TL;DR
- Most OT pen test findings are legitimate. The recommendations that follow them are often not.
- CVSS base scores are meaningless in OT without environmental context. They do not account for physical isolation, network architecture, or scale. A vulnerability on one device in a locked room is not the same as the same vulnerability on 400 devices spread across a county, but CVSS will score th...
