The Common Vulnerability Scoring System (CVSS) offers a way for companies to assess the fundamental features of a vulnerability and produce a numerical score indicating its severity. The CVSS has proven beneficial for assessing vulnerabilities and standardizing security policies, but it has also shown some inadequacies in addressing the needs of users outside traditional IT environments.
When properly secured, technological devices, online and offline, can optimize a wide range of processes on the factory floor. By connecting devices to servers and workstations, manufacturers can collect data for a wide range of purposes, such as detecting bottlenecks, monitoring production in real time, facilitating predictive maintenance and optimizing energy consumption.
However, the growing number of devices connected to servers and workstations also gives hackers more opportunities to infiltrate an organization, access sensitive data and disrupt production. Take a programmable logic controller (PLC) as an example. It is an automated decision-making device that monitors the state of connected equipment and makes decisions to restructure and streamline processes. As the technology has advanced, PLCs have gained remote access capabilities for easier maintenance and greater flexibility when controlling other devices.
To be controlled and monitored remotely, PLCs must be connected to the internet, which exposes them to cyber-attacks with potentially serious consequences. The CVSS lets manufacturers classify their PLCs' potential vulnerabilities and ensure that the most dangerous ones are patched before an attack occurs.
Understanding the Metrics
The first version of the CVSS was developed by the National Infrastructure Advisory Council (NIAC) and launched in 2005 with the objective of providing a universal and free standardized way to assess software vulnerabilities.
Presently, the CVSS has reached version 3.1 and consists of three metric groups: base, temporal and environmental.
The base score, measured from 0 to 10, represents the essential features of a vulnerability, which are constant over time and across all user environments. This metric group considers the impact of the vulnerability should it be exploited.
It also captures how challenging it would be to reach that vulnerability, such as the number of times an attacker must authenticate to be successful and the complexity of the required attack.
The base score is composed of two sets of metrics: exploitability and impact. The exploitability metrics represent the features of the vulnerable component, usually a software application. The impact metrics represent the consequences of a successful exploit for the impacted component, which could be a hardware device, a network resource or a software application.
The temporal score represents the features of the vulnerability that may change over time. It considers the level of remediation available for the vulnerability at the time of measurement, as well as the current state of exploit techniques. Since these parameters may significantly change, so too can the temporal score.
Finally, the environmental score lets analysts adjust the CVSS score according to the importance of the affected IT asset to the company. It allows businesses to calculate the collateral damage potential of a vulnerability in case of a successful exploit; in other words, the impact on people and the business if the vulnerability is exploited. This may vary with the sector the company operates in.
Things to Know about Base Score
Base scores are typically provided by the company selling and maintaining the vulnerable product. Usually only base scores are published, because they are the only ones that are common to all environments and do not change over time.
Base scores are a good starting point for assessing a vulnerability, but they are not enough to give a clear picture of all the risks involved. For instance, a vulnerability may be very difficult to exploit today, but a year from now someone might release a new tool that lets hackers exploit it effortlessly. Furthermore, base scores do not consider how critical the vulnerable component is to the workflow of a particular organization. Organizations should therefore supplement base scores with temporal and environmental metrics to produce a more accurate score, specific to their application and industrial sector.
A major parameter companies should consider is the potential impact of a successful exploit on living beings. This is currently not a metric in the CVSS, but it is of the utmost importance for businesses operating in sensitive environments such as the automotive sector or the medical device industry.
Without these considerations, you can only tell how bad a vulnerability is hypothetically, not whether it is a cause for concern. Worrying about a vulnerability based on its base score alone is like worrying about a disease based on how deadly it could be, rather than on whether you might catch it.
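To make the three metric groups concrete, and to show how the temporal and environmental groups move a published base score, here is an added Python calculator (example code written for this article, not code from the article or from FIRST) that implements the CVSS v3.1 equations with the weights from the FIRST specification. The PLC vector at the end is a constructed illustration.

```python
import math
# CVSS v3.1 metric weights from the FIRST specification; "X" means Not Defined.
W = {
    "AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2},
    "AC": {"L": 0.77, "H": 0.44},
    "PR": {"N": 0.85, "L": 0.62, "H": 0.27},    # Privileges Required, scope unchanged
    "PRC": {"N": 0.85, "L": 0.68, "H": 0.5},    # Privileges Required, scope changed
    "UI": {"N": 0.85, "R": 0.62},
    "CIA": {"H": 0.56, "L": 0.22, "N": 0.0},
    "E": {"X": 1, "H": 1, "F": 0.97, "P": 0.94, "U": 0.91},   # Exploit Code Maturity
    "RL": {"X": 1, "U": 1, "W": 0.97, "T": 0.96, "O": 0.95},  # Remediation Level
    "RC": {"X": 1, "C": 1, "R": 0.96, "U": 0.92},             # Report Confidence
    "REQ": {"X": 1, "H": 1.5, "M": 1, "L": 0.5},              # C/I/A Requirements
}

def roundup(x):
    """Round up to one decimal exactly as CVSS v3.1 Appendix A defines it (avoids float drift)."""
    i = round(x * 100000)
    return i / 100000 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10

def parse(vector):
    """Split 'CVSS:3.1/AV:N/AC:L/...' into a dict; absent temporal/environmental metrics are X."""
    m = dict(p.split(":") for p in vector.split("/")[1:])
    for k in ("E", "RL", "RC", "CR", "IR", "AR", "MAV", "MAC", "MPR", "MUI", "MS", "MC", "MI", "MA"):
        m.setdefault(k, "X")
    return m

def scores(vector):
    """Return (base, temporal, environmental) scores for a CVSS v3.1 vector string."""
    m = parse(vector)
    # Base: impact sub-score plus exploitability sub-score, constant across environments.
    iss = 1 - (1 - W["CIA"][m["C"]]) * (1 - W["CIA"][m["I"]]) * (1 - W["CIA"][m["A"]])
    changed = m["S"] == "C"
    impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15 if changed else 6.42 * iss
    expl = 8.22 * W["AV"][m["AV"]] * W["AC"][m["AC"]] * (W["PRC"] if changed else W["PR"])[m["PR"]] * W["UI"][m["UI"]]
    base = 0.0 if impact <= 0 else roundup(min((1.08 if changed else 1) * (impact + expl), 10))
    # Temporal: base scaled by exploit maturity, remediation level and report confidence.
    t_factor = W["E"][m["E"]] * W["RL"][m["RL"]] * W["RC"][m["RC"]]
    temporal = roundup(base * t_factor)
    # Environmental: modified metrics (X falls back to the base value) weighted by C/I/A requirements.
    mod = lambda k: m[k] if m["M" + k] == "X" else m["M" + k]
    m_changed = mod("S") == "C"
    miss = min(1 - (1 - W["CIA"][mod("C")] * W["REQ"][m["CR"]]) * (1 - W["CIA"][mod("I")] * W["REQ"][m["IR"]])
               * (1 - W["CIA"][mod("A")] * W["REQ"][m["AR"]]), 0.915)
    m_impact = 7.52 * (miss - 0.029) - 3.25 * (miss * 0.9731 - 0.02) ** 13 if m_changed else 6.42 * miss
    m_expl = 8.22 * W["AV"][mod("AV")] * W["AC"][mod("AC")] * (W["PRC"] if m_changed else W["PR"])[mod("PR")] * W["UI"][mod("UI")]
    env = 0.0 if m_impact <= 0 else roundup(roundup(min((1.08 if m_changed else 1) * (m_impact + m_expl), 10)) * t_factor)
    return base, temporal, env

# Constructed example: a remotely exploitable, unauthenticated flaw (base 9.8) reassessed for a PLC reachable only
# from the plant network (MAV:A), with a proof-of-concept exploit and an official fix (E:P/RL:O), where availability matters far more than confidentiality (AR:H, CR:L/IR:L).
PLC_VECTOR = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C/CR:L/IR:L/AR:H/MAV:A"
```

Running `scores(PLC_VECTOR)` gives base 9.8, temporal 8.8 and environmental 7.9, which is the drop from "critical" to "high" that the base score alone cannot show.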
The Current Version and Future Developments
Presently, the Special Interest Group (SIG) at the Forum of Incident Response and Security Teams (FIRST) is responsible for developing and maintaining the Common Vulnerability Scoring System (CVSS).
In 2019, FIRST released the latest version of the scoring system, CVSS v3.1, with the objective of improving the ease of use of version 3.0 without introducing new metrics. The latest developments therefore focused on clarity and usability rather than on substantial changes.
The SIG, which is composed of academics and representatives from a wide range of industry sectors, is currently working on improvements to characterize the next version of the CVSS standard. Based on input from users, the SIG has already created an all-inclusive list of potential improvements, which can be consulted in full on their website.
One of the most important proposed amendments is the ability to distinguish attacks possible only from specific networks, such as a corporate intranet, from attacks that can be launched from anywhere on the internet.
Lastly, a major future challenge is finding a way to quantify the damage that a successful exploit would inflict on living beings, a real possibility in sectors such as aerospace, automotive and healthcare. By relying on reliable suppliers and using CVSS scores as support, manufacturers can adopt digital technologies to improve their workflows without having to choose between digitalization and security.