The common vulnerability scoring system (CVSS) provides manufacturers a way to assess the principal characteristics of a vulnerability and produce a numerical score reflecting its severity.

Understanding the Common Vulnerability Scoring System

Claudia Jarrett, Country Manager | EU Automation

This can then be translated into a qualitative representation, such as low, medium, high or critical, to help organizations in their vulnerability management processes. Here, Claudia Jarrett, country manager at industrial parts supplier EU Automation, explains the core concepts of the CVSS.

Connected devices, both on and offline, can optimize a number of processes on the factory floor, but only when they are properly protected. Advances in technology are allowing manufacturers to streamline and monitor production in real time by networking those devices, and every new connection is also a potential point of attack.

Take a programmable logic controller (PLC) as an example. It is an automated decision-making tool that monitors the state of connected devices and makes decisions to streamline processes. As technology has advanced, PLCs have begun offering remote access for ease of maintenance and more flexibility to control other devices.

To be monitored and controlled remotely, PLCs must be reachable over a network, and increasingly that means reachable from the internet. That exposure is exactly what attackers use. When installing these devices, manufacturers must choose a supplier that prioritizes security in both the device and its programming tools, and should limit the PLC's network exposure to what the process actually needs.

As the number of devices connected to the internet increases, so does the number of vulnerabilities, and not all of them can be fixed at once. The CVSS allows manufacturers to rate and prioritize these vulnerabilities so that the most dangerous are patched before an attacker gets to them.


What’s the score?

The CVSS was originally developed under the National Infrastructure Advisory Council (NIAC) and is now maintained by the Forum of Incident Response and Security Teams (FIRST). It consists of three metric groups: base, temporal and environmental. The base score, on a scale from zero to ten, represents the intrinsic characteristics of the vulnerability that do not change over time or across environments. It combines two sub-scores. The impact sub-score captures what an attacker gains if exploitation succeeds, measured as the loss of confidentiality, integrity and availability. The exploitability sub-score captures how the vulnerability is reached (the attack vector: network, adjacent network, local or physical), the complexity of the required attack, and what the attacker must already have. In CVSS v2 that last point was the number of times an attacker must authenticate; CVSS v3 instead rates the privileges required and whether a victim user must interact, and adds a scope metric that raises the score when exploitation lets the attacker affect components beyond the vulnerable one.

The temporal score represents the characteristics of the vulnerability that change over time. It scales the base score by three factors: exploit code maturity (whether exploitation is only theoretical, demonstrated by a proof of concept, or available as working, even weaponized, code), remediation level (whether an official fix, a temporary fix, a workaround or nothing at all is available) and report confidence (how certain it is that the vulnerability exists and behaves as reported). Every temporal factor is a multiplier of at most one, so the temporal score can be lower than the base score but never higher.

Finally, the environmental score adjusts the rating for the user's own environment. In CVSS v2 this includes the collateral damage potential of the vulnerability, in other words the impact on other equipment, people and the business if it is exploited, together with how much of the environment is affected. In CVSS v3 the user instead states how important confidentiality, integrity and availability are for the affected asset and can override base metrics to reflect compensating controls. Either way, the same PLC vulnerability can, and should, score differently on an isolated test bench than on a line that runs a safety-relevant process.

It is virtually impossible for companies, especially small and medium-sized ones, to patch every vulnerability as soon as it is found. The CVSS gives an intuitive way of understanding which vulnerabilities would have the biggest impact, so that patching effort goes where it matters most and digital technologies that improve the workflow can be adopted with the risk of a breach understood and managed rather than ignored. One caveat: a CVSS score measures severity, not the likelihood that a particular plant will be attacked, so it should be combined with knowledge of which devices are actually exposed and what they control.

The content & opinions in this article are the author’s and do not necessarily represent the views of ManufacturingTomorrow
