Issue-date: 30th December, 2019.
Severity Categorization for Cyber Security Issues
The advent of new technologies and open architecture in Industrial Automation systems has increased the exposure to cyber security attacks. Such attacks, which were directed at Information systems two decades back, have now also affected Industrial Automation systems. In the last decade there has been a rising trend of cyber-attacks on automation systems. These cyber-attacks have exploited vulnerabilities and exposures in automation systems.
To counter these attacks, there is now increasing awareness of the need to align with security standards like IEC 62443 and to perform security assessments for products and devices before release. Cyber security tests are key to assessing the robustness of products and devices against the cyber security requirements defined in the IEC 62443 standards. The vulnerabilities found in the systems through these tests are published as Common Vulnerabilities and Exposures (CVE) in the National Vulnerability Database (NVD).
Software, hardware and firmware vulnerabilities pose a critical risk to any organization operating a computer network and can be difficult to categorize and mitigate. Severity categorization for these issues is important for deciding on the impact of these vulnerabilities, how they could be exploited and under what environment.
This article explains the method by which the severity score is calculated for vulnerabilities, to give readers an insight into the scoring system.
Common Vulnerability Scoring System (CVSS)
The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities. It produces a numerical score reflecting a vulnerability's severity, as well as a textual representation of that score. CVSS has three important benefits:
- It provides standardized vulnerability scores.
- It provides an open framework for arriving at a severity score in a transparent way.
- It helps prioritize risk.
CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization. CVSS 3.0 is the latest version of the scoring system released. References for this article have been taken from the CVSS 3.0 Specification and User guide as released by FIRST.Org as well as the National Vulnerability Database (NVD). Readers of this article can refer to these artifacts for details.
CVSS is composed of three metric groups, Base, Temporal, and Environmental, each consisting of a set of metrics.
- Base metric group: Represents the intrinsic characteristics of a vulnerability that are constant over time and across user environments.
  - Exploitability metric sub group: Reflects the ease and technical means by which the vulnerability can be exploited.
    - Attack Vector (AV): This metric value will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable component. Metric values: Network (N), Adjacent (A), Local (L), Physical (P).
    - Attack Complexity (AC): This metric describes the conditions beyond the attacker’s control that must exist in order to exploit the vulnerability. These may require collection of more information about the target, the presence of certain system configuration settings, or computational exceptions. Metric values: Low (L), High (H).
    - Privileges Required (PR): This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability. This metric is greatest if no privileges are required. Metric values: None (N), Low (L), High (H).
    - User Interaction (UI): This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user must participate in some manner. This metric value is greatest when no user interaction is required. Metric values: None (N), Required (R).
    - Scope (S): This refers to the collection of privileges defined by a computing authority when granting access to computing resources (e.g. files, CPU, memory, etc.). Metric values: Unchanged (U), Changed (C).
  - Impact metrics sub group: Reflects the direct consequence of the exploit to the device that suffers the impact.
    - Confidentiality (C): Refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones. Metric values: High (H), Low (L), None (N).
    - Integrity Impact (I): This metric measures the impact to integrity, such as the trustworthiness and veracity of information, of a successfully exploited vulnerability. Metric values: High (H), Low (L), None (N).
    - Availability Impact (A): This metric measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability. Metric values: High (H), Low (L), None (N).
- Temporal metric group: Reflects the characteristics of a vulnerability that may change over time but not across user environments.
  - Exploit Code Maturity (E): This metric measures the likelihood of the vulnerability being attacked and is typically based on the current state of exploit techniques, exploit code availability, or active, “in-the-wild” exploitation. Metric values: Not Defined (X), High (H), Functional (F), Proof of Concept (P), Unproven (U).
  - Remediation Level (RL): This refers to the solution provided for the vulnerability. The solution could be a workaround or hotfix that offers interim remediation until an official patch or upgrade is issued. Metric values: Not Defined (X), Unavailable (U), Workaround (W), Temporary Fix (T), Official Fix (O).
  - Report Confidence (RC): This metric measures the knowledge of the root cause of the vulnerability, though the existence of the vulnerability may be known. Metric values: Not Defined (X), Confirmed (C), Reasonable (R), Unknown (U).
- Environmental metric group: Represents the characteristics of a vulnerability that are relevant and unique to a user’s environment.
  - Security Requirements (CR, IR, AR): These metrics enable the analyst to customize the CVSS score depending on the importance of the affected IT asset to a user’s organization, measured in terms of Confidentiality, Integrity, and Availability. Metric values: Not Defined (X), High (H), Medium (M), Low (L).
The Base, Temporal and Environmental scores are calculated based on the above metrics. Generally, the Base and Temporal metrics are specified by vulnerability bulletin analysts, security product vendors, or application vendors because they typically possess the most accurate information about the characteristics of a vulnerability. On the other hand, the Environmental metrics are specified by end-user organizations because they are best able to assess the potential impact of a vulnerability within their own computing environment. The Base score can be further refined by scoring the Temporal and Environmental metrics in order to more accurately reflect the risk posed by a vulnerability to a user’s environment. However, scoring the Temporal and Environmental metrics is not mandatory.
The CVSS Severity score for vulnerabilities can be represented as a quantitative rating scale or as a vector string.
- The quantitative severity rating scale is represented as None (CVSS score: 0.0), Low (CVSS score: 0.1 - 3.9), Medium (CVSS score: 4.0 - 6.9), High (CVSS score: 7.0 - 8.9), Critical (CVSS score: 9.0 - 10.0) based on the numerical score.
  As an example, a CVSS Base score of 7.2 has an associated severity rating of High.
- Vector string severity score is a textual representation based on the metrics mentioned above.
  For example, a vulnerability with Base metric values of “Attack Vector: Network, Attack Complexity: High, Privileges Required: High, User Interaction: Required, Scope: Unchanged, Confidentiality: Low, Integrity: High, Availability: None” and no specified Temporal or Environmental metrics would produce the following vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:H/A:N
CVE-2008-2121: This is an example of a vulnerability that is published in the National Vulnerability Database (NVD). This vulnerability is exploited on the device under test by a TCP SYN attack that causes a denial of service. The severity score for the vulnerability from CVSS tool version 2.0 is represented as:
Base Score: 7.8 (High) Vector: (CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C)