What is CVSS?
CVSS (Common Vulnerability Scoring System) is an internationally standardised system for assessing the severity of vulnerabilities in software or systems.
The scoring model produces a value between 0 and 10, where 10 represents the highest criticality. CVSS is widely used in vulnerability scanning, patch management and risk management.
In OT, CVSS helps prioritise vulnerabilities in PLCs, HMIs and embedded firmware, provided it is interpreted correctly in the context of availability and safety.
Why is CVSS useful in OT?
| Use in OT security | Example |
|---|---|
| Prioritising vulnerabilities | Firmware issue with CVSS 9.8 = urgent patch policy |
| Risk assessment under IEC 62443 | Substantiation of risk score or SL-T impact |
| Decisions on patch management | Defer or schedule urgently? |
| Visibility of supplier risks | Tracking CVEs in delivered software |
How does CVSS work?
A CVSS score consists of three main components:
| Component | Description |
|---|---|
| Base Score | Fundamental severity of the vulnerability (vector: AV, AC, UI, etc.) |
| Temporal Score | Accounts for exploitability and availability of mitigations |
| Environmental Score | Adjustable to your specific OT environment |
Example CVSS vector
Example for a vulnerability in a PLC web interface:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
| Vector field | Value | Meaning |
|---|---|---|
| AV (Attack Vector) | N (Network) | Attack possible over the network |
| AC (Attack Complexity) | L (Low) | No advanced knowledge required |
| PR (Privileges Required) | N (None) | No authentication required |
| UI (User Interaction) | N (None) | No user interaction required to trigger |
| C/I/A (Impact) | H/H/H | High impact on confidentiality, integrity and availability |
Result: score = 9.8 (Critical)
OT-specific considerations
| CVSS doesn't always tell the whole story... | Additional considerations in OT |
|---|---|
| A high score does not always mean high impact in OT | Air-gapped system? Not directly reachable? |
| Low score can still be critical | If the system is safety-critical (e.g. SIS or ESD) |
| CVSS does not consider process safety | Consider supplementary scoring per IEC 62443-3-2 or SIL |
Best practices
- Use CVSS as a starting point, but add contextual impact analysis
- Link CVSS scores to your risk register and asset inventory
- Adjust the Environmental Score for factors such as zone, network separation and impact on safety
- Work with thresholds: e.g. >8.0 = immediate action, 5 to 8 = scheduled maintenance
- Involve Engineering or Maintenance in assessing OT relevance
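To make the vector walk-through above and the Environmental Score adjustment concrete, here is an added Python example (not part of the original text) that implements the CVSS v3.1 base and environmental formulas from the specification. It reproduces the 9.8 for the page's PLC vector and then rescores the same flaw with a constructed OT context: the PLC is reachable only from the adjacent cell network (MAV:A) and has a high availability requirement (AR:H); temporal metrics are treated as Not Defined.

```python
import math

# Metric weights from the CVSS v3.1 specification (section 7.4).
W = {"AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2},
     "AC": {"L": 0.77, "H": 0.44}, "UI": {"N": 0.85, "R": 0.62},
     "C": {"H": 0.56, "L": 0.22, "N": 0.0}}
W["I"] = W["A"] = W["C"]
REQ = {"H": 1.5, "M": 1.0, "L": 0.5, "X": 1.0}  # CR/IR/AR, X = Not Defined

def roundup(x):
    # Spec-defined round-up to one decimal that avoids float artefacts.
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0

def parse(vector):
    parts = vector.split("/")
    assert parts[0] == "CVSS:3.1", "only CVSS v3.1 vectors are handled"
    return dict(p.split(":") for p in parts[1:])

def score(m, environmental=False):
    """Base score, or Environmental score (modified metrics + CR/IR/AR) if requested."""
    def g(k):  # a modified metric (MAV, MS, ...) overrides the base one unless X
        v = m.get("M" + k, "X") if environmental else "X"
        return m[k] if v == "X" else v
    req = (lambda k: REQ[m.get(k, "X")]) if environmental else (lambda k: 1.0)
    s = g("S")
    # PR weighs more when the vulnerable component can reach another scope.
    pr = {"N": 0.85, "L": 0.68 if s == "C" else 0.62, "H": 0.50 if s == "C" else 0.27}[g("PR")]
    iss = 1 - (1 - req("CR") * W["C"][g("C")]) * (1 - req("IR") * W["I"][g("I")]) \
            * (1 - req("AR") * W["A"][g("A")])
    if environmental:
        iss = min(iss, 0.915)
    if s == "U":
        impact = 6.42 * iss
    elif environmental:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss * 0.9731 - 0.02) ** 13
    else:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    expl = 8.22 * W["AV"][g("AV")] * W["AC"][g("AC")] * pr * W["UI"][g("UI")]
    if impact <= 0:
        return 0.0
    total = min(impact + expl if s == "U" else 1.08 * (impact + expl), 10)
    return roundup(total) if not environmental else roundup(roundup(total) * 1.0)

if __name__ == "__main__":
    plc = parse("CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H")
    print("base:", score(plc))  # 9.8
    # Same PLC, adjacent-network only, high availability requirement (constructed OT context).
    ot = parse("CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/MAV:A/AR:H")
    print("environmental:", score(ot, environmental=True))  # 8.8
```

The drop from 9.8 to 8.8 is what the Environmental Score is for: the flaw is unchanged, but the documented network placement lowers the effective risk, which belongs in the risk register alongside the base score.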
In summary
CVSS helps prioritise vulnerabilities objectively, but in OT it should always be enriched with knowledge of the installation, the process and the impact on people and safety.
