What Would Make SSVC More Useful in OT Environments?

[ahouseholder]

We’ve had Issue #14 open for a while now about SSVC adoption in Industrial Control Systems (ICS) and Operational Technology (OT) environments, but progress has been slow—largely because we still don’t have a clear picture of what the OT community needs from a decision framework like SSVC.

So, we’re opening this thread to gather input directly from folks working in OT or adjacent spaces.

If you’ve evaluated SSVC for OT use cases—or thought about doing so—we’d love to hear:

• What barriers did you run into?
• What would SSVC need to do differently to be useful in your environment?
• Are there assumptions that don’t map well to OT realities?
• Are there parts of SSVC that do work well for OT?
• Have you tried combining CVSS (v3 or v4) and SSVC? Did that combination help—or fall short?

Note

We’re not positioning SSVC as a replacement for CVSS. Instead, we’re curious about how the two work (or don’t work) together for OT risk and response decisions. If there’s a gap, we’d like to understand what it is and how to close it.

Please feel free to share ideas, complaints, partial thoughts, or just questions.

[ahouseholder]

I wanted to note:

• Sightings #291 (comment)
• Review *OT-CRIT: Impact-based Criticality Ranking of Internet-facing Operational Technology* for decision points and tables #888

both reference Martino Tommasini's Master's Thesis which constructs an OT asset criticality ranking model based on SSVC. Curious for OT-knowledgeable folk to comment on whether that's a useful approach.

[pdhuff]

Good article on Internet-facing OT. For ICS behind the firewall, the deployer model prioritizes well, but remediation is often not possible in the time constraints. Consider adding an explicit decision point that routes findings to remediation or mitigation based on device-change risk (e.g., safety, availability impact, vendor support, validation and rollback complexity, etc.).