Eric Goldstein of CISA promotes three efforts in an article: machine-readable security advisories using CSAF; VEX, to "communicate whether a product is affected by a vulnerability and enable prioritized vulnerability response"; and the SSVC decision tree as an approach to deciding what to patch and when. Three worthwhile efforts. I'd quibble with his description of VEX, and, more importantly, the SSVC decision tree is terrible for OT. I recommend the ICS-Patch decision tree instead, which uses exposure, whether the patch will change the security posture, safety impact, and process impact.
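As an added example (not from the article or its author), the prioritization that VEX is meant to enable, worked on a constructed CSAF 2.0 VEX document: product IDs are resolved through `product_tree`, each product's status is read from the vulnerability's `product_status` buckets, and the result is sorted so affected products come first, products still under investigation next, and fixed or not-affected products last. The field names follow the CSAF 2.0 schema; the products, the CVE placeholder and the ranking order are constructed for this example.

```python
# Constructed CSAF 2.0 VEX document (sample data only; the CVE is a placeholder).
VEX_DOC = {
    "document": {"category": "csaf_vex", "title": "Constructed VEX example"},
    "product_tree": {
        "full_product_names": [
            {"product_id": "CSAFPID-0001", "name": "Example HMI 2.1"},
            {"product_id": "CSAFPID-0002", "name": "Example HMI 2.2"},
            {"product_id": "CSAFPID-0003", "name": "Example PLC 5.0"},
            {"product_id": "CSAFPID-0004", "name": "Example Historian 1.0"},
        ]
    },
    "vulnerabilities": [
        {
            "cve": "CVE-0000-00000",  # placeholder, not a real identifier
            "product_status": {
                "known_affected": ["CSAFPID-0001"],
                "fixed": ["CSAFPID-0002"],
                "under_investigation": ["CSAFPID-0003"],
                "known_not_affected": ["CSAFPID-0004"],
            },
        }
    ],
}

# Response order assumed here: act on affected products first, chase unknowns next,
# and deprioritize products the vendor says are fixed or not affected.
PRIORITY = {"known_affected": 0, "under_investigation": 1,
            "fixed": 2, "known_not_affected": 3}


def product_names(doc):
    """Map CSAF product_id -> human-readable name from product_tree.full_product_names."""
    names = doc.get("product_tree", {}).get("full_product_names", [])
    return {p["product_id"]: p["name"] for p in names}


def vex_statuses(doc):
    """Return {(cve, product_id): status} for every product in a ranked product_status bucket."""
    out = {}
    for vuln in doc.get("vulnerabilities", []):
        cve = vuln.get("cve", "<no CVE>")
        for status, ids in vuln.get("product_status", {}).items():
            if status not in PRIORITY:
                continue  # first_affected, last_affected, recommended, ... are not ranked here
            for pid in ids:
                out[(cve, pid)] = status
    return out


def prioritized(doc):
    """Worklist of (cve, product name, status) tuples, most urgent first."""
    names = product_names(doc)
    rows = [(cve, names.get(pid, pid), st) for (cve, pid), st in vex_statuses(doc).items()]
    return sorted(rows, key=lambda r: (PRIORITY[r[2]], r[1]))


if __name__ == "__main__":
    for row in prioritized(VEX_DOC):
        print(row)
```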