The Common Vulnerability Scoring System (CVSS) is defined by FIRST’s CVSS Special Interest Group. FIRST is the Forum of Incident Response and Security Teams; as its name indicates, this group is composed of responders to security incidents, primarily breaches of post-market products and deployed infrastructure. This perspective influences how FIRST views the CVSS scoring rubric.
In this post, we will illustrate FIRST’s general approach to scoring vulnerabilities and begin to highlight what does, and does not, apply clearly and cleanly to the medical device design phase.
CVSS is segmented into three (3) major groupings of metrics. These are:
- Base Metrics
- Temporal Metrics
- Environmental Metrics
Figure 1: CVSS 3.1 Scoring Metrics. Source: FIRST CVSS SIG
This organization system is indicative of FIRST’s post-market viewpoint. In particular, the Temporal group and the Environmental group consist of metrics that have no relevance to scoring a vulnerability during the design phase of a medical product. By contrast, in the Base group, all of the metrics are relevant to vulnerabilities discovered during the design phase of medical device development.
Missing from this diagram is a metric that previously existed in the Environmental group of CVSS version 2, “Collateral Damage.” This metric is semantically equivalent to a more commonly used term in medical devices, “Severity.” Severity represents the potential harm to users, as well as the potential threat to the device manufacturer’s business model, which would result from a given vulnerability being exploited. It is the single most important metric when scoring a medical device design.
During the design phase, our purpose is to assess vulnerabilities and assign them metrics to create a meaningful overall score that includes Severity (“Collateral Damage” from CVSS v2) and Exploitability (Base Metric Group, column 1) and measures their impacts to Confidentiality, Integrity, and Availability (Base Metric Group, column 2). Our final score must be one that prioritizes which vulnerabilities to mitigate in the device design.
CVSS 2 Versus 3
FIRST released a revision to its CVSS rubric in June 2019, officially updating CVSS to version 3.1. (Version 3.0 was released in 2015; version 2.0 in 2007). Despite these updates, CVSS v2 remains widely used, especially for scoring vulnerabilities in medical device design.
In our next post, we’ll explain why by summarizing nine (9) key differences introduced by Version 3 and describe the relative advantages or disadvantages of each change for scoring vulnerabilities in proposed medical device designs.