Disclosures of vulnerabilities affecting IoT devices increased 57% in the first half of 2022 compared to the previous six months, according to a new study by cyber-physical systems protection firm Claroty.
The State of XIoT Security Report: 1H 2022 also found that over the same period, vendor self-disclosures increased by 69%, making vendors more prolific reporters than independent research organizations for the first time, and that fully or partially fixed firmware vulnerabilities increased by 79%, a notable improvement given the relative difficulty of patching firmware compared with software vulnerabilities.
Compiled by Team82, Claroty’s research team, the report is an in-depth investigation and analysis of vulnerabilities affecting the Enhanced Internet of Things (XIoT), a vast network of cyber-physical systems including operational technology and industrial control systems (OT/ICS), the Internet of Medical Things (IoMT), building management systems and enterprise IoT.
The dataset includes vulnerabilities discovered by Team82 and sourced from trusted open sources, including the National Vulnerability Database (NVD), the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), CERT@VDE, MITRE, and the industrial automation vendors Schneider Electric and Siemens.
“After decades of connecting things to the internet, cyber-physical systems are having a direct impact on our real-world experiences, including the food we eat, the water we drink, the elevators we ride, and the medical care we receive,” says Amir Preminger, vice president of research at Claroty.
“We conducted this research to give decision makers in these critical sectors a complete snapshot of the XIoT vulnerability landscape and empower them to properly assess, prioritize and address risks to the mission-critical systems underlying public safety, patient health, smart grids and utilities, and more.”
IoT devices: 15% of vulnerabilities were found in IoT devices, a significant increase from 9% in Team82’s last report, which covered the second half (2H) of 2021. Additionally, the combination of IoT and IoMT vulnerabilities (18.2%) surpassed IT vulnerabilities (16.5%) for the first time. This indicates an improved understanding on the part of vendors and researchers of the need to secure these connected devices, since they can be a gateway to deeper network penetration.
Vendor self-disclosure: For the first time, vendor self-reports (29%) have overtaken independent research institutes (19%) as the second most prolific source of vulnerability reports, after third-party security companies (45%). The 214 published CVEs almost double the total of 127 in Team82’s 2H 2021 report. This indicates that more OT, IoT and IoMT vendors are establishing vulnerability disclosure programs and that more resources than ever are dedicated to investigating their products to ensure they are secure.
Firmware: Published firmware vulnerabilities were almost on par with software vulnerabilities (46% and 48% respectively), a big jump from the 2H 2021 report, when there was almost a 2:1 disparity between software (62%) and firmware (37%). The report also showed a significant increase in fully or partially fixed firmware vulnerabilities (40% in 1H 2022 vs. 21% in 2H 2021), which is notable given the relative difficulty of patching firmware due to longer update cycles and infrequent maintenance windows. This indicates researchers’ growing interest in protecting devices at the lower levels of the Purdue model, which are more directly tied to the physical process itself and are therefore a more attractive target for attackers.
Volume and criticality: On average, XIoT vulnerabilities are published and fixed at a rate of 125 per month, reaching 747 in total in 1H 2022. The vast majority have CVSS scores of either critical (19%) or high (46%) severity.
Impact: Nearly three quarters (71%) have a high impact on system and device availability, the impact metric that best applies to XIoT devices. The most severe potential impact is unauthorized remote code or command execution (present in 54% of vulnerabilities), followed by denial-of-service conditions (crash, exit or reboot) at 43%.
Mitigations: The top line of defense is network segmentation (recommended in 45% of vulnerability disclosures), followed by secure remote access (38%) and protection against ransomware, phishing and spam (15%).