The global vulnerability scoring system is getting a new version after eight years. CVSS 4.0 includes a focus on the cybersecurity of OT, ICS and IoT.
CVSS 4.0 has been officially released by the Forum of Incident Response and Security Teams (FIRST). The system is mostly known by its abbreviation, since the full name, Common Vulnerability Scoring System, is rather long. The score expresses how severe a vulnerability is and, by extension, how urgently it needs attention, on a scale from 0.0 to a maximum of 10.0.
Security teams cannot always install patches immediately, because of time constraints or the production downtime a patch would cause. The CVSS score of a vulnerability can then serve as a guide for deciding the order in which patches are installed, or for singling out the ones that cannot wait.
That is not the only use case for the scoring system, but it is probably the most common one. CVSS can also factor in the current threat (whether exploitation is known to be happening) and the impact a successful exploit would have in a specific environment.
Expansion of domains covered
The main improvement to the system is the expansion of the areas in which CVSS is useful. The fourth version extends it to cover OT, ICS and IoT: a new Safety supplemental metric, and a Safety value for the modified subsequent-system integrity and availability metrics, make it possible to express that a vulnerability can cause physical harm rather than only loss of data or availability.
Overall, the revisions provide several benefits, according to FIRST: "The revised standard provides finer granularity in base metrics, removes downstream scoring ambiguity, simplifies threat metrics, and enhances the effectiveness of assessing environment-specific security requirements as well as compensating controls."
The organization also notes that it revised how the consequences of a vulnerability are described. The most prominent addition is the Automatable supplemental metric: whether an attacker can automate exploitation across many targets. A vulnerability that can be exploited simply, quickly and at scale is clearly more urgent to patch. The other new supplemental metrics are Safety, Recovery (how well the system recovers after an attack), Value Density (how many resources the attacker gains control of), Vulnerability Response Effort (how much work remediation takes for the consumer) and Provider Urgency (the urgency assigned by the product's supplier). One caveat for practitioners: supplemental metrics are informative and do not change the numeric score. They are meant to be read alongside it, and the Base, Threat and Environmental metrics are what the score is computed from.
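To make the new structure concrete, here is an added example (not code from FIRST or from the CVSS specification) that parses a CVSS 4.0 vector string, validates each metric against the values the v4.0 specification allows, reports which nomenclature applies (CVSS-B, CVSS-BT, CVSS-BE or CVSS-BTE, the labels that remove the "downstream scoring ambiguity" FIRST mentions), and pulls out the supplemental metrics. The full MacroVector score lookup is deliberately not reproduced; the `triage_bucket` rule at the end is a hypothetical local policy, not part of the standard, and the sample vectors are constructed for the example.

```python
"""Parse and classify CVSS 4.0 vector strings (added example, not FIRST's code)."""
from typing import Dict, List

# Allowed values per metric, per the CVSS v4.0 specification. "X" = Not Defined.
BASE: Dict[str, List[str]] = {
    "AV": list("NALP"), "AC": list("LH"), "AT": list("NP"), "PR": list("NLH"),
    "UI": list("NPA"), "VC": list("HLN"), "VI": list("HLN"), "VA": list("HLN"),
    "SC": list("HLN"), "SI": list("HLN"), "SA": list("HLN"),
}
THREAT: Dict[str, List[str]] = {"E": list("XAPU")}  # Attacked / PoC / Unreported
ENVIRONMENTAL: Dict[str, List[str]] = {
    "CR": list("XHML"), "IR": list("XHML"), "AR": list("XHML"),
    "MAV": list("XNALP"), "MAC": list("XLH"), "MAT": list("XNP"),
    "MPR": list("XNLH"), "MUI": list("XNPA"),
    "MVC": list("XHLN"), "MVI": list("XHLN"), "MVA": list("XHLN"),
    "MSC": list("XHLN"), "MSI": list("XSHLN"), "MSA": list("XSHLN"),  # S = Safety
}
SUPPLEMENTAL: Dict[str, List[str]] = {
    "S": ["X", "N", "P"],            # Safety
    "AU": ["X", "N", "Y"],           # Automatable
    "R": ["X", "A", "U", "I"],       # Recovery
    "V": ["X", "D", "C"],            # Value Density
    "RE": ["X", "L", "M", "H"],      # Vulnerability Response Effort
    "U": ["X", "Clear", "Green", "Amber", "Red"],  # Provider Urgency
}
ALL_METRICS = {**BASE, **THREAT, **ENVIRONMENTAL, **SUPPLEMENTAL}


def parse_vector(vector: str) -> Dict[str, str]:
    """Split a vector into {metric: value}, rejecting anything the spec does not allow."""
    parts = vector.strip().split("/")
    if parts[0] != "CVSS:4.0":
        raise ValueError(f"not a CVSS 4.0 vector: {parts[0]!r}")
    metrics: Dict[str, str] = {}
    for part in parts[1:]:
        name, sep, value = part.partition(":")
        if not sep or not name or not value:
            raise ValueError(f"malformed metric {part!r}")
        if name in metrics:
            raise ValueError(f"duplicate metric {name}")
        allowed = ALL_METRICS.get(name)
        if allowed is None:
            raise ValueError(f"unknown metric {name}")
        if value not in allowed:
            raise ValueError(f"invalid value {value!r} for {name}")
        metrics[name] = value
    missing = [m for m in BASE if m not in metrics]
    if missing:
        raise ValueError("missing base metrics: " + ", ".join(missing))
    return metrics


def nomenclature(metrics: Dict[str, str]) -> str:
    """CVSS-B / BT / BE / BTE, depending on which optional groups carry a defined value."""
    has_threat = any(metrics.get(m, "X") != "X" for m in THREAT)
    has_env = any(metrics.get(m, "X") != "X" for m in ENVIRONMENTAL)
    return "CVSS-B" + ("T" if has_threat else "") + ("E" if has_env else "")


def supplemental(metrics: Dict[str, str]) -> Dict[str, str]:
    """Supplemental metrics that were actually set; they never change the numeric score."""
    return {m: v for m, v in metrics.items() if m in SUPPLEMENTAL and v != "X"}


def triage_bucket(metrics: Dict[str, str]) -> str:
    """Hypothetical local prioritisation rule (assumption, not part of CVSS 4.0):
    automatable exploitation that is already being attacked cannot wait."""
    automatable = metrics.get("AU") == "Y"
    attacked = metrics.get("E") == "A"
    if automatable and attacked:
        return "patch-now"
    if automatable or attacked:
        return "this-cycle"
    return "scheduled"


# Constructed sample vectors for the example.
VECTOR_BASE_ONLY = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
VECTOR_WITH_THREAT = VECTOR_BASE_ONLY + "/E:A/AU:Y/R:U/U:Red"

if __name__ == "__main__":
    for vec in (VECTOR_BASE_ONLY, VECTOR_WITH_THREAT):
        m = parse_vector(vec)
        print(nomenclature(m), supplemental(m), triage_bucket(m))
```

Running the script shows the first vector classified as CVSS-B with no supplemental metrics, and the second as CVSS-BT with Automatable, Recovery and Provider Urgency set; only the second lands in the hypothetical "patch-now" bucket, because Automatable and an Attacked threat value together are what this rule treats as urgent.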
CVSS 1.0 appeared in 2005. Eighteen years later, FIRST is issuing the fourth major version; the previous major version, 3.0, dates from 2015, with a minor revision, 3.1, following in 2019. "As a membership organization, our goal is to empower our members and the industry, provide leadership and ensure that we are continually working to improve the way we work together to protect people around the world from cyber attacks," concludes Chris Gibson, CEO of FIRST.
Cybersecurity is evolving rapidly
It seems only natural to us that, after eight years, an expansion of the domains covered by CVSS is in order. In cybersecurity, eight years already feels like a century ago. A company's digital footprint has grown dramatically in the past five years alone, partly as a result of the pandemic. On the threat side, the rise of artificial intelligence has given companies and security vendors a new trend to wrap their heads around, so there are significant changes to account for even within the past year.
As of now, the globally used CVSS takes OT, ICS and IoT into account, areas that changed considerably during the eight years in which the system received no major update. In addition, new supplemental metrics now accompany the score to inform prioritisation, although we note that AI-driven threats are not yet reflected in any of them.