The industrial vulnerability scoring system (IVSS) is a derivative of the common vulnerability scoring system (CVSS). The IVSS, however, is designed specifically for industrial control system (ICS) vulnerabilities. The need for an industrial-specific vulnerability scoring tool was identified throughout the industry because the CVSS focuses on the confidentiality, integrity, and availability (CIA) consequences to computer systems, devices, and networks. As such, the CVSS also tends to be more enterprise IT focused. While data confidentiality, integrity, and certainly availability are still important considerations within industrial systems, the primary consideration for industrial systems, from a cyber vulnerability perspective, is how cyber-related consequences can affect the ability to monitor, view, and control industrial processes, and what the impact to safety, production, and reliability could be. The IVSS base score is still based on the same parameters as the CVSS base score. However, the local ICS environmental modifiers are where the more industrial-focused parameters are taken into account.
The IVSS is not meant to be a replacement for the CVSS, but rather an industrialized supplement in terms of the environment modifiers. Just like the CVSS temporal and environment modifiers, the IVSS ICS environment modifiers are meant to be adjusted by, or with the assistance of, someone who has knowledge of the local environment for the system in question. Because the CVSS is commonly accepted and used across industries, part of the IVSS redesign, currently in progress, will be added functionality to reference and use the base CVSS score from existing CVE entries. This will then allow industrial operators to modify the CVSS score using the IVSS local ICS environment modifiers.
A more detailed usage guide will be provided by Q4 2022.
Formulas & Calculations
The formulas and calculations used for the current version will be provided by the end of Q4 2022.
The IVSS tool is still in beta and under active development. The version of the tool on this page is subject to change often until version 1 is released. (Projected version 1 release: Q4 2022)
The current development uses feedback from a study being conducted between ThreatGEN and LOGIIC (Linking the Oil and Gas Industry to Improve Cybersecurity).