Industrial Vulnerability Scoring System (IVSS)

The IVSS tool is currently undergoing a redesign and will be available again soon.


The industrial vulnerability scoring system (IVSS) is a derivative of the common vulnerability scoring system (CVSS). The IVSS, however, is designed specifically for industrial control system (ICS) vulnerabilities. The need for an industrial-specific vulnerability scoring tool was identified throughout the industry because the CVSS focuses on the confidentiality, integrity, and availability (CIA) consequences to computer systems, devices, and networks. As such, the CVSS also tends to be more enterprise IT focused. While data confidentiality, integrity, and certainly availability are still important considerations within industrial systems, the primary considerations for industrial systems, from a cyber vulnerability perspective, are how cyber-related consequences can affect the ability to monitor, view, and control industrial processes, and what the impact to safety, production, and reliability could be. The IVSS base score is still based on the same parameters as the CVSS base score. However, the local ICS environmental modifiers are where the more industrial-focused parameters are taken into account.

The IVSS is not meant to be a replacement for the CVSS, but rather an industrialized alternative in terms of the environment modifiers. Just like the CVSS temporal and environment modifiers, the IVSS ICS environment modifiers are meant to be adjusted by, or with the assistance of, someone who has knowledge of the local environment for the system in question. Because the CVSS is commonly accepted and used across industries, part of the IVSS redesign currently in process will be added functionality to reference and use the base CVSS score from existing CVE entries. This will then allow industrial operators to modify the CVSS score using the IVSS local ICS environment modifiers.

The current redesign is part of a study being conducted between ThreatGEN and LOGIIC (Linking the Oil and Gas Industry to Improve Cybersecurity), with development support from GPA.

Development Partners: