The Common Vulnerability Scoring System (CVSS) provides a way for organisations to assess the principal characteristics of a vulnerability and produce a numerical score reflecting its severity. The CVSS has proven useful for assessing vulnerabilities consistently and for standardising security policies. However, it has also shown some shortcomings in addressing the needs of users outside traditional IT environments. In this article Jonathan Wilkins, director at industrial parts supplier EU Automation, explains.

When fully protected, technological devices, both on and offline, can optimise a number of processes on the factory floor. By connecting devices to the Industrial Internet of Things (IIoT), manufacturers can collect data for a variety of purposes, such as monitoring production in real-time, detecting bottlenecks, optimising energy consumption and facilitating predictive maintenance.

However, the growing number of devices connected to the IIoT also means that hackers have more opportunities to infiltrate a company, access sensitive data and disrupt production. According to NETSCOUT’s Threat Intelligence Report, the average time required to attack an IIoT device is just five minutes. SonicWall reports that IoT malware attacks increased by 215.7 per cent in 2018, and the rate of cyberattacks is expected to keep increasing.

Take a programmable logic controller (PLC) as an example. It is an automated decision-making tool that monitors the state of connected devices and makes decisions to streamline processes. As technology has advanced, PLCs have become equipped with remote access capabilities for ease of maintenance and increased flexibility when controlling other devices.

To remotely monitor and control processes, PLCs must be connected to the internet. However, this exposes the technology to cyber-attacks, which could lead to extremely serious consequences, such as the Siberian gas pipeline explosion in 1982. The CVSS allows manufacturers to categorise their PLC’s potential vulnerabilities and ensure that the most dangerous are patched before an attack occurs.

Understanding the metrics

The first version of the CVSS was developed by the National Infrastructure Advisory Council (NIAC) and launched in 2005 with the goal of providing a free and universally standardised method to assess software vulnerabilities.

Currently, the CVSS has reached version 3.1 and consists of three metric groups: base, temporal and environmental.

The base score, measured from zero to ten, represents the intrinsic characteristics of a vulnerability, which are constant over time and across all user environments. This metric considers the impact of the vulnerability should it be exploited.

It also provides information on how difficult it would be to access that vulnerability, such as the level of complexity of the required attack and the number of times an attacker must authenticate to be successful.

The base score is composed of two sets of metrics: exploitability and impact. The exploitability metrics represent the characteristics of the component that is vulnerable, typically a software application. The impact metrics represent the consequences of a successful exploit on the impacted component, which could be a software application, a hardware device or a network resource.

The temporal score represents the characteristics of the vulnerability that may change over time. It considers the level of remediation available for the vulnerability at the time of measurement, as well as the current state of exploit techniques or code availability. Since these parameters may drastically change, so too can the temporal score.

Finally, the environmental score enables analysts to customise the CVSS score depending on the importance of the affected IT asset to an organisation. This score allows businesses to calculate the collateral damage potential of a vulnerability in the event of a successful exploit. In other words, this is about the impact on other equipment, people and businesses if the vulnerability is uncovered. This may change drastically depending on the sector the organisation operates in.

Sets of CVSS metrics are usually represented with a textual vector string, which allows users to record the parameters of a vulnerability in a concise format.

All about that base

Base scores are usually provided by the company selling and maintaining the vulnerable product. Typically, only base scores are published, since they are the only ones that do not change over time and are common to all environments.

Base scores can provide a good starting point to assess a vulnerability, but are not enough to have a clear idea of all the risks involved. For example, you might have a vulnerability that, currently, is very hard if not impossible to exploit. However, one year from now someone might release a new tool that allows hackers to exploit it easily. Moreover, base scores don’t consider how critical the vulnerable component is to the workflow of a specific company.

Organisations should, therefore, supplement base scores with temporal and environmental metrics to produce a more accurate scoring, specific to their application and industrial sector.

Organisations might also want to personalise the scoring by considering factors such as the number of customers on a product line, the monetary losses in case of a breach and public opinion in case of highly publicised vulnerabilities.

A vital parameter organisations should consider is the potential impact of a successful exploit on living beings. This is not currently a CVSS metric; however, it is of the utmost importance for businesses working in sensitive environments such as the medical device industry or the automotive sector.

Without these considerations, you’ll only be able to tell how bad a vulnerability is hypothetically, not whether it is a cause for concern. Worrying about a vulnerability based on its base score alone would be like worrying about a disease based solely on how deadly it could be, and not on whether you might be in a position to catch it.

Current version and future developments

Currently, the Special Interest Group (SIG) at the Forum of Incident Response and Security Teams (FIRST) is responsible for developing and maintaining the CVSS.

On June 17, 2019, FIRST released the latest version of the scoring system, CVSS v3.1, with the goal of improving the overall ease of use of the 3.0 version without introducing new metrics. This means the latest developments focused on usability and clarity, rather than on substantial changes. For example, the definitions in the user guide were revised.

The SIG, which is composed of academics and representatives from a broad range of industry sectors, is currently working on improvements to characterise the next version of the CVSS standard. Based on input from users, the SIG has already created a comprehensive list of potential improvements, which can be consulted in full on their website.

One of the most important suggested amendments is the possibility to distinguish attacks available only on specific networks, such as a corporate intranet, from attacks that can be launched from anywhere else on the internet.

The SIG is also considering the possibility of introducing new metrics, such as the concept of ‘survivability’ after an attack and ‘wormability,’ since computer worms represent some of the most common and dangerous malware in cyberattacks.

Finally, a major future challenge is finding a way to quantify the damage that a successful exploit would inflict on living beings, something likely to happen in sectors such as healthcare, aerospace and automotive.

These are just some of the issues the next versions of the CVSS are expected to tackle, and users are encouraged to contribute to its continuous improvement by sending suggestions to [email protected]

It’s virtually impossible for companies, especially small to medium-sized ones, to patch every vulnerability as soon as it is found. When installing new equipment and connecting it to the internet, manufacturers must choose suppliers that prioritise security in both software and hardware.

By relying on trustworthy suppliers and using the CVSS scores as a support, manufacturers can implement digital technologies to improve their workflows, without having to choose between security and digitalisation.