Disclosures of vulnerabilities in industrial control systems have spiked 110 per cent over the past four years, according to new research from Claroty.
New findings from cyber security company Claroty’s Biannual ICS Risk & Vulnerability Report have revealed industrial control system (ICS) vulnerability reports more than doubled over the last four years, growing 25 per cent in the second half of 2021 alone when compared to the previous corresponding period.
The research also found that ICS vulnerabilities are expanding beyond operational technology (OT) to the Extended internet of things (XIoT), with 34 per cent of reports relating to IoT, IoMT and IT assets in 2H 2021.
Other key findings include:
- Fifty per cent of the vulnerabilities were disclosed by third-party companies, with majority of these discovered by researchers at cyber security companies.
- Vulnerabilities disclosed by internal vendor research grew 76 per cent over the last four years.
- Eighty-seven per cent of vulnerabilities are low complexity, not requiring special conditions.
- Sixty-three per cent of the vulnerabilities disclosed may be exploited remotely through a network attack vector.
The findings were drawn from data collected by Claroty’s Team82, as well as trusted open sources, including the National Vulnerability Database (NVD), the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), CERT@VDE, MITRE, and industrial automation vendors Schneider Electric and Siemens.
“As more cyber-physical systems become connected, accessibility to these networks from the internet and the cloud requires defenders to have timely, useful vulnerability information to inform risk decisions,” Amir Preminger, vice-president of research at Claroty said.