NLP-based automated scoring of OT misconfigurations via CWE and CVSS mapping

Misconfigurations within Operational Technology (OT) environments represent a significant source of cyber risk, often resulting in critical disruptions to industrial processes. However, the absence of standardized methodologies for quantifying their impact hinders effective risk assessment and prioritization. This study proposes a novel and fully automated framework that maps misconfigurations to the Common Weakness Enumeration (CWE) taxonomy through semantic similarity techniques, employing state-of-the-art sentence embedding models and cosine similarity metrics. The framework enables the computation of quantitative risk indicators by linking the identified CWEs to associated Common Vulnerabilities and Exposures (CVEs) and aggregating their Common Vulnerability Scoring System (CVSS) scores. A voting ensemble of pre-trained language models is introduced to enhance robustness and semantic accuracy. Experimental validation demonstrates improved precision over single-model baselines, confirming the efficacy of the proposed approach. The resulting system offers a scalable, data-driven tool for OT stakeholders to evaluate and prioritize misconfigurationrelated cybersecurity threats systematically.