S4x19 included a session on replacing the CVSS for ICS vulnerabilities. It was agreed by all three panelists that it was fatally flawed. And the replacement system that received the most interest was Art Manion’s proposed Now, Next, Never decision tree.
Art and the team at CERT/CC have worked on this approach and are prepared to release something that is highly applicable to ICS. Yet any system that requires time consuming analysis of each vulnerability will likely have low adoption rates.
This session looks at how to take the new decision tree approach, and an ICS asset management system, to automate the process of determining what patches to apply when in your ICS.