By Chen Fradkin, security researcher at Claroty
Today’s cyber-physical systems are directly linked to outcomes in the physical world, and despite the advances in technology that enable new efficiencies to these services, cybersecurity continues to lag.
Embracing an understanding of vulnerabilities being discovered and fixing them within industrial, healthcare, and commercial environments continues to be crucial, as IoT-vulnerability disclosures rose by 57% in the first half of 2022 compared to the previous six months. That’s according to Claroty’s recent State of XIoT Security Report, which highlights vulnerabilities, sheds light on the key trends, and recommends courses of action.
The percentage of vulnerabilities disclosed in connected, embedded IoT devices grew 15%, per our study. This is a significant increase from the previous report, in which IoT was behind 9% of all vulnerabilities. These numbers are significant, indicating that end-user organizations are leaning toward patching these vulnerabilities with an interest in staying ahead of publicly available exploits.
During 1H 2022, 747 XIoT vulnerabilities were published, affecting 86 vendors across industrial, healthcare and commercial technology vendors. On average, there are 125 vulnerabilities a month that are being published and addressed across sectors making up the XIoT. Within the report, 44 vulnerabilities affecting 11 vendors were uncovered, bringing its total number of disclosed vulnerabilities to 335, with the vast majority of XIoT vulnerabilities having CVSS scores that are either critical (19%) or of high severity (46%).
This is significant growth from earlier this year, where 233 firmware flaws were fully remediated by vendors, and another 69 where partial remediation was provided.
XIoT vulnerabilities are growing, and the need for secure critical infrastructure systems has never been greater. Securing these vulnerabilities requires decision-makers to have a complete snapshot of the XIoT landscape and prioritize mission-critical systems to mitigate threats before they impact public safety.