Claroty finds fall in published vulnerabilities in cyber-physical systems, as disclosures by internal teams rise 80%

Cyber-physical system vulnerabilities disclosed in the second half (2H) of 2022 have declined by 14% since hitting a peak during 2H 2021, while vulnerabilities found by internal research and product security teams have increased by 80% over the same time period, according to the State of XIoT Security Report: 2H 2022 released today by Claroty, a cyber-physical systems protection company. These findings indicate that security researchers are having a positive impact on strengthening the security of the Extended Internet of Things (XIoT), a vast network of cyber-physical systems across industrial, healthcare, and commercial environments, and that XIoT vendors are dedicating more resources to examining the security and safety of their products than ever before.

Compiled by Team82, Claroty’s research team, the sixth biannual State of XIoT Security Report is a deep examination and analysis of vulnerabilities impacting the XIoT, including operational technology and industrial control systems (OT/ICS), Internet of Medical Things (IoMT), building management systems, and enterprise IoT. The data set comprises vulnerabilities publicly disclosed in 2H 2022 by Team82 and from trusted open sources including an National Vulnerability Database (NVD), an Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), CERT@VDE, MITRE, and industrial automation vendors Schneider Electric and Siemens.

“Cyber-physical systems power our way of life. The water we drink, the energy that heats our homes, the medical care we receive all of these rely on computer code and have a direct link to real-world outcomes,” says Amir Preminger, VP research at Claroty. “The purpose of Team82’s research and compiling this report is to give decision makers in these critical sectors the information they need to properly assess, prioritise, and address risks to their connected environments, so it is very heartening that we are beginning to see the fruits of vendors’ and researchers’ labor in the steadily growing number of disclosures sourced by internal teams. This shows that vendors are embracing the need to secure cyber-physical systems by dedicating time, people, and money to not only patching software and firmware vulnerabilities, but also to product security teams overall.”

Key findings

  • Affected devices: 62% of published OT vulnerabilities affect devices at Level 3 of the Purdue Model for ICS. These devices manage production workflows and can be key crossover points between IT and OT networks, thus very attractive to threat actors aiming to disrupt industrial operations.
  • Severity: 71% of vulnerabilities were assessed a CVSS v3 score of “critical” (9.0-10) or “high” (7.0-8.9), reflecting security researchers’ tendency to focus on identifying vulnerabilities with the greatest potential impact in order to maximise harm reduction. Additionally, four of the top five Common Weakness Enumerations (CWEs) in the dataset are also in the top five of MITRE’s 2022 CWE Top 25 Most Dangerous Software Weaknesses, which can be relatively simple to exploit and enable adversaries to disrupt system availability and service delivery.
  • Attack vector: 63% of vulnerabilities are remotely exploitable over the network, meaning a threat actor does not require local, adjacent, or physical access to the affected device in order to exploit the vulnerability.
  • Impacts: The potential impact is unauthorised remote code or command execution (prevalent in 54% of vulnerabilities), followed by denial-of-service conditions (crash, exit, or restart) at 43%.
  • Mitigations: The top mitigation step is network segmentation (recommended in 29% of vulnerability disclosures), followed by secure remote access (26%) and ransomware, phishing, and spam protection (22%).
  • Team82 contributions: Team82 has maintained a prolific, years-long leadership position in OT vulnerability research with 65 vulnerability disclosures in 2H 2022, 30 of which were assessed a CVSS v3 score of 9.5 or higher, and over 400 vulnerabilities to date.

To access Team82’s complete set of findings, in-depth analysis, and recommended security measures in response to vulnerability trends, download the full State of XIoT Security Report: 2H 2022 report.

Comment on this article below or via Twitter: @IoTNow_OR @jcIoTnow

RECENT ARTICLES
woman holding her finger balance with coins

Quantinuum raises US$300m in equity funding

Posted on: April 18, 2024

Honeywell has announced the closing of a US$300 million equity fundraise for Quantinuum at a pre-money valuation of US$5bn. The round is anchored by Quantinuum’s partner JPMorgan Chase, with additional participation from Mitsui, Amgen and Honeywell, which remains the company’s majority shareholder. This investment brings the total capital raised by Quantinuum since inception to approximately

Read more
close up man using smart touch screen server

ITRI and Arm launch new SystemReady Lab in Taipei to boost AIoT industry

Posted on: April 18, 2024

ITRI has established the ITRI・Arm SystemReady Lab in Taipei, in partnership with Arm. This certification centre is the fourth of its kind globally, following the ones in the United States, Europe and India. The lab combines ITRI’s R&D strengths with the Arm SystemReady compliance programme to deliver comprehensive certification services for the AIoT industry. This

Read more
FEATURED IoT STORIES
What is IoT answer

What is IoT? A Beginner’s Guide

Posted on: April 5, 2023

What is IoT? IoT, or the Internet of Things, refers to the connection of everyday objects, or “things,” to the internet, allowing them to collect, transmit, and share data. This interconnected network of devices transforms previously “dumb” objects, such as toasters or security cameras, into smart devices that can interact with each other and their

Read more
iot adoption

The IoT Adoption Boom – Everything You Need to Know

Posted on: September 28, 2022

In an age when we seem to go through technology boom after technology boom, it’s hard to imagine one sticking out. However, IoT adoption, or the Internet of Things adoption, is leading the charge to dominate the next decade’s discussion around business IT. Below, we’ll discuss the current boom, what’s driving it, where it’s going,

Read more

9 IoT applications that will change everything

Posted on: September 1, 2021

Whether you are a future-minded CEO, tech-driven CEO or IT leader, you’ve come across the term IoT before. It’s often used alongside superlatives regarding how it will revolutionize the way you work, play, and live. But is it just another buzzword, or is it the as-promised technological holy grail? The truth is that Internet of

Read more
IoT Now Enterprise Buyers’ Guide Which IoT Platform 2021

Which IoT Platform 2021? IoT Now Enterprise Buyers’ Guide

Posted on: August 30, 2021

There are several different parts in a complete IoT solution, all of which must work together to get the result needed, write IoT Now Enterprise Buyers’ Guide – Which IoT Platform 2021? authors Robin Duke-Woolley, the CEO and Bill Ingle, a senior analyst, at Beecham Research. Figure 1 shows these parts and, although not all

Read more
CAT-M1 vs NB-IoT

CAT-M1 vs NB-IoT – examining the real differences

Posted on: June 21, 2021

As industry players look to provide the next generation of IoT connectivity, two different standards have emerged under release 13 of 3GPP – CAT-M1 and NB-IoT.

Read more
internet of things isometric illustration of connected things

IoT and home automation: What does the future hold?

Posted on: June 10, 2020

Once a dream, home automation using iot is slowly but steadily becoming a part of daily lives around the world. In fact, it is believed that the global market for smart home automation will reach $40 billion by 2020.

Read more
iot challenges and issues

5 challenges still facing the Internet of Things

Posted on: June 3, 2020

The Internet of Things (IoT) has quickly become a huge part of how people live, communicate and do business. All around the world, web-enabled devices are turning our world into a more switched-on place to live.

Read more