Vulnerability modelling for hybrid IT systems

Attiq Ur-Rehman, Iqbal Gondal, Joarder Kamruzzuman, Alireza Jolfaei

Research output: Chapter in Book/Report/Conference proceedingConference proceeding contributionpeer-review

18 Citations (Scopus)


Common vulnerability scoring system (CVSS) is an industry standard that can assess the vulnerability of nodes in traditional computer systems. The metrics computed by CVSS would determine critical nodes and attack paths. However, traditional IT security models would not fit IoT embedded networks due to the distinct nature and unique characteristics of IoT systems. This paper analyses the application of CVSS for IoT embedded systems and proposes an improved vulnerability scoring system based on CVSS v3 framework. The proposed framework, named CVSS IoT, is applied to a realistic IT supply chain system and the results are compared with the actual vulnerabilities from the national vulnerability database. The comparison result validates the proposed model. CVSS IoT is not only effective, simple and capable of vulnerability evaluation for traditional IT system but also exploits unique characteristics of IoT devices.
Original languageEnglish
Title of host publicationProceedings 2019 IEEE International Conference on Industrial Technology (ICIT)
PublisherInstitute of Electrical and Electronics Engineers (IEEE)
Number of pages6
ISBN (Electronic)9781538663769
Publication statusPublished - 2019
Externally publishedYes
Event20th IEEE International Conference on Industrial Technology, ICIT 2019 - Melbourne, Australia
Duration: 13 Feb 201915 Feb 2019

Publication series

NameIEEE International Conference on Industrial Technology
ISSN (Print)2643-2978


Conference20th IEEE International Conference on Industrial Technology, ICIT 2019


  • CVSS
  • IoT
  • vunerability
  • supply chain
  • security
  • Supply chain
  • Cvss
  • Vulnerability
  • Security
  • Iot


Dive into the research topics of 'Vulnerability modelling for hybrid IT systems'. Together they form a unique fingerprint.

Cite this