Overview
The industrial vulnerability scoring system (IVSS) is a derivative of the common vulnerability scoring system (CVSS). The IVSS, however, is designed specifically for industrial control system (ICS) vulnerabilities. The need for an industrial-specific vulnerability scoring tool was identified throughout the industry because the CVSS focuses on the confidentiality, integrity, and availability (CIA) consequences to computer systems, devices, and networks. As such, the CVSS also tends to be more enterprise IT focused. While data confidentiality, integrity, and certainly availability are still important considerations within industrial systems, the primary considerations for industrial systems, from a cyber vulnerability perspective, are how cyber-related consequences can affect the ability to monitor, view, and control industrial processes, and what the impact to safety, production, and reliability could be. The IVSS base score is still based on the same parameters as the CVSS base score. However, the local ICS environmental modifiers are where the more industrial-focused parameters are taken into account.
The IVSS is not meant to be a replacement for the CVSS, but rather an industrialized supplement in terms of the environment modifiers. Just like the CVSS temporal and environment modifiers, the IVSS ICS environment modifiers are meant to be adjusted by, or with the assistance of, someone who has knowledge of the local environment for the system in question. Because of the common cross-industry acceptance and use of the CVSS, the IVSS redesign, currently in progress, will include added functionality to reference and use the base CVSS score from existing CVE entries. This will then allow industrial operators to modify the CVSS score using the IVSS local ICS environment modifiers.
Development
Development of this tool used feedback from a study conducted by ThreatGEN and LOGIIC (Linking the Oil and Gas Industry to Improve Cybersecurity). ThreatGEN has discontinued development of the tool and a more detailed usage guide in favor of future development by LOGIIC or other associated organizations.
Feedback
As ThreatGEN has discontinued development, we are no longer accepting feedback.
Formulas & Calculations
The formulas and calculations used for the current version are available within the following document.