Biannual ICS Risk & Vulnerability Report Enforces Need for Prompt Remediation
By Chen Fradkin | Feb. 23, 2022
Four reports and two years have passed since the first Claroty Biannual ICS Risk & Vulnerability Report, and in that time we have established two constants: the number of vulnerabilities being disclosed continues to increase, and the growing population of researchers and product CIRT teams looking for exploitable flaws in ICS and OT products remains on an upward trajectory.
With those two trends all but certain to continue for the time being, it’s time to readjust the industry’s focus toward remediation and mitigation efforts. Finding and counting vulnerabilities has its place, but it’s meaningless to users without reliable processes for addressing the risk these vulnerabilities pose to the industrial enterprise.
Today, Claroty’s research arm Team82 releases its latest Biannual ICS Risk & Vulnerability Report, which provides decision-makers with a clear picture and understanding of the ICS and OT vulnerability landscape for the second half of 2021. While we cannot gloss over the 110% increase in the number of vulnerabilities disclosed during the latter half of last year (797 disclosed industry-wide), we believe it’s important to highlight which vulnerabilities are being fully remediated by affected vendors, show you the best mitigations available when patches or updates are not immediately available, and explain how vendors are maturing their internal security practices to catch and fix bugs before attackers exploit them.
Move Over OT; It’s All About Cyber-Physical Systems
The Extended Internet of Things (XIoT) is an umbrella term for connected cyber-physical systems, encompassing not only operational technology, but also connected medical devices, and other IoT systems within the enterprise. Many of these were not designed to be securely connected online, yet that’s not stopping the momentum of digital transformation within heavy industry, healthcare, and elsewhere.
Our dataset for this report demonstrates increased attention from vulnerability researchers to these sectors as well. Decision-makers needing justification for the prioritization of XIoT cybersecurity need look no further than the chart below, which illustrates that 34% of vulnerabilities disclosed in just the last six months of 2021 were found in software and firmware running within systems not designated as purely OT.
As more things connect online, defenders will have to prioritize security of devices beyond ICS.
Secure Software Development—Don’t Forget Firmware
Team82 has found more than 260 vulnerabilities since its inception, disclosing them in a coordinated fashion with affected vendors to great success. Finding and counting vulnerabilities is important, but only if it leads to a mature, safe ecosystem that is able to patch bugs, distribute fixes to users, and ensure those remediations are implemented in a timely manner.
Our dataset confirms that software remediations are much simpler to develop for ICS products than firmware updates, which have much longer development and implementation cycles. That trend is reflected in our data as well, which reveals that 74% of fully remediated vulnerabilities are software-based.
Team82’s dataset shows the disparity between fixes for software- and firmware-based vulnerabilities.
Vulnerability disclosures aren’t always accompanied by a software patch or firmware update; many times, for example, products are no longer supported by vendors, who instead urge users to upgrade equipment to current levels rather than supply further security updates. Couple this with an overwhelming number of legacy products still humming along supporting industrial processes worldwide, and companies’ windows of exposure can be extensive. Have a look at some data related to the 29 vulnerabilities disclosed in end-of-life products:
OT products have extended shelf lives, and decision-makers must understand how to mitigate vulnerabilities in end-of-life products.
In those cases where patches are not, or won’t be, available, affected vendors and industry groups such as ICS-CERT may recommend mitigations—many of which should be considered security best practices and fundamental security hygiene measures—to blunt the impact of software and firmware vulnerabilities until a fix is available. Here are the top mitigation options recommended by affected vendors and industry groups.
Network segmentation remains the top mitigation recommendation when patches or updates are unavailable.
Speaking of Affected Vendors
Here’s another sign of a maturing vulnerability research ecosystem: Team82 tracks the parties disclosing vulnerabilities, and third-party research organizations and independent researchers continue to report the most vulnerabilities to affected vendors. But we’re also seeing a growing number of vulnerabilities being found and publicly disclosed by vendors’ internal research teams, as shown below.
Note the growing number of OT and ICS vendors contributing to the vulnerability research community.
Team82, meanwhile, has partnered with many vendors on research initiatives, including leading automation vendors such as Siemens AG, Schneider Electric, and Rockwell Automation, all of which have mature internal product security teams that are vigilant about finding and fixing vulnerabilities in their products. Many smaller vendors are following that lead and realizing the importance of lessening their users’ exposure to exploit attempts.
We urge you to download the report and share it with your technical colleagues and internal decision-makers. This is the best snapshot you’ll find of the current XIoT vulnerability landscape, and an essential tool to help prioritize vulnerability remediation efforts and risk mitigation within your company.