Claroty Reports 57% Increase in Disclosed XIoT Vulnerabilities in 1H, 2022

There was a 57% increase in reported vulnerabilities affecting extended Internet of things (XIoT) devices in the first half of 2022, compared to the last half of 2021, according to the recently published State of XIoT Security: 1H, 2022 report from cybersecurity firm Claroty. XIoT is an umbrella term that covers connected cyber-physical devices within industrial, healthcare, and commercial enterprise IoT environments.

Data collected by Claroty’s Team82 researchers shows a 69% increase in self-disclosures by vendors of XIoT devices, which is atypical since most vulnerabilities in XIoT devices are usually discovered and reported by independent security researchers. This suggests that manufacturers of XIoT devices are establishing their own vulnerability disclosure programs and investing more resources in them. In 2H 2021, software vulnerabilities outnumbered firmware vulnerabilities by almost 2-1, but there was near parity in 1H 2022, with only 2 percentage points separating the two.

Claroty reports that there has been a 79% increase in vulnerabilities that have been either fully or partially remediated compared to 2H, 2021. In 1H, 2022, 40% of the vulnerabilities were fully or partially remediated, compared to 21% in 2H, 2021. This is a marked improvement, especially considering the challenges associated with updating firmware. Data for 1H 2022 indicates there has been full or partial remediation of 91% of all published vulnerabilities, with 71% of published vulnerabilities fully remediated.

When vulnerabilities are not fully remediated or patches have yet to be released, steps should be taken to reduce the potential for exploitation. The top mitigation steps are network segmentation, secure remote access, ransomware/phishing and spam protection, traffic restriction, user and role policies, and threat detection techniques.

In addition to the 44 vulnerabilities discovered by the Team82 researchers in 1H, 2022, Claroty included data from the National Vulnerability Database (NVD), Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), MITRE, and vendors Schneider Electric and Siemens, both of which are major industrial automation vendors. The majority of the published XIoT vulnerabilities were rated either critical (18.61%) or high severity (46.05%), allowing remote code execution and denial-of-service attacks. In total, 400 vulnerabilities allow code or commands to be executed, 321 allow denial of service, 272 allow protection mechanisms to be bypassed, 270 allow application data to be read, 235 allow memory to be modified, and 214 allow resource consumption.

Claroty notes that operational technology (OT) vulnerabilities account for 65.33% of the dataset for 1H, 2022, with IoT-only vulnerabilities accounting for just 15.13%, but since the last biannual report was published, the number of IoT-only vulnerabilities has doubled. IoT vulnerabilities affecting connected smart devices, routers and other networking equipment, and cameras saw the biggest increases. These IoT devices are commonly used by enterprises, and if the vulnerabilities are exploited, they could potentially allow malicious actors to gain access to enterprise networks.

“After decades of connecting things to the internet, cyber-physical systems are having a direct impact on our experiences in the real world, including the food we eat, the water we drink, the elevators we ride, and the medical care we receive,” said Amir Preminger, VP of Research at Claroty. “We conducted this research to give decision makers within these critical sectors a complete snapshot of the XIoT vulnerability landscape, empowering them to properly assess, prioritize, and address risks to the mission-critical systems underpinning public safety, patient health, smart grids and utilities, and more.”

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news