ICS Vulnerability Disclosures Grew 110% Over Last Four Years

Biannual ICS Risk & Vulnerability Report from Claroty’s Team82 finds 34% of vulnerabilities affect IoT, IT, and medical devices, highlighting need to extend ICS security to the XIoT

NEW YORK – March 2, 2022 – Industrial control system (ICS) vulnerability disclosures grew a staggering 110% over the last four years, with a 25% increase in the second half (2H) of 2021 compared to the previous six months, according to new research released today by Claroty, the security company for cyber-physical systems across industrial, healthcare, and enterprise environments. The fourth Biannual ICS Risk & Vulnerability Report also found that ICS vulnerabilities are expanding beyond operational technology (OT) to the Extended Internet of Things (XIoT), with 34% affecting IoT, IoMT, and IT assets in 2H 2021.

The report presents a comprehensive analysis of ICS vulnerability data from Team82, Claroty’s award-winning research team, along with trusted open sources, including the National Vulnerability Database (NVD), the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), CERT@VDE, MITRE, and industrial automation vendors Schneider Electric and Siemens.

“As more cyber-physical systems become connected, accessibility to these networks from the internet and the cloud requires defenders to have timely, useful vulnerability information to inform risk decisions,” said Amir Preminger, vice president of research at Claroty. “The increase in digital transformation, combined with converged ICS and IT infrastructure, enables researchers to expand their work beyond operational technology (OT), to the Extended IoT (XIoT). High-profile cyber incidents in 2H 2021 such as the Tardigrade malware, the Log4j vulnerability and the ransomware attack on NEW Cooperative show the fragility of these networks, stressing the need for security research community collaboration to discover and disclose new vulnerabilities.”

Key Findings

  • ICS vulnerability disclosures grew 110% over the last four years, demonstrating heightened awareness of this issue and the growing involvement of security researchers shifting toward OT environments. 797 vulnerabilities were published in 2H 2021, representing a 25% increase from 637 in 1H 2021.

  • 34% of vulnerabilities disclosed affect IoT, IoMT, and IT assets, showing that organizations will merge OT, IT, and IoT under converged security management. Therefore, asset owners and operators must have a thorough snapshot of their environments in order to manage vulnerabilities and reduce their exposure.

  • 50% of the vulnerabilities were disclosed by third-party companies and a majority of these were discovered by researchers at cybersecurity companies, shifting their focus to include ICS alongside IT and IoT security research. In addition, 55 new researchers reported vulnerabilities during 2H 2021.

  • Vulnerabilities disclosed by internal vendor research grew 76% over the last four years. This demonstrates a maturing industry and discipline around vulnerability research, as vendors are allocating more resources to the security of their products.

  • 87% of vulnerabilities are low complexity, meaning they don’t require special conditions and an attacker can expect repeatable success every time. 70% require no special privileges to exploit, and 64% require no user interaction.

  • 63% of the vulnerabilities disclosed may be exploited remotely through a network attack vector, indicating that the need for secure remote access solutions, which accelerated due to the COVID-19 pandemic, is here to stay.

  • Claroty’s Team82 continues to lead the way in ICS vulnerability research, having disclosed 110 vulnerabilities in 2H 2021 and more than 260 vulnerabilities to date.

  • The leading potential impact is remote code execution (prevalent in 53% of vulnerabilities), followed by denial-of-service conditions (42%), bypassing protection mechanisms (37%), and allowing the adversary to read application data (33%).

  • The top mitigation step is network segmentation (recommended in 21% of vulnerability disclosures), followed by ransomware, phishing and spam protection (15%) and traffic restriction (13%). 

To access the complete set of findings, in-depth analysis, and additional steps to defend against improper access and risks, download the Biannual ICS Risk & Vulnerability Report: 2H 2021.

Team82’s newly launched Slack channel is available as well for additional discussion and insight into the report. Join here.

Acknowledgements

The primary author of this report is Chen Fradkin, security researcher at Claroty’s Team82. Contributors include Rotem Mesika, security research team lead; Nadav Erez, director of innovation; Sharon Brizinov, vulnerability research team leader; and Amir Preminger, vice president of research at Claroty. Special thanks to the entire Team82 for providing exceptional support to various aspects of this report and the research efforts that fueled it.

About Claroty

Claroty empowers organizations to secure cyber-physical systems across industrial (OT), healthcare (IoMT), and enterprise (IoT) environments: the Extended Internet of Things (XIoT). The company’s unified platform integrates with customers’ existing infrastructure to provide a full range of controls for visibility, risk and vulnerability management, threat detection, and secure remote access. Backed by the world’s largest investment firms and industrial automation vendors, Claroty is deployed by hundreds of organizations at thousands of sites globally. The company is headquartered in New York City and has a presence in Europe, Asia-Pacific, and Latin America.

Enterprise Cyber Security – Data traveling into the enterprise through network entry points, including devices, downloads and attachments, is checked for threats and security breaches.

Industrial Cyber Security – Controlling the frequency and strength of attacks that result from increased demands for connectivity on the industrial control infrastructure. Transferring files is a key factor that ensures unidirectional data transfers and safe media usage.

In industrial cyber-attacks, the distinction between information technology (IT), operational technology (OT) and industrial control system (ICS) networks becomes blurred due to increased demand for connectivity. This combination exposes OT and ICS assets to cyberattacks, which can spread from the IT domain into operational environments.
