OT cybersecurity solutions company OTORIO introduced on Thursday the CSAV (Compensating Scoring for Asset Vulnerability) framework, a methodology designed to quantify cybersecurity risks for operational technology (OT) assets that lack published CVEs. Yair Attar, co-founder and CTO of OTORIO, introduced the CSAV framework at the ongoing S4x25 conference during his session, ‘Quantifying Risk for Devices Without Published Vulnerabilities.’

Cybersecurity teams often equate the absence of published vulnerabilities with secure operations, but that assumption is dangerously outdated. 

● Many OT devices lack documented vulnerabilities yet remain highly exposed to cyber threats. 

● Over the past eight years, 66% of vendors mentioned in CISA advisories appeared only once. 

● Effectively evaluating the risk of devices that traditional vulnerability databases overlook is a longstanding challenge in OT security. 

With the introduction of the CSAV framework, OTORIO aims to help the industry find innovative ways to evaluate hidden risks in OT environments.

Beyond CVEs: Rethinking OT Risk Assessment 

The cybersecurity industry has long relied on CVEs (Common Vulnerabilities and Exposures) as the primary measure of risk. However, many OT devices operate without reported CVEs, leaving organizations without a structured way to assess their security posture. The CSAV framework offers an alternative approach, leveraging specific vendor and asset parameters to provide a clearer, more actionable risk evaluation beyond traditional CVE-based assessments. 

A Case Study: Stuxnet and Siemens WinCC 

To illustrate the critical need for risk assessment beyond CVEs, OTORIO analyzed historical OT cyber incidents, including Stuxnet, and the impact on Siemens WinCC systems. The Stuxnet attack, one of the most sophisticated cyber threats to OT environments, exploited unknown vulnerabilities long before CVEs were officially published. WinCC version 6.2 was released in 2005, while PCS 7 version 6.0 was released in 2002. 

However, it wasn’t until June 2010 that the malicious computer worm ‘Stuxnet’ was discovered. CSAV aims to bridge this gap by providing a proactive, structured approach to risk evaluation, preventing similar blind spots in today’s OT environments. 

An Open Call for Industry Collaboration 

Rather than solely promoting the CSAV calculator, OTORIO is driving a broader mission to advance OT risk modeling. The CSAV framework is an evolving initiative that invites industry experts, asset owners, and cybersecurity leaders to collaborate in refining and expanding its methodology. “The CSAV Framework is not just a tool—it’s a mindset shift,” said Attar. “For too long, the industry has relied on CVEs as the primary risk indicator, leaving too many OT assets unaccounted for. Unknown risk does not equate to no risk. CSAV is our call to action to rethink how we assess and mitigate unknown cyber risks in OT environments.”
