Report
Team82’s Analysis of Vulnerability Disclosures and Remediations Affecting the Extended Internet of Things.
Team82 has revamped its biannual report to embrace an understanding of the vulnerabilities being disclosed and fixed within the Extended Internet of Things (XIoT). XIoT is the umbrella term for connected cyber-physical devices within industrial, healthcare, and commercial enterprise IoT environments.
This report is a reflection of the need to secure the cyber-physical systems that enable our ability to innovate and sustain our lives. We hope the State of XIoT Security report is a useful resource for you.
While published operational technology vulnerabilities dominate Team82’s dataset for the 1H 2022, it’s important to note that the percentage of IoT vulnerabilities has almost doubled since our last report, especially impacting connected smart devices, routers and other networking gear, and cameras—all of which if compromised may afford an attacker deeper access to the enterprise network.
The vast majority of published XIoT vulnerabilities in the 1H 2022 were either critical or high severity.
Of those critical and high-severity vulnerabilities, many affect the availability of XIoT devices and enable code execution or denial-of-service attacks.
Updating firmware presents challenges, yet with the rise in connected devices across industries, Team82’s dataset shows a spike in published firmware vulnerabilities, and marked improvement in remediations. More companies understand the need to secure connected OT, IoT, and IoMT devices, and firmware fixes are a big step forward.
Here you can see that for the 1H 2022, the number of published firmware vulnerabilities is almost on par with software vulnerabilities, a significant reversal from the 2H 2021 report when there was an almost 2-to-1 disparity between software and firmware vulnerabilities.
Vulnerabilities in connected IoT devices—largely firmware issues—trail only Operations Management and Basic Control devices. Vulnerabilities in these products, which include Historian and OPC servers, as well as field devices, for example, are predominantly software-based.
For the first time, vendor self-disclosures have surpassed independent research groups and are now the second most prolific vulnerability reporters, trailing only third-party companies. This indicates more maturity among vendors in developing product safety and security organizations and diligence in reporting and fixing vulnerabilities.
Team82’s 1H 2022 dataset indicates that vendors provided full or partial remediation for 91% of published vulnerabilities.
Breaking that down by software and firmware vulnerabilities, you can see the gains made in firmware fixes for the first half of the year compared to our last report.
When a software patch or firmware update isn’t immediately available, basic security practices should be adhered to in order to blunt the impact of vulnerabilities. Here are the top mitigation steps from Team82’s 1H 2022 dataset.
The number of XIoT vulnerabilities disclosed by Team82
The number of published XIoT vulnerabilities disclosed industry-wide
The number of affected XIoT vendors.
Please complete the form to view the Report.
