Shlomi_Feldman
Employee

Vulnerabilities categorization

We all understand that the OT sector is different from IT concerning vulnerability patching. While in IT patching is a standard procedure, in OT patching is highly complicated, up to impossible.

If the sectors are so different, how come we use the same method (CVSS: Common Vulnerability Scoring System) to measure the vulnerabilities? Maybe we need an alternative method to measure vulnerabilities in OT, one that will provide users with options to understand what they should do.

This method exists and it is called Stakeholder-Specific Vulnerability Categorization (SSVC): https://github.com/CERTCC/SSVC. In SSVC, differently from CVSS, vulnerabilities are not measured as a numeric score.

SSVC is a priority decision method, which categorizes vulnerabilities into four priorities: defer, scheduled, out-of-band, and immediate.

Defer:

  • Do not patch at present.

Scheduled:

  • Patch during regularly scheduled maintenance time.

Out-of-Band:

  • Patch more quickly than usual to apply the fix out-of-band during the next available opportunity, working overtime if necessary.

Immediate:

  • Patch immediately. Focus all resources on applying the fix as quickly as possible, pausing the organization's regular operations if necessary.

I do believe that this is a better method to evaluate vulnerabilities in the OT sector.
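As an added illustration (not part of the original post and not code from the CERTCC/SSVC project), here is a small Python deployer-style prioritisation that maps SSVC decision points to the four outcomes listed above. The decision points (exploitation, system exposure, automatable, human impact) are the ones SSVC's deployer tree uses; the mapping itself is a simplified illustrative policy I assumed for the example, not the official SSVC decision table in the repository.

```python
# Added example, not the original post's or the CERTCC/SSVC project's code.
# The mapping below is an ASSUMED, simplified illustrative policy; the official
# SSVC deployer decision table lives in https://github.com/CERTCC/SSVC.
from enum import IntEnum


class Exploitation(IntEnum):
    NONE = 0      # no known exploit
    POC = 1       # public proof of concept exists
    ACTIVE = 2    # exploitation observed in the wild


class Exposure(IntEnum):
    SMALL = 0       # local or heavily restricted reachability
    CONTROLLED = 1  # reachable, but behind compensating controls
    OPEN = 2        # reachable from the internet / untrusted networks


class HumanImpact(IntEnum):
    LOW = 0
    MEDIUM = 1
    HIGH = 2
    VERY_HIGH = 3


# The four SSVC outcomes, ordered from least to most urgent.
OUTCOMES = ("defer", "scheduled", "out-of-band", "immediate")


def ssvc_deployer_priority(exploitation, exposure, automatable, impact):
    """Return one of the four SSVC deployer outcomes.

    Illustrative policy (an assumption, not the official SSVC tree):
    start from the human-impact level, raise it when exploitation is
    active or when an open, automatable attack path exists, and lower
    it for an unexploited, well-isolated system.
    """
    score = int(impact)
    if exploitation == Exploitation.ACTIVE:
        score += 1
    elif exploitation == Exploitation.NONE and exposure == Exposure.SMALL:
        score -= 1
    if exposure == Exposure.OPEN and automatable:
        score += 1
    score = max(0, min(score, len(OUTCOMES) - 1))   # clamp to the four outcomes
    return OUTCOMES[score]


if __name__ == "__main__":
    # Constructed samples: an internet-facing, automatable, actively exploited
    # flaw versus an isolated, low-impact OT asset with no known exploit.
    print(ssvc_deployer_priority(Exploitation.ACTIVE, Exposure.OPEN, True, HumanImpact.MEDIUM))
    print(ssvc_deployer_priority(Exploitation.NONE, Exposure.SMALL, False, HumanImpact.LOW))
```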

0 Replies
