The amount of Industrial Control System (ICS) vulnerabilities in critical infrastructure sectors have been found to have increased by 110% over the last four years, according to a new report by Claroty.
The fourth Biannual ICS Risk - Vulnerability Report report also found that ICS vulnerabilities are expanding beyond operational technology (OT), into the Extended Internet of Things (XIoT), with 34% affecting IoT, IoMT, and IT assets.
Analysis of ICS vulnerability data was collated and gathered by Claroty research sector Team82 and was sourced in conjunction with the National Vulnerability Database (NVD), the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), CERT@VDE, MITRE, and industrial automation vendors Schneider Electric and Siemens.
There was a significant increase in ICS vulnerabilities during the second half (2H) of 2021, with a 25% increase from the previous six months.
50% of vulnerabilities reported in the four year period were disclosed by third-party companies, and a majority of these were discovered by researchers at cybersecurity companies. This saw them shift their focus to include ICS alongside IT and IoT security research.
Internal vendor research also played a pivotal role in the reporting process. Vulnerabilities disclosed by internal vendor research grew 76% during the period, and this highlighted the fact that vendors are significantly bolstering security protocols.
However, 87% of vulnerabilities were found to be low complexity meaning it was easier for hackers to gain access. In addition, 70% didn't require special privileges before successfully being exploited, and 64% of vulnerabilities required no user interaction at all.
“As more cyber-physical systems become connected, accessibility to these networks from the internet and the cloud requires defenders to have timely, useful vulnerability information to inform risk decisions,” says Claroty vice president of research Amir Preminger.
“The increase in digital transformation, combined with converged ICS and IT infrastructure, enables researchers to expand their work beyond operational technology (OT), to the Extended IoT (XIoT).
Preminger sites that a variety of key breaches and vulnerabilities during the 2021 period were responsible for some of the big changes in the industry.
“High-profile cyber incidents in 2H 2021 such as the Tardigrade malware, the Log4j vulnerability and the ransomware attack on NEW Cooperative show the fragility of these networks, stressing the need for security research community collaboration to discover and disclose new vulnerabilities,” he says.
When looking to prevent vulnerabilities, the top mitigation step was network segmentation (recommended in 21% of vulnerability disclosures), followed by ransomware, phishing and spam protection (15%) and traffic restriction (13%).