vulnerability. The program then feeds the CVSS score into a prioritization mechanism that considers impact, including the typical business impact (e.g. financial loss) but also operational and cyber-physical aspects (e.g. health, safety, and environmental concerns).
- Less mature organizations, which try to use CVSS as the sole prioritization input. These organizations misallocate resources by focusing remediation on so-called ‘Critical’ or ‘High’ rated vulnerabilities that have minimal impact, while more serious risks that don’t register as highly from a CVSS perspective go unaddressed.
I addressed this challenge briefly in my discussion of patching at the S4x19 OnRamp session covering assessment techniques for ICS. Additionally, the topic was discussed at the same event in a panel session where the panelists each acknowledged the challenges of CVSS and presented their version of an alternative. Billy Rios showed how CVSS in the context of medical devices can be very misleading when it comes to understanding impact to the patient. Art Manion came out with the strong statement "Do not use. Replace". To be fair to CVSS, I'm not sure the creators ever envisioned the scoring system being used to prioritize remediation in a scenario where human life is literally at risk. This was exactly the case that Billy Rios illustrated with CVSS scores for vulnerabilities discovered in medical devices.
Alternative scoring methods proposed in the S4x19 panel ranged from Manion's simplified rating system of "Now, Next, Never" to Clint Bodungen's Industrial Vulnerability Scoring System (IVSS) that accounts for additional variables like process impact in the calculation of the score.
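As an added example (not Revolutionary Security's method, not IVSS, and not any published scheme), the Python below treats a CVSS base score as one input, scales it by cyber-physical and process consequence and by exposure, and buckets the result into Manion's "Now, Next, Never". Every weight, threshold and sample finding is constructed for illustration; the point is that the ranking reverses once consequence is considered.

```python
"""Added example: CVSS as one input to an OT triage, not the whole answer.
Weights, thresholds and findings are assumptions made for this example."""
from dataclasses import dataclass

# Assumed consequence scale: 0 = none ... 3 = credible threat to
# health, safety or the environment (or to the production process).
IMPACT_WEIGHT = {0: 0.0, 1: 0.5, 2: 1.0, 3: 2.0}

@dataclass
class Finding:
    name: str
    cvss: float          # CVSS base score as published (0.0 - 10.0)
    hse_impact: int      # health / safety / environment consequence, 0-3
    process_impact: int  # production or process disruption, 0-3
    reachable: bool      # asset reachable from the business/IT network
    compensating: bool   # segmentation or monitoring already in place

def defensive_priority(f: Finding) -> float:
    """Assumed formula: CVSS severity scaled by consequence and exposure."""
    consequence = 1.0 + IMPACT_WEIGHT[f.hse_impact] + IMPACT_WEIGHT[f.process_impact]
    exposure = 1.0 if f.reachable else 0.5
    mitigation = 0.7 if f.compensating else 1.0
    return round(f.cvss * consequence * exposure * mitigation, 1)

def triage(f: Finding) -> str:
    """Manion-style buckets; the thresholds are this example's assumption."""
    score = defensive_priority(f)
    if score >= 15.0 or (f.hse_impact == 3 and f.reachable):
        return "Now"
    if score >= 6.0:
        return "Next"
    return "Never"

def rank(findings, key):
    """Names ordered highest priority first under the given key."""
    return [f.name for f in sorted(findings, key=key, reverse=True)]

# Constructed sample findings (hypothetical assets, not real advisories).
FINDINGS = [
    Finding("HMI web console RCE (isolated test bench)", 9.8, 0, 0, False, True),
    Finding("Historian DoS on corporate-facing server", 7.5, 0, 2, True, True),
    Finding("Safety PLC logic write without auth", 6.5, 3, 3, True, False),
]

if __name__ == "__main__":
    print("CVSS-only order:      ", rank(FINDINGS, lambda f: f.cvss))
    print("Defensive-value order:", rank(FINDINGS, defensive_priority))
    for f in FINDINGS:
        print(f"{f.name}: {defensive_priority(f)} -> {triage(f)}")
```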
Regardless of the scoring mechanism for vulnerability or risk, organizations ultimately need a way to prioritize security investments—whether that's remediation of known vulnerabilities or investments in new tools or capabilities. At Revolutionary Security, we like to think about this as "Defensive Value". This lets us reframe the question around the value of each investment: patching in an environment where patching is difficult and costly, adding a new monitoring or detection capability, or identifying ways to reduce the potential impacts of attack or abuse. Reaching this level of decision making requires understanding the operational context of the ICS environment as well as the potential impacts or consequences of a compromise. In short, this is something that you cannot get from any automated tool or scoring system.