Report: ICS vulnerability disclosures grew 110% over last four years

March 2, 2022
34% of vulnerabilities affect IoT, IT, and medical devices, highlighting need to extend ICS security to the XIoT.

Industrial control system (ICS) vulnerability disclosures grew a staggering 110% over the last four years, with a 25% increase in the second half of 2021 compared to the previous six months, according to new research released today by Claroty. The fourth Biannual ICS Risk & Vulnerability Report also found that ICS vulnerabilities are expanding beyond operational technology (OT) to the Extended Internet of Things (XIoT), with 34% affecting IoT, IoMT, and IT assets in late 2021.

The report presents a comprehensive analysis of ICS vulnerability data from Team82, Claroty’s  research team, along with trusted open sources, including the National Vulnerability Database (NVD), the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), CERT@VDE, MITRE, and industrial automation vendors Schneider Electric and Siemens.

“As more cyber-physical systems become connected, accessibility to these networks from the internet and the cloud requires defenders to have timely, useful vulnerability information to inform risk decisions,” said Amir Preminger, vice president of research at Claroty. “The increase in digital transformation, combined with converged ICS and IT infrastructure, enables researchers to expand their work beyond OT to the XIoT. High-profile cyber incidents in 2H 2021, such as the Tardigrade malware, the Log4j vulnerability and the ransomware attack on NEW Cooperative, show the fragility of these networks, stressing the need for security research community collaboration to discover and disclose new vulnerabilities.”

Key findings

  • ICS vulnerability disclosures grew 110% over the last four years, demonstrating heightened awareness of this issue and the growing involvement of security researchers shifting toward OT environments. 797 vulnerabilities were published in 2H 2021, representing a 25% increase from 637 in 1H 2021.
  • 34% of vulnerabilities disclosed affect IoT, IoMT, and IT assets, showing that organizations will merge OT, IT, and IoT under converged security management. Therefore, asset owners and operators must have a thorough snapshot of their environments in order to manage vulnerabilities and reduce their exposure.
  • 50% of the vulnerabilities were disclosed by third-party companies and a majority of these were discovered by researchers at cybersecurity companies, shifting their focus to include ICS alongside IT and IoT security research. In addition, 55 new researchers reported vulnerabilities during 2H 2021.
  • Vulnerabilities disclosed by internal vendor research grew 76% over the last four years. This demonstrates a maturing industry and discipline around vulnerability research, as vendors are allocating more resources to the security of their products. 
  • 87% of vulnerabilities are low complexity, meaning they don’t require special conditions and an attacker can expect repeatable success every time. 70% don’t require special privileges before successfully exploiting a vulnerability, and 64% of vulnerabilities require no user interaction.
  • 63% of the vulnerabilities disclosed may be exploited remotely through a network attack vector, indicating that the need for secure remote access solutions, which accelerated due to the COVID-19 pandemic, is here to stay. 
  • The leading potential impact is remote code execution (prevalent in 53% of vulnerabilities), followed by denial-of-service conditions (42%), bypassing protection mechanisms (37%), and allowing the adversary to read application data (33%).
  •  The top mitigation step is network segmentation (recommended in 21% of vulnerability disclosures), followed by ransomware, phishing and spam protection (15%) and traffic restriction (13%).