
Does unknown risk mean no risk? Not at all. What you don’t know CAN hurt you.
OTORIO, a leading provider of OT cybersecurity solutions, has introduced the CSAV (Compensating Scoring for Asset Vulnerability) Framework, a groundbreaking methodology designed to quantify cybersecurity risks for operational technology (OT) assets that lack published CVEs. Yair Attar, Co-Founder and CTO of OTORIO, introduced the CSAV Framework at the S4*25 conference during his session, “Quantifying Risk for Devices Without Published Vulnerabilities.”
Cybersecurity teams often equate the absence of published vulnerabilities with secure operations, but that assumption is dangerously outdated.
- Many OT devices lack documented vulnerabilities yet remain highly exposed to cyber threats.
- Over the past eight years, 66% of vendors mentioned in CISA advisories appeared only once.
- Effectively evaluating the risk of devices that traditional vulnerability databases overlook is a longstanding challenge in OT security.
With the introduction of CSAV, OTORIO aims to help the industry find innovative ways to evaluate hidden risks in OT environments.
Beyond CVEs: Rethinking OT Risk Assessment
The cybersecurity industry has long relied on CVEs (Common Vulnerabilities and Exposures) as the primary measure of risk. However, many OT devices operate without reported CVEs, leaving organizations without a structured way to assess their security posture. The CSAV Framework offers an alternative approach, leveraging specific vendor and asset parameters to provide a clearer, more actionable risk evaluation beyond traditional CVE-based assessments.
A Case Study: Stuxnet & Siemens WinCC
To illustrate the critical need for risk assessment beyond CVEs, OTORIO analyzed historical OT cyber incidents, including Stuxnet and its impact on Siemens WinCC systems. The Stuxnet attack, one of the most sophisticated cyber threats to OT environments, exploited unknown vulnerabilities long before CVEs were officially published. WinCC version 6.2 was released in 2005, while PCS 7 version 6.0 was released in 2002. However, it wasn’t until June 2010 that the malicious computer worm “Stuxnet” was discovered. CSAV aims to bridge this gap by providing a proactive, structured approach to risk evaluation, preventing similar blind spots in today’s OT environments.
An Open Call for Industry Collaboration
Rather than solely promoting the CSAV calculator, OTORIO is driving a broader mission to advance OT risk modeling. The CSAV framework is an evolving initiative that invites industry experts, asset owners, and cybersecurity leaders to collaborate in refining and expanding its methodology.
“The CSAV Framework is not just a tool—it’s a mindset shift,” said Yair Attar, Co-Founder and CTO of OTORIO. “For too long, the industry has relied on CVEs as the primary risk indicator, leaving too many OT assets unaccounted for. Unknown risk does not equate to no risk. CSAV is our call to action to rethink how we assess and mitigate unknown cyber risks in OT environments.”
Get Involved
Organizations and industry professionals are encouraged to explore the CSAV Framework and contribute to its evolution.