Claroty’s State of XIoT Security Report: 2H 2022 found that the number of cyber-physical system vulnerabilities disclosed in the second half of 2022 dropped by 14%, while the number discovered by vendors’ internal research and product security teams jumped by 80% over the same period.
The data suggest that security researchers are helping to strengthen XIoT security, and that XIoT vendors are investing more resources in checking the security and safety of their products.
Some key findings of the report include the following:
- 62% of published OT vulnerabilities affect devices that manage production workflows and serve as key crossover points between IT and OT networks
- 71% of vulnerabilities were found to have a CVSS v3 score of “critical” (9.0-10) or “high” (7.0-8.9), reflecting researchers’ tendency to focus on the vulnerabilities with the greatest potential impact, for maximum harm reduction
- 63% of vulnerabilities are remotely exploitable over the network, meaning threat actors do not need local, adjacent or physical access to the affected device
- The top potential impacts are unauthorised remote code or command execution (seen in 54% of vulnerabilities) and denial-of-service conditions (crash, exit or restart; 43%)
- The top mitigation steps are network segmentation (29%), secure remote access (26%), and ransomware, phishing and spam protection (22%)
- Claroty’s research team, Team82, found 65 vulnerability disclosures in 2H 2022, 30 of which were given a CVSS v3 score of 9.5 or higher
Claroty VP of Research Amir Preminger said: “The purpose of Team82’s research and compiling this report is to give decision-makers in these critical sectors the information they need to properly assess, prioritise, and address risks to their connected environments, so it is very heartening that we are beginning to see the fruits of vendors’ and researchers’ labor in the steadily growing number of disclosures sourced by internal teams.”
“This shows that vendors are embracing the need to secure cyber-physical systems by dedicating time, people, and money to not only patching software and firmware vulnerabilities but also to product security teams overall,” he continued.