Challenged by the limitations of traditional NVD and CVE rating systems in assessing their specific OT vulnerabilities, a leading food manufacturer sought Verve’s expertise. We developed the Calculated Risk Rating (CRR) framework, delivering actionable insights based on detailed data that reshaped their risk management—synchronizing it flawlessly with compliance regulations and strategic aspirations.
The client’s understanding of risk in their Operational Technology (OT) environment was based on broad-brush approaches that lacked nuance, leading to a range of interconnected challenges:
1. Traditional risk assessment tools like NVD and CVSS offered limited contextual insight into the unique risks in their OT environment.
2. Without nuanced data, prioritizing cybersecurity initiatives was challenging.
3. Traditional risk assessment approaches fell short in synchronizing with the client's strategic goals and compliance obligations.
Recognizing the gaps in traditional risk assessment methods for OT environments, Verve developed the Calculated Risk Rating (CRR) framework. This solution leverages two key metrics:
1. Calculated Impact Rating (CIR): This rating quantifies the potential impact of each asset—be it site-specific, network-related, or hardware-focused—within the client’s OT landscape. Assets are categorized and then rated on a scale, which turns nebulous concepts of risk into actionable data points.
2. Exploit Prediction Scoring System (EPSS): To assess the likelihood of vulnerabilities being exploited, CRR integrates EPSS. This system uses contextual information, such as real-world evidence, to refine the probability scores of a vulnerability being exploited in the next 30 days.
By combining CIR and EPSS, the CRR framework creates a nuanced risk heat map. This heat map pinpoints critical areas that demand immediate attention, offering a more targeted approach to allocating resources for risk mitigation.
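To make the impact-times-likelihood idea concrete, here is a small added example (not Verve's CRR code, and the page does not disclose how CIR and EPSS are actually combined). It assumes a hypothetical CIR on a 1 to 5 scale, takes EPSS as the 0 to 1 probability it is published as, multiplies a normalized impact by the EPSS probability to rank findings, and then bins each finding into a 3x3 impact/likelihood heat map. The asset names and CVE identifiers are constructed placeholders.

```python
"""Toy CRR-style prioritizer: combine an asset impact rating with an EPSS
probability, rank findings, and lay them out on an impact/likelihood heat map.
Added example; assumptions: CIR is 1..5, EPSS is 0.0..1.0, risk = (CIR/5) * EPSS."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str
    cir: int      # Calculated Impact Rating (assumed scale 1 = low .. 5 = critical)
    epss: float   # EPSS probability of exploitation in the next 30 days (0.0 .. 1.0)


# Constructed sample data; asset names and CVE ids are placeholders, not real findings.
FINDINGS = [
    Finding("plc-line1", "CVE-0000-0001", cir=5, epss=0.02),
    Finding("hmi-line1", "CVE-0000-0002", cir=4, epss=0.70),
    Finding("eng-workstation", "CVE-0000-0003", cir=3, epss=0.15),
    Finding("historian", "CVE-0000-0004", cir=4, epss=0.005),
    Finding("jump-host", "CVE-0000-0005", cir=2, epss=0.90),
]


def risk_score(f: Finding) -> float:
    """Assumed combination: normalized impact (CIR/5) times EPSS probability, giving 0..1."""
    if not 1 <= f.cir <= 5:
        raise ValueError(f"CIR out of range for {f.asset}: {f.cir}")
    if not 0.0 <= f.epss <= 1.0:
        raise ValueError(f"EPSS out of range for {f.cve}: {f.epss}")
    return (f.cir / 5) * f.epss


def impact_band(cir: int) -> str:
    """Bucket the impact rating into the heat map's rows (thresholds are assumptions)."""
    if cir >= 4:
        return "high"
    if cir == 3:
        return "medium"
    return "low"


def likelihood_band(epss: float) -> str:
    """Bucket the EPSS probability into the heat map's columns (thresholds are assumptions)."""
    if epss >= 0.5:
        return "high"
    if epss >= 0.1:
        return "medium"
    return "low"


def prioritize(findings: list[Finding]) -> list[Finding]:
    """Highest combined risk first: this is the remediation order the heat map should back up."""
    return sorted(findings, key=risk_score, reverse=True)


def heat_map(findings: list[Finding]) -> dict[tuple[str, str], list[str]]:
    """Map (impact band, likelihood band) -> CVE ids landing in that cell, in input order."""
    cells: dict[tuple[str, str], list[str]] = defaultdict(list)
    for f in findings:
        cells[(impact_band(f.cir), likelihood_band(f.epss))].append(f.cve)
    return dict(cells)


if __name__ == "__main__":
    for f in prioritize(FINDINGS):
        print(f"{risk_score(f):.3f}  {f.asset:16} {f.cve}  CIR={f.cir} EPSS={f.epss}")
    for (impact, likelihood), cves in sorted(heat_map(FINDINGS).items()):
        print(f"impact={impact:6} likelihood={likelihood:6} -> {', '.join(cves)}")
```

Note what the ranking does that a CVSS-only view would not: the PLC carries the highest impact rating but a very low EPSS, so it drops below the HMI and even the low-impact jump host whose vulnerabilities are far more likely to be exploited. The heat map keeps those high-impact/low-likelihood items visible as a separate cell rather than burying them.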
With this tailored approach, we succeeded in providing the client with a level of clarity and actionable insight that was previously unattainable, allowing them to identify, quantify, and prioritize risks more efficiently.
Though CRR is still in early development, initial feedback suggests it has already positively impacted the client’s approach to risk management, moving them from mere identification of vulnerabilities to a more dynamic, data-driven, and actionable form of risk management.
By incorporating asset-specific Calculated Impact Ratings (CIR), CRR has provided the client with a more contextual understanding of their cybersecurity landscape, thereby effectively overcoming the challenge of lack of context in their risk management practices.
Through the integration of the Exploit Prediction Scoring System (EPSS), our CRR framework has added predictive analytics into the risk assessment mix. This has empowered the client to prioritize their vulnerabilities based on actual likelihoods, mitigating the previous difficulty in prioritizing risk.
The precision of the CRR heat map isn’t just technical; it’s strategic. By laying out a data-driven risk landscape, the client can make decisions that align with internal objectives and external compliance mandates. This adds another layer of efficiency, ensuring every move is both sound from a regulatory standpoint and strategically savvy.