Jeju, South Korea ― On Thursday, a South Korean researcher proposed a novel method for assessing security vulnerabilities, aiming to actively bolster the country’s critical infrastructure against cyber threats.
At the 24th World Conference on Information Security Applications, Yoon Seong-su, a doctoral student from Chonnam National University’s System Security Research Center, shed light on the shortcomings of existing vulnerability assessment systems. His insights were based on his team’s ongoing research in the field.
According to their research paper, titled “Vulnerability Assessment Framework Based on In-the-Wild Exploitability for Prioritizing Patch Application in Control System,” the existing assessment methods fall short. Specifically, they are inadequate for accurately addressing security vulnerabilities in industrial control systems, which are widely used in manufacturing and critical infrastructure.
“In the event of a cyberattack on a nuclear power plant, the consequences could be catastrophic, such as widespread power outages,” the researcher told The Readable. “But given the critical nature of these systems, you can’t just shut everything down to address vulnerabilities. This is why it’s crucial to identify and prioritize the issues that need immediate attention.”
According to Yoon, the Common Vulnerability Scoring System (CVSS), a widely-accepted standard that security professionals use to rate the severity of vulnerabilities on a scale from 0 to 10, has its limitations. Specifically, it fails to account for how the impact of a security flaw might change over time. “Just because a vulnerability scored a 10 in 2016 doesn’t necessarily mean it poses the same level of risk in today’s environment,” the researcher elaborated.
Yoon also weighed in on the limitations of the Exploit Prediction Scoring System (EPSS), introduced to improve upon the shortcomings of the CVSS by predicting the likelihood of a vulnerability being exploited within 30 days. “EPSS bases its severity assessments on real-world data gathered within the information technology environment,” Yoon told The Readable. “This makes it difficult to seamlessly adapt this evaluation framework to the industrial control system environment.”
The researcher unveiled a fresh metric for evaluating security vulnerabilities, dubbed the “In-the-Wild Risk Score (WRS),” designed to address the inadequacies of existing scoring systems. In his view, this new framework would equip defenders with the insights needed to understand the unexpected impact of a vulnerability within an organization, thereby aiding in the formulation of a more effective protection strategy.
“We’ve introduced a new standard within the existing CVSS criteria that will help to gauge how readily a security flaw can be exploited,” Yoon shared with The Readable. However, he was quick to add that this system is still in the early stages of its development and will require further refinement to be fully effective.
