Vulnerabilities across industrial control systems (ICS) rose by 25 percent in the second half of 2021 and overall by 110 percent over the last four years, according to a new report.
Claroty’s fourth Biannual ICS Risk & Vulnerability Report also found that ICS vulnerabilities are expanding beyond operational technology (OT) to the Extended Internet of Things (XIoT), with 34 percent affecting IoT, industrial healthcare (IoMT), and enterprise IT assets in 2H 2021, the security provider said.
As industrial control systems are increasingly connected to the internet, hackers can infiltrate the systems with potentially devastating consequences. Managed security service providers focused on ICS security should take note of the skyrocketing number of ICS vulnerabilities to stay abreast of essential patch management.
Eight key findings from the study:
- 797 vulnerabilities were published in 2H 2021, representing a 25% increase from 637 in 1H 2021.
- 34% of vulnerabilities disclosed affect IoT, IoMT, and IT assets, showing that organizations will merge OT, IT, and IoT under converged security management.
- Asset owners and operators must have a thorough snapshot of their environments in order to manage vulnerabilities and reduce their exposure.
- 50% of the vulnerabilities were disclosed by third-party companies, a majority of which were found by in-house researchers. Vulnerabilities disclosed by internal vendor research grew 76% over the last four years.
- 87% of vulnerabilities are low complexity, meaning they require no special conditions and an attacker can expect repeatable success every time. 70% require no special privileges to exploit successfully, and 64% require no user interaction.
- 63% of the vulnerabilities disclosed may be exploited remotely through a network attack vector.
- The leading potential impact is remote code execution (prevalent in 53% of vulnerabilities), followed by denial-of-service conditions (42%), bypassing protection mechanisms (37%), and allowing the adversary to read application data (33%).
- The top mitigation step is network segmentation (recommended in 21% of vulnerability disclosures), followed by ransomware, phishing and spam protection (15%) and traffic restriction (13%).
“High-profile cyber incidents in 2H 2021 such as the Tardigrade malware, the Log4j vulnerability and the ransomware attack on NEW Cooperative show the fragility of these networks, stressing the need for security research community collaboration to discover and disclose new vulnerabilities,” said Amir Preminger, vice president of research at Claroty.
Meanwhile, the Department of Homeland Security’s cyber wing would have more responsibility to protect industrial control systems (ICS) from cyberattacks, should a bill that has passed the House but not yet the Senate be signed into law. The bipartisan DHS Industrial Control Systems Enhancement Act would give the Cybersecurity and Infrastructure Security Agency (CISA) the responsibility to maintain capabilities to identify threats to industrial control systems.
Here’s what the bill calls on CISA to do:
- Lead federal government efforts to identify and mitigate cybersecurity threats made to ICS.
- Maintain threat hunting and incident response capabilities to respond to ICS cybersecurity risks and incidents.
- Provide cybersecurity technical assistance to industry end users, product manufacturers, other federal agencies, and other ICS stakeholders.
- Collect, coordinate, and provide vulnerability information to the ICS community.
- Brief Congress on its ICS capabilities starting six months after the bill is enacted and then every six months for four years.