Claroty Named a Strong Performer in The Forrester Wave™: Operational Technology Security Solutions, Q2 2024
Download the Report
Claroty Toggle Search


Biannual ICS Risk & Vulnerability Report: 2H 2021

The industry’s foremost snapshot of vulnerabilities disclosed in automation products and OT networks.

View the Report

This is Team82’s fourth Biannual ICS Risk & Vulnerability Report, and since 2020, we’ve made it clear that vulnerabilities in automation products are as prevalent as they are elsewhere in the tech stack.

The number of vulnerabilities being disclosed, and the growing population of researchers looking for exploitable flaws in ICS and OT products has been on an upward trajectory for some time. What’s important now is to reinforce the importance of patching and mitigating vulnerabilities, how the industry is maturing to blunt the impact of software and firmware issues, and what you as decision-makers need to do to address this risk within the industrial enterprise.

This report is a reflection of those trends, and brings important context to the unique discipline of ICS vulnerability research and managing that risk. We hope it’s a useful resource for you.

What’s Inside

Team82 shares some of the top highlights from this edition of the Biannual ICS Risk & Vulnerability Report: 2H 2021

Interested in learning about Claroty's Cybersecurity Solutions?

Remediation Matters

Finding vulnerabilities is one thing; fixing them is quite another. Flaws in software are far less challenging to patch than in firmware, and this is reflected in Team82’s dataset for the 2H 2021 which shows three-quarters of fully remediated vulnerabilities are software based.

Of fully remediated vulnerabilities

are software based. Emphasizing that given the comparative ease in patching software over firmware, defenders have the ability to prioritize patching within their environments

Of partially or not remediated vulnerabilities

when exploited, could result in remote code execution or in denial-of-service

When You Can’t Patch, Mitigate

Not every ICS vulnerability can be immediately patched, as you’ll read in our report. It’s important to have foundational strategies in place to mitigate the effects of software and firmware vulnerabilities until a patch is available from a vendor. These are the top mitigation suggestions to counter threats over the network and even those targeting human frailty via social engineering.

Internal Vendor Research for the Win

Automation vendors such as Siemens AG, Schneider Electric, and Rockwell Automation, have mature internal product security teams who are finding and disclosing vulnerabilities at a sparkling rate, contributing to a safer ecosystem. Smaller vendors, meanwhile, are following their lead and Team82 has partnered with many to help improve not only their research efforts, but disclosure processes, and most importantly, testing remediations for efficacy.


In number of vulnerabilities disclosed through internal vendor research


In vulnerabilities disclosed

A Legacy Problem

OT and ICS products have extended shelf lives. Products that weren’t built for internet connectivity are coming online, and many of those are no longer supported by vendors. This is something security analysts, asset owners, and operators must track: Here’s a sample of vulnerability data affecting end-of-life products.

Of vulnerabilities affecting end-of-life

Are exploitable remotely via a network attack vector

Of vulnerabilities affecting end-of-life

Are found in Level 1 – Basic Control devices such as: PLCs, RTUs ets.

Of vulnerabilities affecting end-of-life

When successfully exploited could lead to code execution or denial-of-service

Product Families at Risk

Mapping some of Team82’s 2H 2021 vulnerability data against the Purdue Model and networking layers on the OSI model, you’ll notice the extensive exposure at the Operations Management and Supervisory Control levels. Attackers have an array of vulnerabilities exploitable over the network, requiring extra vigilance to defend against remote attacks. As for locally exploitable vulnerabilities, a large majority require user interaction for exploitation.

Of Operations Management disclosures via a local attack vector

Require user interaction for exploitation showing the importance of awareness and protection against social engineering tactics among workers with access to critical assets.

Users Not Required

Unauthenticated attackers, once they have a network foothold, can often move laterally—and quietly—on a network in order to steal data, launch ransomware, or access systems with privileged access. You can see here that an overwhelming majority of vulnerabilities require no action on the user’s part for exploitation.

Of vulnerabilities require no user interaction

meaning the attacker does not depend on the participation of a separate user or user-initiated process in order to exploit the vulnerability

Vulnerability Scoring

There are more independent researchers and maturing internal vulnerability research teams emerging than ever before looking into industrial control systems. Those who are looking at control systems and OT protocols are looking for the highest impact flaws; defenders must take CVSS scoring into consideration, but it cannot be the only determining factor as to the risk to one’s environment.

Of vulnerabilities are classified as high or critical

reflecting the broader tendency among ICS security researchers to focus on identifying vulnerabilities with the greatest potential impact in order to maximize harm reduction

3 Trends to Watch

Cloudy Forecast: Securing XIoT

Converged Extended IoT environments are moving to the cloud. How will you secure those connections?

A Fragile Supply Chain, and How SBOMs Help

Secure development and visibility into software and firmware components are game-changers.

A New Ransomware Front

Beware ransomware attacks as a cover for deeper intrusions against critical infrastructure

At a Glance


The number of vulnerabilities disclosed by Team82


The number of ICS vulnerabilities disclosed industry-wide


Percentage increase of vulnerabilities disclosed

View the Report

Please complete the form to view the Report.

LinkedIn Twitter YouTube Facebook