NEW YORK, Feb. 14, 2023 /PRNewswire/ — Cyber-physical system vulnerabilities disclosed in the second half (2H) of 2022 have declined by 14% since hitting a peak during 2H 2021, while vulnerabilities found by internal research and product security teams have increased by 80% over the same time period, according to the State of XIoT Security Report: 2H 2022 released today by Claroty, the cyber-physical systems protection company.

These findings indicate that security researchers are having a positive impact on strengthening the security of the Extended Internet of Things (XIoT), a vast network of cyber-physical systems across industrial, healthcare, and commercial environments, and that XIoT vendors are dedicating more resources to examining the security and safety of their products than ever before.

Compiled by Team82, Claroty’s award-winning research team, the sixth biannual State of XIoT Security Report is a deep examination and analysis of vulnerabilities impacting the XIoT, including operational technology and industrial control systems (OT/ICS), Internet of Medical Things (IoMT), building management systems, and enterprise IoT. The data set comprises vulnerabilities publicly disclosed in 2H 2022 by Team82 and from trusted open sources including the National Vulnerability Database (NVD), the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), [email protected], MITRE, and industrial automation vendors Schneider Electric and Siemens.

“Cyber-physical systems power our way of life. The water we drink, the energy that heats our homes, the medical care we receive – all of these rely on computer code and have a direct link to real-world outcomes,” said Amir Preminger, VP research at Claroty. “The purpose of Team82’s research and compiling this report is to give decision makers in these critical sectors the information they need to properly assess, prioritize, and address risks to their connected environments, so it is very heartening that we are beginning to see the fruits of vendors’ and researchers’ labor in the steadily growing number of disclosures sourced by internal teams. This shows that vendors are embracing the need to secure cyber-physical systems by dedicating time, people, and money to not only patching software and firmware vulnerabilities, but also to product security teams overall.”

Key Findings

- Affected Devices: 62% of published OT vulnerabilities affect devices at Level 3 of the Purdue Model for ICS. These devices manage production workflows and can be key crossover points between IT and OT networks, thus very attractive to threat actors aiming to disrupt industrial operations.
- Severity: 71% of vulnerabilities were assessed a CVSS v3 score of “critical” (9.0-10) or “high” (7.0-8.9), reflecting security researchers’ tendency to focus on identifying vulnerabilities with the greatest potential impact in order to maximize harm reduction. Additionally, four of the top five Common Weakness Enumerations (CWEs) in the dataset are also in the top five of MITRE’s 2022 CWE Top 25 Most Dangerous Software Weaknesses, which can be relatively simple to exploit and enable adversaries to disrupt system availability and service delivery.
- Attack Vector: 63% of vulnerabilities are remotely exploitable over the network, meaning a threat actor does not require local, adjacent, or physical access to the affected device in order to exploit the vulnerability.
- Impacts: The leading potential impact is unauthorized remote code or command execution (prevalent in 54% of vulnerabilities), followed by denial-of-service conditions (crash, exit, or restart) at 43%.
- Mitigations: The top mitigation step is network segmentation (recommended in 29% of vulnerability disclosures), followed by secure remote access (26%) and ransomware, phishing, and spam protection (22%).
- Team82 Contributions: Team82 has maintained a prolific, years-long leadership position in OT vulnerability research with 65 vulnerability disclosures in 2H 2022, 30 of which were assessed a CVSS v3 score of 9.5 or higher, and over 400 vulnerabilities to date.

To access Team82’s complete set of findings, in-depth analysis, and recommended security measures in response to vulnerability trends, download the full State of XIoT Security Report: 2H 2022 report.