OT Security Community Calls for New Risk Methodology Beyond CVSS 4.0
What Happened – Leading operational‑technology (OT) experts argue that the Common Vulnerability Scoring System (CVSS), even in its latest 4.0 revision, remains ill‑suited for assessing OT risk. They advocate for a risk‑first methodology that weighs cascading impacts, cross‑sector dependencies, and consequence management rather than a single vulnerability score.
Why It Matters for TPRM (third‑party risk management) –
- OT environments (energy, manufacturing, critical infrastructure) often sit behind third‑party supply chains; mis‑scored vulnerabilities can hide systemic risk.
- Traditional CVSS scores may under‑represent safety‑critical impacts, leading to inadequate vendor controls and oversight.
- A shift to risk‑centric scoring demands new data‑sharing practices and governance frameworks between enterprises and OT suppliers.
Who Is Affected – Energy & utilities, manufacturing, transportation, critical infrastructure operators, and their third‑party OT service providers.
Recommended Actions –
- Review OT vendor contracts for clauses requiring risk‑based vulnerability assessment beyond CVSS.
- Incorporate OT‑specific risk metrics (cascading impact, safety, environmental) into your TPRM scoring models.
- Engage with OT vendors to obtain contextual data needed for “environmental” scoring or adopt emerging OT‑focused frameworks.
Technical Notes – The critique centers on CVSS’s reliance on a single numeric score, which fails to capture OT‑specific factors such as safety impact, process interdependencies, and real‑world consequence severity. CVSS 4.0 adds optional environmental metrics, but gathering the required contextual data is resource‑intensive and often unavailable to OT operators. No specific CVE is discussed. Source: DataBreachToday
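To make the critique concrete, the following is an added illustrative example (not from the source article, CVSS 4.0, or any published OT framework) of a consequence‑weighted scoring model of the kind the Recommended Actions describe: it ranks constructed findings by safety impact, cascading process dependencies and exposure alongside the vendor CVSS base score, and refuses to score a finding when the vendor contextual data is missing. All weights, field names and sample findings are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical weights for an illustrative risk-first model; they are assumptions
# for this example, not values taken from CVSS 4.0 or any OT framework.
SAFETY_WEIGHT = {"none": 0.0, "injury": 1.5, "loss_of_life": 3.0}
EXPOSURE_WEIGHT = {"isolated": 0.5, "vendor_remote_access": 1.0, "internet": 2.0}


@dataclass
class Finding:
    ident: str                                  # constructed label, not a real CVE
    cvss_base: float                            # vendor-published CVSS base score (0.0-10.0)
    safety_impact: Optional[str] = None         # "none" | "injury" | "loss_of_life"
    downstream_processes: Optional[int] = None  # processes halted if this asset fails
    exposure: Optional[str] = None              # "isolated" | "vendor_remote_access" | "internet"


def missing_context(f: Finding) -> list[str]:
    """Contextual fields the operator still has to obtain from the OT vendor or a site survey."""
    return [name for name in ("safety_impact", "downstream_processes", "exposure")
            if getattr(f, name) is None]


def ot_risk_score(f: Finding) -> float:
    """Consequence-weighted score. Raises instead of silently falling back to CVSS alone."""
    if missing_context(f):
        raise ValueError(f"{f.ident}: missing contextual data {missing_context(f)}")
    cascade = 1.0 + 0.25 * min(f.downstream_processes, 8)  # capped so one asset cannot dominate
    return (f.cvss_base * (1.0 + SAFETY_WEIGHT[f.safety_impact])
            * cascade * EXPOSURE_WEIGHT[f.exposure])


def rank_by_cvss(findings: list[Finding]) -> list[str]:
    return [f.ident for f in sorted(findings, key=lambda f: -f.cvss_base)]


def rank_by_ot_risk(findings: list[Finding]) -> list[str]:
    return [f.ident for f in sorted(findings, key=lambda f: -ot_risk_score(f))]


# Constructed sample findings: identical CVSS scores, very different OT consequences.
FINDINGS = [
    Finding("VULN-A", 9.8, "none", 0, "isolated"),                      # historian in an isolated zone
    Finding("VULN-B", 7.5, "loss_of_life", 6, "vendor_remote_access"),  # safety PLC behind vendor VPN
    Finding("VULN-C", 9.8, "injury", 2, "internet"),                    # internet-exposed HMI
]

if __name__ == "__main__":
    print("CVSS order:   ", rank_by_cvss(FINDINGS))      # VULN-A, VULN-C, VULN-B
    print("OT-risk order:", rank_by_ot_risk(FINDINGS))   # VULN-B, VULN-C, VULN-A
    print("Still needed from vendor:", missing_context(Finding("VULN-D", 8.1)))
```

The 7.5‑rated finding outranks both 9.8s once safety and cascading impact are weighed, which is the re‑ordering the OT community argues a single CVSS number cannot express.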