One biannual study estimates an 80% increase in reported vulnerabilities in the last half of 2022 in certain sectors.
Using an automated collection and analysis tool that ingests vulnerability data from trusted open sources, including the National Vulnerability Database (NVD), the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), CERT@VDE, MITRE, and industrial automation vendors Schneider Electric and Siemens, one cybersecurity firm has released its analyses of connected cyber-physical system risks disclosed during H2 2022 in industrial, healthcare and commercial products. The conclusion is that disclosed vulnerabilities in H2 declined by 14% since hitting a peak during similar 2H 2021 vulnerability disclosure analyses. In that same period, vulnerabilities found by internal research and product security teams increased by 80%.
Other key findings include the following aspects:
- 62% of published OT vulnerabilities affected devices at Level 3 of the Purdue Model for ICS. These devices manage production workflows and can be key crossover points between IT and OT networks, and could attract threat actors aiming to disrupt industrial operations.
- 71% of vulnerabilities disclosed were assessed as a CVSS v3 score of “critical” (9.0–10) or “high” (7.0–8.9), reflecting security researchers’ tendency to focus on identifying vulnerabilities with the greatest potential impact in order to maximize harm reduction. Additionally, four of the top five Common Weakness Enumerations (CWE) in the dataset were also in the top five of MITRE’s CWE 2022 Top 25 Most Dangerous Software Weaknesses.
- 63% of vulnerabilities disclosed were remotely exploitable over the network, meaning a threat actor did not require local, adjacent, or physical access to the affected device in order to exploit the vulnerability.
- 54% of disclosed vulnerabilities were unauthorized remote code or command execution; 43% were denial-of-service conditions (crash, exit, or restart).
- 29% of vulnerability disclosures involved network segmentation as mitigation recommendations, followed by secure remote access (26%) and ransomware, phishing, and spam protection (22%).
According to Amir Preminger, VP of Research, Claroty, which produced the biannual report: “Cyber-physical systems power our way of life. The water we drink, the energy that heats our homes, the medical care we receive — all of these rely on computer code and have a direct link to real-world outcomes,” adding that he was heartened at the steady increase in vulnerability disclosures in IoT systems included in the analyses.