
25 August, 2022

IoT vulnerabilities are growing significantly: Claroty

Source: Claroty executive summary, State of XIoT Security Report: 1H 2022. Chart mapping the outcomes of exploiting the 10 most common XIoT vulnerabilities.

Vulnerability disclosures impacting Internet of Things (IoT) devices increased by 57% in 1H22 compared to the previous six months, according to new research* by Claroty, the cyberphysical systems protection company.

The State of XIoT Security Report: 1H 2022 also found that over the same period, vendor self-disclosures increased by 69%, with vendors becoming more prolific reporters than independent research outfits for the first time. Fully or partially remediated firmware vulnerabilities increased by 79%, a notable improvement given the relative challenges in patching firmware versus software vulnerabilities.

Compiled by Team82, Claroty’s research team, the report is a deep examination and analysis of vulnerabilities impacting the extended IoT (XIoT), a network of cyberphysical systems including operational technology and industrial control systems (OT/ICS), the Internet of Medical Things (IoMT), building management systems, and enterprise IoT.

“After decades of connecting things to the internet, cyberphysical systems are having a direct impact on our experiences in the real world, including the food we eat, the water we drink, the elevators we ride, and the medical care we receive,” said Amir Preminger, VP, research at Claroty. 

“We conducted this research to give decision makers within these critical sectors a complete snapshot of the XIoT vulnerability landscape, empowering them to properly assess, prioritise, and address risks to the mission-critical systems underpinning public safety, patient health, smart grids and utilities, and more.”

Report highlights include:

● IoT device vulnerabilities: 15% of vulnerabilities were found in IoT devices, a significant increase from 9% in Team82’s last report covering 2H21. Additionally, for the first time, the combination of IoT and IoMT vulnerabilities (18.2%) exceeded IT vulnerabilities (16.5%). This indicates enhanced efforts on the part of vendors and researchers to secure these connected devices as they can be a gateway to deeper network penetration.

● Vendor self-disclosures: For the first time, vendor self-disclosures (29%) surpassed independent research outfits (19%) as the second-most prolific vulnerability reporters, after third-party security companies (45%). The 214 published CVEs (a CVE being a way of describing and recording cybersecurity vulnerabilities) almost double the total of 127 in Team82’s 2H21 report. According to Claroty, this shows that more OT, IoT, and IoMT vendors are establishing vulnerability disclosure programmes and dedicating more resources to examining the security and safety of their products than ever before.

● Firmware: Published firmware vulnerabilities were nearly on par with software vulnerabilities (46% and 48% respectively), a change from the 2H21 report, when there was almost a 2:1 disparity between software (62%) and firmware (37%).

The report also revealed a significant increase in fully or partially-remediated firmware vulnerabilities (40% in 1H22, up from 21% in 2H21), which is notable given the relative challenges in patching firmware due to longer update cycles and infrequent maintenance windows. This indicates researchers’ growing interest in safeguarding devices at lower levels of the Purdue Model, which are more directly connected to the process itself and thus a more attractive target for attackers. The Purdue Model is a reference model for the security of industrial control systems.

● Volume and criticality: On average, XIoT vulnerabilities are being published and addressed at a rate of 125 per month, reaching a total of 747 in 1H22. The vast majority have CVSS scores of either critical (19%) or high severity (46%). The Common Vulnerability Scoring System or CVSS is a framework that describes software vulnerabilities and ranks their severity.

● Impacts: Nearly three-quarters (71%) have a high impact on system and device availability, the impact metric most applicable to XIoT devices. The leading potential impact is unauthorised remote code or command execution (prevalent in 54% of vulnerabilities), followed by denial-of-service conditions (crash, exit, or restart) at 43%.

● Mitigations: The top mitigation step is network segmentation (recommended in 45% of vulnerability disclosures), followed by secure remote access (38%), then ransomware, phishing, and spam protection (15%).

Explore

Download the State of XIoT Security Report: 1H 2022.

Visit the Team82 Slack channel for additional discussion and insight into the report.

*The data set comprises vulnerabilities discovered by Team82 and from trusted open sources including the National Vulnerability Database (NVD), the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), CERT@VDE, MITRE, and industrial automation vendors Schneider Electric and Siemens.
