Maritime OT Risk Scoring Matrix
A complete reference guide to CVSS v3.1 and v4.0 scoring metrics, covering attack vectors, complexity, privileges, interaction, and impact categories. Designed to help ETOs, Technical Superintendents, and DPAs read and interpret standard vulnerability scores from the Threat Intelligence Feed without needing a security background. Use this alongside the feed to understand what a score means before deciding whether a CVE requires action on your vessel.
| Category | Option | Danger | Detailed Interpretation |
|---|---|---|---|
| Exploitability Metrics | | | |
| Attack Vector (AV) | Network (N) | 🔴 High | Remote: Exploitable via the Internet/Outside. |
| | Adjacent (A) | 🟠 Med | Nearby: Limited to local Wi-Fi/Bluetooth range. |
| | Local (L) | 🟡 Low | On-Site: Requires shell/local OS access. |
| | Physical (P) | 🟢 Low | Touch: Must have physical hardware access. |
| Complexity (AC) | Low (L) | 🔴 High | Easy: No specialized timing or conditions needed. |
| | High (H) | 🟢 Low | Hard: Must bypass ASLR/DEP or win a race. |
| Privileges (PR) | None (N) | 🔴 High | Public: No account required to exploit. |
| | Low (L) | 🟠 Med | Standard: Requires basic user login. |
| | High (H) | 🟢 Low | Admin: Requires root/admin credentials. |
| Interaction (UI) | None (N) | 🔴 High | Silent: No human action needed to trigger. |
| | Required (R) | 🟡 Low | Phish: Victim must click or execute a file. |
| Impact Metrics | | | |
| Scope (S) | Changed (C) | 🔴 High | Viral: Can spread and impact other systems/OS. |
| | Unchanged (U) | 🟢 Low | Contained: Damage limited to target application. |
| Confidentiality (C) | High (H) | VAR | Full data breach; all information exposed. |
| | Low (L) | VAR | Partial leak; some information exposed. |
| | None (N) | VAR | No data exposure. |
| Integrity (I) | High (H) | VAR | Full control; attacker can modify any data. |
| | Low (L) | VAR | Minor changes; limited modification. |
| | None (N) | VAR | No data modification possible. |
| Availability (A) | High (H) | VAR | Total outage; system is unusable. |
| | Low (L) | VAR | Degraded; system is slow or unstable. |
| | None (N) | VAR | No impact to system uptime. |
| Category | Option | Danger | v4.0 Specification & Business Logic |
|---|---|---|---|
| Base: Exploitability & Requirements | | | |
| Attack Vector (AV) | Network | 🔴 High | Remote exploitation across the internet. |
| | Adjacent | 🟠 Med | Local network/Bluetooth range. |
| | Local | 🟡 Low | Local terminal or user session. |
| | Physical | 🟢 Low | Physical hardware tampering required. |
| Complexity (AC) | Low | 🔴 High | Reliable attack; no security bypass needed. |
| | High | 🟢 Low | Requires bypassing advanced protections. |
| Attack Req. (AT) | None | 🔴 High | Works on standard/default configurations. |
| | Present | 🟢 Low | Requires rare/specific system states. |
| Interaction (UI) | None | 🔴 High | Zero-click; fully automated. |
| | Passive | 🟠 Med | User merely views content (visits a page). |
| | Active | 🟡 Low | User must perform a specific action. |
| Impact: Vulnerable System (The Target App / "Inner Circle") | | | |
| V-Confid (VC) | H / L / N | VAR | Passwords: Can the attacker read the app's internal passwords/data? |
| V-Integ (VI) | H / L / N | VAR | Settings: Can the attacker change the app's internal settings? |
| V-Avail (VA) | H / L / N | VAR | Crash: Can the attacker make the app freeze or crash? |
| Impact: Subsequent Systems (Infrastructure / "Blast Radius") | | | |
| S-Confid (SC) | H / L / N | VAR | Server Breach: Can they read files on the Windows/Cloud DB behind the app? |
| S-Integ (SI) | H / L / N | VAR | Wipe: Can they delete the server hard drive or modify the OS? |
| S-Avail (SA) | H / L / N | VAR | Outage: Can they shut down the entire network or host hardware? |
| Supplemental Metrics | | | |
| Safety (S) | Present | 🔴 High | Life-Safety: Potential for physical injury. |
| | Negligible | 🟢 Low | No physical risk to humans. |
| Automatable (AU) | Yes | 🔴 High | Wormable: Can spread automatically like a virus. |
| | No | 🟢 Low | Requires manual effort per target. |
| Recovery (R) | Automatic | 🟢 Low | System self-heals or reboots. |
| | User | 🟠 Med | Requires manual intervention to restore. |
| | Irrecoverable | 🔴 High | Bricked: Hardware must be replaced. |
What does "VAR" mean?
VAR (Variable) means the danger depends on the value (H/L/N) selected for that metric:
- 🔴 High (H): Total loss of control/security.
- 🟠 Low (L): Partial exposure or damage.
- 🟢 None (N): No impact to this category.
Inner Circle vs. Blast Radius
Vulnerable System: Damage strictly inside the software containing the bug.
Subsequent System: The damage to everything else connected (OS, Network, Database).
Color Logic Context
🟡 Yellow: Technically "Low" but high risk because phishing (Interaction) and local access are common paths.
🟢 Green: "Physical" is the safest because it requires a person to touch the device.
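To apply the two tables and the VAR rule above to a vector string as it appears in a feed entry, here is an added example (not part of this guide) that decodes a CVSS:3.1 or CVSS:4.0 vector into the danger tiers listed above. It assumes the v4.0 Privileges Required (PR) metric, which the v4.0 table omits, uses the same tiers as v3.1 PR; the vector strings in the comments are constructed, not taken from a real advisory.

```python
# Added example, not part of this guide: decode a CVSS v3.1 or v4.0 vector
# string into the danger tiers of the tables above. Assumption: v4.0 PR,
# which the v4.0 table omits, reuses the v3.1 PR tiers.
DANGER_V31 = {
    "AV": {"N": "High", "A": "Med", "L": "Low", "P": "Low"},
    "AC": {"L": "High", "H": "Low"},
    "PR": {"N": "High", "L": "Med", "H": "Low"},
    "UI": {"N": "High", "R": "Low"},
    "S": {"C": "High", "U": "Low"},  # Scope
}
DANGER_V40 = {
    "AV": {"N": "High", "A": "Med", "L": "Low", "P": "Low"},
    "AC": {"L": "High", "H": "Low"},
    "AT": {"N": "High", "P": "Low"},
    "PR": DANGER_V31["PR"],  # assumption, see above
    "UI": {"N": "High", "P": "Med", "A": "Low"},
    "S": {"P": "High", "N": "Low"},  # Safety (supplemental)
    "AU": {"Y": "High", "N": "Low"},
    "R": {"A": "Low", "U": "Med", "I": "High"},
}
# Impact metrics are "VAR": the tier follows the value the scorer picked.
VAR_IMPACT = {"H": "High", "L": "Low", "N": "None"}
IMPACT = {"CVSS:3.1": ("C", "I", "A"),
          "CVSS:4.0": ("VC", "VI", "VA", "SC", "SI", "SA")}
TABLES = {"CVSS:3.1": DANGER_V31, "CVSS:4.0": DANGER_V40}
TIER_ORDER = ("None", "Low", "Med", "High")

def decode(vector):
    """Map each metric in a CVSS vector to (value, danger tier).
    e.g. decode("CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H")"""
    version, _, body = vector.partition("/")
    if version not in TABLES:
        raise ValueError("unsupported CVSS prefix: %r" % version)
    decoded = {}
    for part in body.split("/"):
        metric, _, value = part.partition(":")
        if value == "X":  # Not Defined: nothing to rate
            continue
        if metric in TABLES[version]:
            decoded[metric] = (value, TABLES[version][metric][value])
        elif metric in IMPACT[version]:
            decoded[metric] = (value, VAR_IMPACT[value])
        # Metrics the tables do not cover (temporal, environmental) are skipped.
    return decoded

def highest_danger(decoded):
    """Worst tier across the decoded metrics ('None' if nothing was rated)."""
    return max((tier for _, tier in decoded.values()),
               key=TIER_ORDER.index, default="None")
```

`highest_danger` gives a quick first-pass flag; the per-metric output is what tells you whether the path to the vessel (AV, PR, UI) or the blast radius (SC/SI/SA, Safety) is driving the score.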
