Applying CVSS to Vulnerability Scoring in Cyber-Biological Systems

Research output: Chapter in Book/Report/Conference proceeding › Chapter › peer-review

1 Scopus citations

Abstract

With the advent of synthetic biology, security concerns are rapidly emerging, spanning both the biological and the digital realms. These concerns materialize into concrete weaknesses and vulnerabilities in biological and biomedical systems and in their supply chains. Cybersecurity risks and their biological impact on biosafety and health must be considered when developing new protocols, biological systems, and supporting machinery. It is very important to assess the risk and impact of exploiting cyberbiosecurity vulnerabilities in a systematic and methodological way. The Common Vulnerability Scoring System (CVSS) quantifies the risk and impact of vulnerabilities in digital (software and hardware) systems. Although vulnerabilities in the machinery supporting synthetic biology can be reported in a standard way, their severity scoring does not encompass the biosafety and health impacts. Furthermore, no current scoring systems exist for vulnerability assessment in the biological systems themselves (i.e., synthetic genes, biosensors, DNA chips, etc.). In this chapter, we challenge the ability of CVSS to address biosecurity and cyberbiosecurity concerns in synthetic biology by showcasing three different cyberbiosecurity attacks. We conclude that the CVSS v3.1 scale is general enough to accommodate biological systems after minor adjustments to its specification. Specifically, we generalize the environmental metrics of CVSS to consider the security requirements of biological processes the same way they are considered for digital software or hardware. We further discuss a potential issue with the scope change metric of CVSS and the definition of security authority when it comes to living organisms.

Original language: English
Title of host publication: Cyberbiosecurity
Subtitle of host publication: A New Field to Deal with Emerging Threats
Publisher: Springer International Publishing
Pages: 115-134
Number of pages: 20
ISBN (Electronic): 9783031260346
ISBN (Print): 9783031260339
State: Published - 1 Jan 2023

Keywords

  • CVSS
  • Cyberbiosecurity
  • Rubric
  • Vulnerability scoring

ASJC Scopus subject areas

  • General Medicine
  • General Engineering
  • General Biochemistry, Genetics and Molecular Biology
  • General Agricultural and Biological Sciences
