We all understand that the OT sector differs from IT when it comes to patching vulnerabilities. In IT, patching is a standard procedure; in OT, patching is highly complicated, and in some cases impossible.
If the sectors are so different, why do we use the same method, CVSS (Common Vulnerability Scoring System), to measure vulnerabilities in both? Perhaps we need an alternative method for measuring vulnerabilities in OT, one that gives users options for understanding what they should do.
Such a method exists: Stakeholder-Specific Vulnerability Categorization (SSVC), https://github.com/CERTCC/SSVC . Unlike CVSS, SSVC does not express a vulnerability as a numeric score.
SSVC is a priority decision method that categorizes vulnerabilities into four priorities: defer, scheduled, out-of-band, and immediate.
Defer:
Scheduled:
- Patch during regularly scheduled maintenance time.
Out-of-Band:
- Patch more quickly than usual to apply the fix out-of-band during the next available opportunity, working overtime if necessary.
Immediate:
- Patch immediately. Focus all resources on applying the fix as quickly as possible, pausing the organization's regular operations if necessary.
I do believe that this is a better method for evaluating vulnerabilities in the OT sector.