Scoring Security Vulnerabilities in Medical Devices: Rubric for CVSS

The Common Vulnerability Scoring System (CVSS) is one of the most widely used frameworks for scoring security vulnerabilities. CVSS is a generic scoring system that can be applied to a broad spectrum of software and hardware products. Its metric definitions are intentionally product- and industry-agnostic, which makes CVSS a versatile tool: it can score a vulnerability in, say, a mobile application just as well as one in a pacemaker. That versatility brings certain limitations with it, and CVSS scoring can often be very subjective.

Use of the "default" CVSS may lead to ambiguities and inconsistencies when it is applied to vulnerabilities affecting Internet of Things (IoT) devices. Taking the healthcare and medical devices sector in particular as an example, the CVSS framework does not take into account clinical environment conditions, patient safety and other typical healthcare conditions. To address these challenges, produce accurate severity ratings for vulnerabilities, and make the CVSS framework more applicable to medical devices, the United States Food & Drug Administration (US FDA) has qualified a cybersecurity Medical Device Development Tool (MDDT) in partnership with the MITRE organization. This MDDT introduces a rubric for CVSS and defines a series of structured questions and metric definitions for each vector component in CVSS, taking into account the effect on patient safety and other medical conditions.

In this presentation, we break down the guidance document from MITRE. We also demonstrate applying the rubric to actual security vulnerabilities in market products, and compare the outcome with regular CVSS 3.1 scores and vectors. We talk about the purpose of the rubric and how it adds value to the medical device cybersecurity community. We also introduce the attendees to the only web version (at the time of writing) of a calculator for this MDDT. This calculator has been developed by Deep Armor and is available for public use.

