Nearly two-thirds of XIoT vulnerabilities remotely exploitable

From a security perspective, I think we're in for a disaster – I've had Claroty's State of XIoT Security Report: 2H 2022 for a few days now. It does show the positive impact of increased vulnerability research and increased vendor investment in XIoT security. But the message is also that the number of vulnerabilities discovered has increased by 80%. Many XIoT vulnerabilities are also remotely exploitable.


The sixth semi-annual State of XIoT Security Report was compiled by Team82 (led by Bar Ofner, security researcher at Claroty), and provides an in-depth examination and analysis of vulnerabilities impacting the XIoT, including operational technology and industrial control systems (OT/ICS), the Internet of Medical Things (IoMT), building management systems, and enterprise IoT.

The report covers vulnerabilities published in the second half of 2022 by Team82 and from trusted open sources such as the National Vulnerability Database (NVD), the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), CERT@VDE, MITRE and industrial automation manufacturers Schneider Electric and Siemens.

"Cyber-physical systems rule our lives: The water we drink, the energy that heats our homes, the medical care we receive – all of these are based on computer code and have a direct impact on the real world," explains Amir Preminger, VP Research at Claroty. "The purpose of Team82's research and the creation of this report is to provide decision makers in these critical sectors with the information they need to properly assess, prioritize and address risks to their networked environments. That's why it's very encouraging to see the fruits of vendors' and researchers' labor in the ever-growing number of disclosures coming from internal teams. This shows that vendors are becoming more aware of the need to protect cyber-physical systems. They are not only investing time, personnel and money in fixing software and firmware vulnerabilities, but also in overall product security teams."

Key findings

  • Affected devices: 62 percent of the published OT vulnerabilities affect level 3 devices of the Purdue model for industrial control systems. These devices control production processes, represent important interfaces between IT and OT networks, and are therefore very attractive to attackers.
  • Severity: 71 percent of vulnerabilities were assigned a CVSS v3 score of "critical" (9.0-10) or "high" (7.0-8.9). This reflects the tendency of security researchers to focus on identifying vulnerabilities with the greatest potential impact to maximize mitigation. In addition, four of the five most significant vulnerabilities in the report are also in the top five of MITRE's 25 Most Dangerous Software Vulnerabilities 2022, which are relatively easy to exploit and allow attackers to disrupt system availability and service delivery.
  • Attack vector: 63 percent of vulnerabilities can be exploited remotely, meaning an attacker does not need local, adjacent or physical access to the affected device to exploit the vulnerability.
  • Impact: The biggest potential impact is unauthorized remote code or command execution (for 54 percent of vulnerabilities), followed by denial of service (crash, quit or reboot) at 43 percent.
  • Remediation: The top remediation measure is network segmentation (recommended in 29% of vulnerability reports), followed by secure remote access (26%) and protection against ransomware, phishing and spam (22%).
  • Team82: Reported 65 vulnerabilities in the second half of 2022, 30 of which were rated with a CVSS v3 score of 9.5 or higher. To date, over 400 vulnerabilities have been reported by Claroty's research department.

Full results, in-depth analysis, and additional measures to protect against unauthorized access and risk can be found in Claroty's semi-annual State of XIoT Security Report: 2H 2022.

