
VSAR: Why OT Vulnerability Scoring Needs Operational Context

May 19, 2026

A vulnerability rated 9.8 on an HMI controlling a validated production line is not the same as a 9.8 on a development workstation. The CVSS score is identical. The operational risk is not.

48% of vulnerabilities found in OT/IoT environments in H2 2025 were rated Critical or High severity [1]. When so many vulnerabilities carry top-tier severity labels, security teams have no practical way to decide what to fix first. Yet only about 4% of ICS vulnerabilities are actively exploited at the time of disclosure, with a median of 24 days to weaponization [2]. Most high-severity scores do not translate into immediate operational risk.

The problem is not a lack of data. It is a lack of context.

CVSS-only scoring gives the same 9.8 to every asset, regardless of operational context


What CVSS Gets Wrong in OT

CVSS was designed for IT environments where patching is routine and downtime is measured in minutes. In OT, patching requires maintenance windows, production scheduling, validation testing, and operational sign-off. A CVSS 9.8 vulnerability that takes five minutes to patch in IT might take six weeks to address in OT, if it gets addressed at all.

CVSS also treats every instance of a vulnerability the same. It does not account for whether the affected asset is on an air-gapped network or connected to the internet. It does not factor in whether an exploit exists in the wild or remains theoretical. It does not consider whether existing protections already mitigate the exposure.

For an IT security analyst extending coverage into OT, this creates a specific problem. The prioritization framework you rely on in IT does not translate. You end up presenting operations teams with a list of 200 critical vulnerabilities and no way to explain which ones actually matter to their production environment. Operations pushes back. Remediation stalls.


What VSAR Does Differently

TXOne’s Vulnerability Situational Awareness Rating (VSAR) is a proprietary scoring methodology built to solve this problem. It combines multiple inputs into a single risk indicator that reflects operational reality rather than theoretical severity.

CVSS base score establishes the starting severity. This is the same foundation every vulnerability management program uses. VSAR builds on it.

EPSS (Exploit Prediction Scoring System) adds exploitation probability. EPSS is a public metric maintained by FIRST that predicts the likelihood a vulnerability will be exploited in the wild within the next 30 days. A CVSS 9.8 with an EPSS score of 0.02% is a different conversation than a CVSS 7.5 with an EPSS score of 85%.

Real-world attack telemetry from TXOne’s global sensor deployments and honeypot infrastructure. The TXOne Threat Research Team monitors active exploitation campaigns, lateral movement patterns, and threat actor behavior targeting industrial environments in real time. If a vulnerability is being actively exploited against OT systems, VSAR reflects that immediately.

Ongoing threat intelligence from the TXOne research team, including the age of the vulnerability, known exploits in the wild, and publicly available proof-of-concept code.

VSAR is continuously updated as new exploitation activity is detected. A vulnerability that was low-priority last week can escalate once active attack campaigns emerge. Static scoring misses these shifts. VSAR captures them.


What It Produces

VSAR separates the 4% that matter now from the 96% that can wait


The output is not another vulnerability list sorted by a different number. VSAR scores feed directly into SenninOne’s improvement planning workflow, where vulnerabilities are tied to specific assets, mapped against production constraints, and organized into a prioritized remediation plan.

When a vulnerability scores VSAR Critical, the associated ticket identifies the affected asset, the production process it supports, and the recommended remediation path. Operations teams review a concrete plan with operational context attached, not an abstract severity number.

This is the difference between a report that says, “patch this because it’s critical” and a plan that says, “this asset on production line 3 has an actively exploited vulnerability; here is the remediation path that accounts for your next maintenance window”.

Roughly 4% of ICS vulnerabilities are actively exploited at the time of disclosure. 26% of ICS vulnerability advisories carry no available patch [2]. VSAR separates the urgent from what can be deferred. For the 26% with no available patch, VSAR flags alternative mitigation paths like virtual patching.
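To make the contrast concrete, here is an added example (not TXOne's code, and not the proprietary VSAR formula) that ranks a few constructed findings by a hypothetical context-aware score combining CVSS, EPSS, OT exploitation telemetry, exposure and patch availability, and attaches a remediation path to each, alongside a plain CVSS-only ordering. The weights and the placeholder CVE identifiers are assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    cve: str               # placeholder identifier, constructed for this example
    asset: str
    process: str           # production process the asset supports
    cvss: float            # CVSS base score, 0-10
    epss: float            # EPSS probability of exploitation in 30 days, 0-1
    exploited_in_ot: bool  # active exploitation seen in OT telemetry (assumed input)
    internet_exposed: bool
    patch_available: bool

def context_score(f: Finding) -> float:
    """Hypothetical weighting, not VSAR's: CVSS base adjusted by EPSS, telemetry and exposure."""
    score = f.cvss * (0.5 + f.epss)       # EPSS near 0 halves severity, near 1 boosts it
    if f.exploited_in_ot:
        score = max(score, 9.0)           # active OT exploitation escalates immediately
    if not f.internet_exposed:
        score *= 0.6                      # isolated asset: exposure reduced, not eliminated
    return round(min(score, 10.0), 2)

def remediation(f: Finding) -> str:
    """Remediation path that respects OT constraints (no-patch cases get virtual patching)."""
    if not f.patch_available:
        return "no vendor patch: virtual patching and segmentation on " + f.process
    if f.exploited_in_ot:
        return "virtual patch now; vendor patch at next maintenance window"
    return "schedule vendor patch in routine maintenance window"

def prioritize(findings):
    """Context-ranked plan: (cve, asset, score, remediation), highest risk first."""
    ranked = sorted(findings, key=context_score, reverse=True)
    return [(f.cve, f.asset, context_score(f), remediation(f)) for f in ranked]

def cvss_only(findings):
    """CVSS-only ordering for comparison; ties at 9.8 carry no operational signal."""
    return [f.cve for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]

# Constructed sample findings (placeholder CVE ids, not real advisories)
SAMPLE = [
    Finding("CVE-0000-0001", "dev-workstation-07", "engineering lab", 9.8, 0.0002, False, False, True),
    Finding("CVE-0000-0002", "hmi-line3-01", "production line 3", 7.5, 0.85, True, True, False),
    Finding("CVE-0000-0003", "hmi-line1-02", "production line 1", 9.8, 0.01, False, True, True),
]
```

Under CVSS alone the two 9.8 findings lead; with context, the actively exploited 7.5 on line 3 ranks first and is routed to virtual patching because no vendor patch exists.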


Why It Matters

65% of organizations cite fear of operational disruption as a major barrier to security rollouts [3]. That fear is rational when the only prioritization tool available is a severity number that ignores production reality. VSAR gives security teams a defensible basis for recommending action, and gives operations teams enough context to approve it.

For IT security analysts responsible for OT coverage, VSAR replaces the argument about severity with a shared view of operational risk. That is what moves findings from a spreadsheet into production.


See VSAR in your environment. Request a SenninRecon assessment. Passive deployment. No production impact. Results in days. SenninRecon maps your OT assets and delivers a risk-prioritized improvement plan that both security and operations can act on.


Sources:

  1. Nozomi Networks OT/IoT Security Report, 2H 2025
  2. Dragos 9th Annual OT/ICS Cybersecurity Year in Review, 2026
  3. TXOne Networks / Omdia OT Security Survey, 2025