Beyond CVSS: OT Security Looks for Its Risk Methodology
- TPO Group
- Mar 16
Updated: Mar 18

As operational technology (OT) environments outgrow IT-centric risk models, industry leaders are rethinking whether traditional tools like CVSS can meaningfully guide decision-making. In a recent article in OT.Today, TPO Group’s Allan Friedman highlights the core limitation: translating real-world operational context into vulnerability scoring is not just difficult—it’s often impractical. As he notes, the data required to reflect true risk “lives deep within operational environments” and is rarely accessible in a structured or scalable way, making precise, context-rich scoring elusive.
Munish Walther-Puri, Head of Critical Digital Infrastructure at TPO Group, points to a broader evolution in approach. Rather than focusing narrowly on individual vulnerabilities, he emphasizes the need for a holistic, system-level methodology—one that prioritizes infrastructure criticality and interdependencies. In his view, effective OT risk management must move beyond isolated scores and instead account for how disruptions cascade across sectors and systems.

