
Understanding CVSS Scores

CVSS (Common Vulnerability Scoring System) version 3.1 is the industry standard for rating the severity of software vulnerabilities. Every CVE in BreachSpider includes a CVSS score. This guide explains the scoring system in plain language for OT operators who need to understand what the numbers mean without being vulnerability researchers.


The Score

CVSS produces a number from 0.0 to 10.0. The score is calculated from a formula based on eight characteristics of the vulnerability. It is not a subjective opinion -- it is a deterministic calculation that anyone can reproduce from the same inputs.

Score Range    Severity    Color in BreachSpider
9.0 - 10.0     Critical    Red
7.0 - 8.9      High        Orange
4.0 - 6.9      Medium      Yellow
0.1 - 3.9      Low         Blue

A CVSS 10.0 means: the vulnerability can be exploited remotely, requires no authentication, requires no user interaction, and results in complete compromise of confidentiality, integrity, and availability.


The Eight Components

1. Attack Vector (AV)

How does the attacker reach the vulnerable component?

  • NETWORK (N): The attacker can reach the target over the internet or any network. This is the most dangerous vector.
  • ADJACENT (A): The attacker must be on the same network segment (same VLAN, same WiFi network, same broadcast domain).
  • LOCAL (L): The attacker must already have access to the machine (logged in as a user, or malware already running on the system).
  • PHYSICAL (P): The attacker must have physical access to the device (USB port, serial console, physical manipulation).

For ICS environments, ADJACENT is particularly relevant because many OT networks are flat -- if an attacker reaches the OT VLAN, they can reach every device on it.

2. Attack Complexity (AC)

How difficult is the attack to execute?

  • LOW (L): The attack is reliable and repeatable. An attacker can exploit it consistently without specialized conditions.
  • HIGH (H): The attack requires specific conditions, timing, or configuration that the attacker cannot control. It may not work every time.

3. Privileges Required (PR)

What level of access does the attacker need before exploiting the vulnerability?

  • NONE (N): No account or credentials required. The attacker does not need to authenticate.
  • LOW (L): A regular user account is required.
  • HIGH (H): An administrative or privileged account is required.

4. User Interaction (UI)

Does the attack require a human to do something?

  • NONE (N): The attack is fully automated. No human action required.
  • REQUIRED (R): A user must click a link, open a file, visit a page, or take some other action.

5. Scope (S)

Can the vulnerability affect systems beyond the vulnerable component itself?

  • CHANGED (C): The vulnerability can impact other systems. Example: a vulnerability in a web server's sandbox that lets the attacker escape to the host OS.
  • UNCHANGED (U): The impact is contained to the vulnerable component only.

6. Confidentiality Impact (C)

What happens to data confidentiality if exploited?

  • HIGH (H): All data in the affected component can be read by the attacker.
  • LOW (L): Some data can be read, but the attacker does not have full access.
  • NONE (N): No confidentiality impact.

7. Integrity Impact (I)

What happens to data integrity if exploited?

  • HIGH (H): The attacker can modify any data in the affected component.
  • LOW (L): Some data can be modified, but not all.
  • NONE (N): No integrity impact.

8. Availability Impact (A)

What happens to system availability if exploited?

  • HIGH (H): The attacker can take the system completely offline or make it unusable.
  • LOW (L): System performance is degraded but not completely disrupted.
  • NONE (N): No availability impact.

For ICS operators, availability is often the most critical impact. A PLC that is taken offline can stop a production line, shut down a water treatment process, or trip a power distribution system. When evaluating CVEs for your OT environment, pay special attention to the Availability Impact.


CVSS Limitations for ICS/OT

CVSS was designed for IT systems. It does not account for:

  • The difficulty of patching OT devices in production.
  • The physical safety impact of a compromised control system.
  • The operational cost of taking a process offline to apply a patch.
  • The isolation (or lack thereof) of OT networks.

This is why BreachSpider uses BCS alongside CVSS. BCS incorporates exploitation intelligence (EPSS, KEV, exploit availability) and ICS relevance to produce a priority-weighted score that is more actionable for OT operators.


CVSS vs BCS

            CVSS                              BCS
Measures    Severity (how bad)                Urgency (how soon to act)
Inputs      8 technical characteristics       CVSS + EPSS + KEV + exploits + ICS relevance
Updates     Set once at publication           Updates as new intelligence arrives
Use case    Understanding the vulnerability   Prioritizing your remediation queue

A CVSS 7.5 with a public exploit, KEV flag, and ICS relevance may deserve a higher BCS (9.8) than a CVSS 9.8 with no known exploitation (BCS 6.2). Always check BCS before CVSS when deciding what to fix first.