One of the key findings in a new report by Claroty was the growth in vulnerabilities affecting connected IoT, IT and medical devices. Vulnerabilities impacting these products grew to 34% in 2H 2021, showing the need to secure beyond the OT environment to the Extended Internet of Things (XIoT). With highly connected cyber-physical systems now the norm, the lines are becoming blurred between IT, OT and IoT; asset owners and operators must therefore have a thorough snapshot of all environments in order to manage vulnerabilities and reduce their exposure.
Beyond this, ICS vulnerabilities grew 110% over the last four years, highlighting the increased involvement of security researchers in analyzing today’s vulnerability landscape. 797 vulnerabilities were published in 2H 2021, representing a 25% increase from 637 in 1H 2021. The multiple high-profile cyberattacks that hit key parts of U.S. critical infrastructure in 2021 (like Tardigrade malware, the Log4j vulnerability and the ransomware attack on NEW Cooperative) have led organizations to prioritize XIoT cybersecurity and secure these fragile networks.
Additionally, 50% of the vulnerabilities were disclosed by third-party companies, and a majority of these were discovered by researchers at cybersecurity companies, which are shifting their focus to include ICS alongside IT and IoT security research. 55 new researchers reported vulnerabilities during 2H 2021, focusing largely on products from market-leading vendors, such as Siemens, Schneider Electric, and others.
The majority of vulnerabilities in 2H 2021 affected software components, and given the comparative ease of patching software over firmware, defenders have the ability to prioritize patching within their environments. In the event that patching isn’t an option, organizations must rely on mitigations such as network segmentation and ransomware, phishing, and spam protection.
The report presents a comprehensive analysis of ICS vulnerability data from Team82, Claroty’s award-winning research team, along with trusted open sources, including the National Vulnerability Database (NVD), the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), CERT@VDE, MITRE, and industrial automation vendors Schneider Electric and Siemens.
Read the full report by Claroty.