Industry Talk

Regular Industry Development Updates, Opinions and Talking Points relating to Manufacturing, the Supply Chain and Logistics.

New CVSS 4.0 scoring system

It’s encouraging to see FIRST moving forward with CVSS 4.0. Vulnerability scoring has long been a challenge and has been scrutinized by users as too subjective. The applicability of a CVSS score varies from organization to organization, and the likelihood of exposure to attack depends on many factors; for defenders, basing a response strategy on a score should be only part of the equation.

We should applaud some of the changes to the scoring, including an additional focus on ICS/SCADA/OT. Safety and availability requirements have a massive impact on industrial processes, and these considerations must be taken into account when assessing the criticality of a vulnerability. Overall, the addition of new base metrics and values should make scores less subjective, and it conveys an understanding of the criticisms levelled against the current system.