Does unknown risk mean no risk?
Not at all.
What you don’t know can hurt you. Hidden vulnerabilities can persist undetected for years, exposing operational environments and critical infrastructure to cyberattacks.
Introducing the CSAV Framework
For years, OT security has relied on CVEs (Common Vulnerabilities and Exposures) as the primary measure of risk. But what happens when no CVEs are published? Does that mean a device is secure?
OTORIO is challenging outdated risk models with CSAV (Compensating Scoring for Asset Vulnerability)—a new methodology that uses specific vendor and asset parameters to provide a clearer, more accurate evaluation of OT risks beyond reported vulnerabilities.
You can try this framework yourself using our open-source CSAV calculator.
An Industry-Wide Initiative
CSAV is more than just a framework—it’s an evolving industry initiative. We’ve conducted extensive research across multiple OT networks, identifying key risk factors and assigning precise weights to create an initial foundation for assessing hidden vulnerabilities. But this is just the beginning.
We invite industry leaders to collaborate, refine, and expand this approach. Together, we can develop a more effective way to identify and mitigate OT risks before they become threats.
Tried and Tested Methodology
The framework and calculator were evaluated through a real-world case study on Stuxnet and Siemens WinCC. OTORIO CTO and co-founder Yair Attar presented the findings at the recent S4*25 event in Tampa, Florida.
Act Before a CVE is Published
Don’t wait for a CVE to protect your OT assets. Whether assessing lifecycle risks, attack surfaces, or vendor practices, OTORIO ensures your focus stays where it matters most—reducing risk and strengthening your security posture.