While the Common Vulnerability Scoring System (CVSS) can be useful for rating vulnerabilities, the scores assigned to flaws affecting industrial control systems (ICS) may be misleading, which can have negative consequences for organizations, particularly if they rely solely on CVSS for prioritizing patches.
Maintained by the CVSS Special Interest Group (SIG), CVSS “provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity.” The score, which reflects the severity of a vulnerability, should help organizations assess and prioritize weaknesses in their systems. The score can reflect a low (0.1-3.9), medium (4.0-6.9), high (7.0-8.9) or critical (9.0-10.0) severity.
The current version of the system, CVSSv3, allows users to calculate a base score – which is constant over time and across environments – using factors such as attack vector, attack complexity, required privileges, user interaction, scope, confidentiality, integrity, and availability. The temporal score, which reflects characteristics that may change over time but not across environments, is calculated based on exploit code maturity, remediation level, and report confidence. The environmental score, which represents attributes relevant to a particular user’s environment, is calculated based on the importance of the affected asset, measured in terms of confidentiality, integrity and availability.
The way a CVSS score is calculated is transparent, but it’s still not uncommon for vendors and researchers to disagree on the severity rating assigned to a vulnerability.
In a presentation at SecurityWeek’s ICS Cyber Security Conference in Atlanta last month, Radiflow CEO and Founder Ilan Barda pointed out that CVSS scoring was originally developed for IT systems and is often not accurate in the case of industrial systems, which can be problematic for organizations. Several other industrial cybersecurity experts contacted by SecurityWeek agree.
The use of CVSS for rating ICS vulnerabilities
Moreno Carullo, co-founder and CTO of Nozomi Networks, believes that while CVSS has value because it standardizes vulnerability scoring, it should only serve as a guide.
“You should always have a look at the vector and evaluate your own ‘score,’ based on what makes the most sense for your environment,” Carullo said.
Paolo Emiliani, industrial and SCADA research security analyst at Positive Technologies, says the CVSS score should be applied to specific industrial processes for it to be efficient in prioritizing vulnerabilities.
Vladimir Dashchenko, head of vulnerability research at Kaspersky Lab’s ICS CERT group, noted that the classic CVSS can be useful for OT environments as it shows how a vulnerability can “become a problem from an IT point of view.” The problem, he says, it that it does not take into account the impact on technological processes and the possible cyber-physical impact of a flaw.
“The difference between IT and OT brings up not a negative impact, but more like an unsaid meaning,” Dashchenko explained. “The OT/ICS community always says ‘those IT bugs work differently in an OT environment,’ and this is true. We see a totally different potential impact for the business owners in the IT and OT fields. For OT, sometimes this impact can be calculated not only in money, but also in physical damage and people’s lives.”
John Elder, senior ICS security consultant at Applied Risk, believes CVSS scores can be misleading in both IT and ICS environments due to the different scenarios required for exploitation. However, he says the CVSS score can be a good starting point when assessing the full impact of a vulnerability.
Sipke Mellema, who is also an ICS security consultant at Applied Risk, agrees that CVSS scores can be misleading for both IT and OT. “The main problem with ICS is that it’s closely bound to physical security, with which CVSS scoring doesn’t fit well (how would you score a social engineering attack?),” he told SecurityWeek.
Learn More About ICS Vulnerabilities at SecurityWeek’s ICS Cyber Security Conference
Radiflow’s CTO, Yehonatan Kfir, believes that the environmental score is more appropriate for ICS, but it’s in most cases ignored. In the case of industrial systems – unlike in the case of IT, where confidentiality is most important – availability is most important as any disruption to processes can have serious financial and physical consequences.
“Another argument against the effectiveness of CVSS scoring for ICS devices is the numerical values of the exploitability weights,” Kfir told SecurityWeek. “The current numerical weight values are calculated based on historical and statistical data of cyber-incidents, which are mostly from IT networks. As a consequence, the scoring based on this method is biased against ICS devices as there is not a wide historical database of incidents for numerically estimating the ‘exploitability’ value on ICS networks.”
SecurityWeek has also reached out to ICS-CERT for an opinion on the effectiveness of CVSS scoring – all of the agency’s advisories list CVSS scores for disclosed vulnerabilities – but its vulnerability management team has not made any comments on the topic.
Examples of misleading CVSS scores
Unsurprisingly, the representatives of companies involved in finding vulnerabilities in ICS products can provide several examples of flaws that have been assigned low CVSS scores despite posing a serious risk to industrial environments.
David Atch, VP of research at CyberX, provided CVE-2015-5374 as an example. This vulnerability was exploited by the notorious Industroyer/Crashoverride malware to perform a DoS attack on Siemens SIPROTEC relays, but it only has a CVSS score of 7.8.
“Because SIPROTEC devices have a significant role in power generation environments, the score of 7.8 doesn’t fully reflect the true risk,” Atch explained.
Kaspersky’s Dashchenko pointed to CVE-2017-6021, a DoS vulnerability in Schneider Electric’s EcoStruxure Geo SCADA Expert (ClearSCADA) remote SCADA management software.
Dashchenko highlighted that DoS flaws are often not considered too severe in the case of IT systems, but they can cause serious damage if exploited.
Radiflow’s Kfir makes an interesting comparison between CVE-2018-7795, a cross-site scripting (XSS) flaw in Schneider Electric’s PowerLogic PM5560 power management system, and CVE-2018-7789, a DoS vulnerability the expert found in Schneider’s Modicon M221 PLCs.
The first security hole has a CVSS score of 8.2, while the DoS flaw, which allows an attacker to remotely reboot a PLC, has a CVSS score of only 4.8. However, if availability and integrity are taken into account, the score for the DoS vulnerability increases to 8.1. If availability and integrity are taken into account in the case of the XSS flaw, its score drops to 7.1, Kfir said.
“While comparing those two CVEs without the additional optional scoring, it may seem that CVE-2018-7795 is much more critical,” Kfir explained. “However, when re-scoring with additional weights to availability, it is clear that the PLC reboot (CVE-2018-7789) is more critical than a confidentiality issue in a power management system.”
Applied Risk researchers pointed out that a vulnerability with a low CVSS score may have a significant impact when combined with other flaws.
“We recently discovered multiple critical vulnerabilities in a device, which will have high CVSS scores (i.e. command injection as root user.) These vulnerabilities require authentication to exploit,” Elder explained. “However, there is also a directory traversal vulnerability in the same device, which will have a lower CVSS score. Using this vulnerability, you can retrieve the necessary credentials to login to the device and exploit the aforementioned higher scored vulnerabilities.”
Impact of misleading CVSS scores on organizations
Misleading CVSS scores can have a serious impact on industrial organizations, according to the experts contacted by SecurityWeek.
“The misleading score makes it more difficult for the operators of ICS networks to prioritize the risk to their devices and to their physical processes,” Kfir said. “The vulnerability assessment tools used today detect vulnerabilities and provide users with scores according to the CVSS metric. Prioritizing the vulnerability fixes and mitigations merely according to the CVSS score will not necessarily result in dealing with the highest risks.”
CyberX’s Atch believes that misleading CVSS scores can have a negative impact on industrial organizations “because users might ignore mitigation of high-risk vulnerabilities because they have a lower score. For example, they might skip patching or, if they are unable to patch, implementing compensating controls such as continuous monitoring and network segmentation.”
Elder says he is not aware of any industrial company that prioritizes vulnerabilities based only on their CVSS score. On the other hand, the researcher notes that there are however many systems that are not patched at all.
Adapting CVSS to ICS and alternative scoring systems
Some experts believe that CVSS can still work for ICS vulnerabilities as long as the score is adapted accordingly and not used on its own. Recommendations include focusing on the environmental score, assessing the impact of a flaw in the context of the entire environment rather than just the impacted software or device, and using CVSS in conjunction with other risk assessment methods.
“The optimal approach is a risk-based rating that takes into account the potential impact of a compromise as well as the ease of exploitation. How crucial is the device to the ICS environment? Could the vulnerability be exploited in a chain of compromises resulting in major safety or environmental issues or costly downtime?” said Atch.
“Experts like Idaho National Labs (INL) recommend a risk-based approach to prioritize mitigation of vulnerabilities, using threat modeling to identify the highest-risk attack vectors to your most important assets and processes (your ‘crown jewels’),” he added.
Others believe the industry should work together on developing a new scoring system that focuses on the factors that are critical for ICS security. While this has occasionally been discussed, we are a long way from a new system actually being implemented and used on a wide scale.
“My preference goes out to just using CIA, or AIC for ICS, as it’s easier to get your head around,” said Applied Risk’s Mellema. “With both CVSS and AIC it’s very important that the company specifies what would be of high impact for them. Research must evolve around some questions. ‘We want to know how well these and these documents are secured’. ‘We want to know if an attacker in position x can do y’.”
“The scoring system doesn’t really matter,” Mellema added. “It all really depends on communication with the customer. For example, a crackable Wifi password can mean the end of the world for one company with poor network segregation from IT to OT. For other companies that has a thousand layers between their Wifi and their OT infrastructure it would be a minor inconvenience.”