Understanding the Common Vulnerability Scoring System
The common vulnerability scoring system (CVSS) provides manufacturers a way to assess the principal characteristics of a vulnerability and produce a numerical score reflecting its severity.
This can then be translated into a qualitative representation, such as low, medium, high or critical, to help organizations in their vulnerability management processes. Here, Claudia Jarrett, country manager at industrial parts supplier EU Automation, explains the core concepts of the CVSS.
When fully protected, technological devices, both on and offline, can optimize a number of processes on the factory floor. However, advances in technology are allowing manufacturers to streamline and monitor processes by connecting devices to monitor production in real-time.
Take a programmable logic controller (PLC) as an example. It is an automated decision-making tool that monitors the state of connected devices and makes decisions to streamline processes. As technology has advanced, PLCs have begun offering remote access for ease of maintenance and more flexibility to control other devices.
To monitor and control processes, PLCs must be connected to the internet. However, this exposes the technology to cyber-attacks. When installing these devices, manufacturers must choose the correct supplier that prioritizes security in both the device and its programming tools.
As the number of devices connected to the internet increases, so does the number of vulnerabilities. The CVSS allows manufacturers to categorize these potential vulnerabilities to ensure that the most dangerous are patched before an attack occurs.
What’s the score?
The CVSS was developed by the National Infrastructure Advisory Council (NIAC) and consists of three metric groups; base, temporal and environmental. The base score severity range is a metric, measured zero to ten, which represents the characteristics of the vulnerability. This part of the score takes into account the impact of the vulnerability if it was exploited. It also considers the exploitability — how the vulnerability is accessed, the complexity of the required attack and the number of times an attacker must authenticate to be successful.
The temporal score represents the characteristics of the vulnerability that are not fixed. Again, this covers the exploitability, but also the techniques or code that change over time. It also takes into account the level of remediation that is available for the vulnerability and the level of confidence in the existence of the vulnerability.
Finally, the environmental score is all about the user’s environment, including the collateral damage potential of the vulnerability. In other words, this is about the impact on other equipment, people and businesses if the vulnerability is uncovered.
It’s virtually impossible for companies, especially those that are small to medium sized, to patch every vulnerability as soon as it is found. The CVSS gives an intuitive way of understanding which attacks will have the biggest impact, meaning that you can continue implementing digital technologies that will improve your workflow, without having to worry about breaches.