Team82 presents its sixth biannual State of XIoT Security Report, covering published vulnerabilities affecting cyber-physical systems in the 2H 2022. This report is an analysis of the XIoT vulnerability landscape for security leaders, analysts, and engineers looking to prioritize mitigation and response activities. We hope you find it useful. Download the report, share it with your peers.
In this edition of the State of XIoT Security Report, 2H 2022, you’ll see evidence that vendors are embracing the need to secure cyber-physical systems, and dedicating time, people, and money to not only patching software and firmware vulnerabilities, but also product security teams overall.
For the second consecutive report, the number of vulnerabilities affecting the Extended Internet of Things (XIoT) has dropped. After hitting a peak during the second half of 2021, we’re seeing published vulnerabilities dipping while in parallel, the number of disclosures attributed to internal research and product security teams continue to climb.
In the 2H 2022, a record number of 485 published operational technology (OT) vulnerabilities filled our dataset, while the number of published internet of things (IoT) and internet of medical things (IoMT) vulnerabilities dropped from previous reports.
487 published vulnerabilities in the 2H of 2022 were either assessed a critical or high-severity CVSS v3 score.
Exploitable vulnerabilities in our dataset could lead to a number of serious impacts, affecting the availability, reliability, and safety of connected cyber-physical systems. The top three impacts include: unauthorized code execution, denial of service, and bypasses of security mechanisms.
We see a continuing trend of a large majority of those security issues uncovered at Level 3 of the Purdue Model for ICS, the operations management level. At this level of the Purdue reference model we find devices that manage production workflows, including devices such as Historian servers and databases that collect and store process information and relay it to field devices at Levels 2 and 1, as well as the DMZ.
In the 2H of 2022, we’ve reverted back our previous trends to a significant number of software vulnerabilities dominating our dataset. In the past, researchers and vendors have cited challenges in researching and remediating firmware vulnerabilities; software updates are often prioritized over firmware updates given the comparative ease to test and distribute software patches.
The good news is that the number of published OT vulnerabilities with partial or no remediation is dwarfed in the 2H 2022 by the availability of full remediations via software patches or firmware updates.
The number of published XIoT vulnerabilities in 2H 2022
The percentage of published OT vulnerabilities in our dataset
Average number of monthly published vulnerabilities in 2H 2022
Please complete the form to view the report.