CVE, NVD, and the Vulnerability Intelligence Ecosystem

A Common Vulnerabilities and Exposures (CVE) identifier is the universal language of vulnerability management. Assigned by CVE Numbering Authorities (CNAs), which include MITRE, major vendors such as Microsoft and Cisco, and coordinating bodies such as CISA, a CVE ID (e.g., CVE-2021-44228, the Log4Shell vulnerability) uniquely identifies a specific flaw in a specific product version. The National Vulnerability Database (NVD), maintained by NIST, enriches CVE entries with CVSS scores, CWE classifications, CPE applicability statements (which product versions are affected), and reference links to vendor advisories, exploit databases, and patches.

Supplement NVD with ICS-specific sources. CISA publishes ICS-CERT advisories at cisa.gov/ics-advisories covering vulnerabilities in Siemens, Rockwell, Schneider Electric, GE, and other OT vendors' products; these advisories carry CVSS scores and often add detection guidance and mitigations tailored to operational environments where patching is constrained. Vendors such as Siemens publish their own Product CERT (ProductCERT) advisories listing affected firmware versions and workarounds.

CVSS Scoring: Base, Temporal, and Environmental

CVSS v3.1 (and the newer CVSS v4.0) scores vulnerabilities on a 0 to 10 scale across several metric groups. The Base Score is vendor-published and reflects the inherent characteristics of the vulnerability: Attack Vector (Network/Adjacent/Local/Physical), Attack Complexity (Low/High), Privileges Required, User Interaction, Scope (Changed/Unchanged), and the impact on Confidentiality, Integrity, and Availability (None/Low/High for each). A network-exploitable vulnerability that requires no privileges and no user interaction, changes scope, and has High impact on all three CIA components, such as CVE-2021-44228, scores a Base of 10.0.

The Temporal Score adjusts the Base for exploit maturity (is working exploit code publicly available?), remediation level (is a patch available?), and report confidence. A Base 10.0 with no public exploit and an official fix might score 8.5 temporally. The Environmental Score is calculated by the consuming organization to reflect their specific context: if Confidentiality is irrelevant to a process historian (it only serves as an integrity and availability source), the environmental modifier reduces the effective score. This matters because a CVE with a Base of 9.8 in a compensated, air-gapped environment with no internet reachability to the affected component may present much lower actual risk than its score implies.

Vulnerability Scanning: Nessus, OpenVAS, and Tenable OT

Tenable Nessus and its enterprise platform Tenable.io / Tenable.sc are the industry standard for authenticated network vulnerability scanning. An authenticated scan (using Windows credentials or SSH keys) discovers installed software, registry-based patch levels, and running services far more accurately than unauthenticated scanning. OpenVAS (now GVM, the Greenbone Vulnerability Manager) is the open-source alternative. For OT environments, Tenable OT Security (formerly Indegy) performs passive discovery combined with targeted active queries against ICS devices using protocol-native requests (e.g., reading the firmware version from a Modbus device identity register) rather than generic port scanning. Claroty Continuous Threat Detection and the Dragos Platform similarly provide vulnerability context derived from passive traffic analysis, correlating detected device versions against known CVEs without active scanning.

Patch Management Lifecycle

A mature patch management process follows four phases. Assess: receive vendor advisories and NVD feeds, correlate them against the asset inventory, and determine which assets are affected and their CVSS and environmental risk scores. Test: validate patches in a non-production replica environment before deployment, confirming that application functionality is not adversely affected. Deploy: schedule maintenance windows, apply the patches, and document the change through the change management process. Verify: rescan after patching to confirm the vulnerability is remediated. Where patching is not feasible within a risk-acceptable timeframe, document compensating controls: network ACLs that prevent exploitation, application whitelisting that blocks exploit payloads, or enhanced monitoring that detects exploitation attempts. NERC CIP-007-6 R2 requires this documented compensating control approach for patches that cannot be applied within the 35-day window.

EPSS and the CISA KEV Catalog

CVSS tells you how bad a vulnerability is theoretically. It does not tell you how likely it is to be exploited. The Exploit Prediction Scoring System (EPSS), maintained by FIRST.org, uses machine learning trained on observed exploitation data to estimate the probability that a CVE will be exploited in the wild within 30 days. A CVE with CVSS 9.8 and EPSS 0.3% is much less urgent than a CVSS 7.5 vulnerability with EPSS 94%. Security teams should prioritize patching based on a combined signal: high CVSS AND high EPSS AND asset exposure.

The CISA Known Exploited Vulnerabilities (KEV) catalog is the authoritative signal that a vulnerability is being actively exploited in the wild. CISA's Binding Operational Directive (BOD) 22-01 requires US federal agencies to remediate KEV entries within strict deadlines (typically 2 weeks for high-severity entries). For non-federal organizations, the KEV catalog is an invaluable signal: if CISA confirms active exploitation, deprioritizing that CVE is extremely difficult to justify. OT-specific CVEs appear in the KEV catalog with increasing frequency, including vulnerabilities in Schneider Electric products and SCADA platforms.
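The two paragraphs above describe prioritising on a combined signal (KEV membership, then CVSS AND EPSS AND exposure); the following is an added Python sketch of such a triage rule, written for this page rather than taken from CISA, FIRST or any vendor tool. The tier thresholds, exposure weights, EPSS values and the placeholder CVE IDs are assumptions constructed for illustration; CVE-2021-44228's presence in the KEV catalog is real.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    cve: str
    cvss_base: float   # NVD base score, 0 to 10
    epss: float        # EPSS probability of exploitation within 30 days, 0.0 to 1.0
    in_kev: bool       # listed in the CISA KEV catalog (confirmed exploitation)
    exposure: str      # "internet", "enterprise" (reachable internally) or "isolated"

# Relative reachability of the affected asset; these weights are an assumption.
EXPOSURE_WEIGHT = {"internet": 1.0, "enterprise": 0.6, "isolated": 0.2}

def tier(f: Finding) -> str:
    """Map one finding to a remediation tier using the combined signal."""
    if f.in_kev:                           # confirmed exploitation outranks any theoretical score
        return "P1"
    exposed = f.exposure != "isolated"
    if f.cvss_base >= 7.0 and f.epss >= 0.10 and exposed:
        return "P2"                        # severe AND likely AND reachable
    if f.cvss_base >= 7.0 or f.epss >= 0.10:
        return "P3"                        # one strong signal: patch in the normal cycle
    return "P4"

def risk_score(f: Finding) -> float:
    """Continuous score for ordering inside a tier: severity x likelihood x reachability."""
    return round(f.cvss_base / 10 * f.epss * EXPOSURE_WEIGHT[f.exposure], 4)

def prioritise(findings):
    """Return findings ordered P1 first, then by descending risk score within a tier."""
    return sorted(findings, key=lambda f: (tier(f), -risk_score(f)))

# Constructed sample inventory: EPSS values and the placeholder CVE IDs are made up.
SAMPLE = [
    Finding("CVE-0000-0001 (placeholder)", 9.8, 0.003, False, "isolated"),
    Finding("CVE-0000-0002 (placeholder)", 7.5, 0.94, False, "internet"),
    Finding("CVE-2021-44228", 10.0, 0.97, True, "enterprise"),
    Finding("CVE-0000-0003 (placeholder)", 5.3, 0.02, False, "enterprise"),
]

if __name__ == "__main__":
    for f in prioritise(SAMPLE):
        print(tier(f), f.cve, risk_score(f))
```

The CVSS 9.8 / EPSS 0.3% finding on an isolated asset lands in P3 behind the CVSS 7.5 / EPSS 94% internet-facing one, which is the ordering the paragraph argues for.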

Penetration Testing Types and OT Scoping

Black box testing simulates an external attacker with no prior knowledge: the tester starts with only a company name or IP range. Grey box provides partial information (network diagrams, credentials for one account) to simulate an insider threat or a phisher who has gained initial access. White box provides full system documentation and source code access, enabling the deepest vulnerability analysis. For OT environments, scope and rules of engagement must be defined explicitly: which systems can be scanned actively, which require passive-only methods, which are strictly out of scope (live safety systems), and what constitutes an unacceptable test condition (triggering a safety relay, causing a process upset). Most mature OT penetration testing programs follow a passive-first, controlled-active approach: passive network capture and analysis first, then targeted active queries against agreed-upon test assets, with a safety officer empowered to terminate the engagement immediately if any anomaly is observed in process telemetry.

OWASP Top 10 and CWE Top 25

The OWASP Top 10 catalogs the most critical web application security risks: Injection (SQL, command, LDAP), Broken Access Control, Cryptographic Failures, Security Misconfiguration, Vulnerable and Outdated Components, and others. Many OT environments include web-based SCADA interfaces or historian web portals that are subject to exactly these vulnerabilities; a web-based PI Vision interface exposed without MFA is an OWASP A07 (Identification and Authentication Failures) finding. The CWE Top 25 Most Dangerous Software Weaknesses, published by MITRE, categorizes root-cause weaknesses at the code level: CWE-787 (Out-of-bounds Write), CWE-79 (XSS), CWE-89 (SQL Injection), CWE-416 (Use After Free). These classifications drive secure code review checklists and static analysis tool configurations in secure SDLC programs, and appear in CVE entries to help developers understand the underlying weakness being exploited.