Claroty analyzes vulnerability disclosures, remediations impacting cyber-physical systems across XIoT environments

Industrial cybersecurity firm Claroty revealed on Wednesday a rise in IoT vulnerabilities, vendor self-disclosures, and fully or partially remediated firmware vulnerabilities. The firm analyzed vulnerability disclosures and remediations affecting Extended Internet of Things (XIoT) environments during the first six months of this year. It argues that to assess risk within these critical sectors, decision-makers need a complete snapshot of the vulnerability landscape in order to prioritize and mitigate (or remediate) flaws in mission-critical systems before they impact public safety, patient health, smart grids, and utilities.

In its ‘State of XIoT Security Report: 1H 2022,’ Claroty reported that the percentage of vulnerabilities disclosed in connected, embedded internet of things (IoT) devices stood at 15 percent, a sharp increase from Team82’s last report, which covered the second half of last year, when IoT accounted for nine percent of all vulnerabilities. However, the number of published vulnerabilities in Team82’s current XIoT dataset is relatively flat compared with its previous report, while the number of affected vendors rose slightly to 86. Team82 is Claroty’s research arm.

“After decades of connecting things to the internet, cyber-physical systems are having a direct impact on our experiences in the real world, including the food we eat, the water we drink, the elevators we ride, and the medical care we receive,” Amir Preminger, vice president of research at Claroty, said in a media statement. “We conducted this research to give decision makers within these critical sectors a complete snapshot of the XIoT vulnerability landscape, empowering them to properly assess, prioritize, and address risks to the mission-critical systems underpinning public safety, patient health, smart grids and utilities, and more.”

The New York-based company expanded the scope of its biannual report to embrace an understanding of the vulnerabilities being disclosed and fixed within the XIoT, the umbrella term for connected cyber-physical devices within industrial (industrial control systems and operational technology), healthcare (connected medical devices), and commercial environments (building management systems and enterprise IoT). The report serves as the company’s contextual analysis of cyber-physical security, covering vulnerability data and necessary context around these critical issues to assess risk and prioritize remediation.

“Commercial systems, including building automation systems and surveillance systems such as security cameras, alarms, and door locks, are increasingly being connected and managed online,” Claroty said in the report. “It’s crucial to understand that every enterprise, regardless of industry or core competence, has some measure of OT and IoT connected to its network. It’s here where cyber-physical systems that sustain our ability to innovate have a direct impact on our way of life. Vulnerability management of connected systems is paramount because any disruption may impact physical safety and security as well as our economic prosperity,” it added.

The report said that vulnerabilities in IoT devices have climbed since Team82’s previous report, trailing only operations management and basic control OT devices. “About 25% of disclosed vulnerabilities affect the Basic Control (Level 1) and Supervisory Control (Level 2) levels of the Purdue Model. Exploits at this level are often firmware-based and can allow an attacker to reach lower levels and affect the process itself, making them an attractive target.”

Given that patching over time is often not possible, especially for Level 1 device firmware, the report recommends investing in segmentation, remote access protection, and protection of the supervisory control level because of its links to the basic control level. “Vulnerabilities in connected medical devices, known as the internet of medical things (IoMT), meanwhile, have surfaced in Team82’s dataset, primarily among imaging systems and the protocols that support them, such as the DICOM communication standard,” it added.

Claroty also reported multiple flaws in clinical IoT devices such as medical carts, dispensing systems, and patient engagement applications published during the period, in addition to the security issues found in patient devices and clinical lab tools.

Security researchers, whether independent or vendor-based such as Team82, and vendors themselves are examining the security of connected devices closely, Claroty said. “IoT devices – including surveillance cameras, routers, smart-home equipment – generally cannot support strong security technology such as encryption, or still contain factory-default credentials that can be abused to draft these devices into botnets or gain deeper network access. These numbers are significant, and indicate that companies are leaning toward patching these vulnerabilities and an interest in staying ahead of publicly available exploits,” it added.

Claroty reported that 747 XIoT vulnerabilities were published during the period, affecting 86 vendors across industrial, healthcare, and commercial technology. The vast majority of XIoT vulnerabilities carry high CVSS scores: 19 percent are rated critical and 46 percent high severity. By sector, OT accounted for 65.33 percent of XIoT vulnerabilities, IT for 16.47 percent, IoT for 15.13 percent, and IoMT for 3.08 percent.

Team82 disclosed more than 40 OT, enterprise IoT, and medical device/protocol vulnerabilities affecting 16 technology vendors in the first six months of the year. “While automation vendors still dominate the vulnerability disclosures in Team82’s dataset, more enterprise IoT and vendors in the healthcare space emerged,” according to the report.

The vulnerability disclosures largely affect either software or firmware, with some cases in which a vulnerability affects several components that may impact both software and firmware. In the past, disclosures of software vulnerabilities have dwarfed firmware, indicating a prevalence of researchers examining software for bugs and the relative challenges in researching and patching firmware. Software updates, for example, are often prioritized over firmware, given the comparative ease of testing and distributing software patches. 

Team82 highlighted that Russia’s invasion of Ukraine on Feb. 24 ignited fears of cyberattacks accompanying the kinetic fighting in the streets and skies of Ukraine. Electric grids within Ukraine were perceived as targets, as were other critical cyber-physical systems integral to the way of life inside the war-torn country. Furthermore, in April, security vendor ESET reported that a variant of the 2016 Industroyer malware used by the Sandworm APT against portions of Ukraine’s power grid was deployed inside a Ukrainian electricity provider. The malware was contained before it was triggered, officials said. 

“The variant, named Industroyer2, was purpose-built to target industrial equipment communicating over IEC-104 (IEC 60870-5-104), in this case, power-system automation applications used in high voltage electrical substations,” the Claroty report said. “ESET and CERT-UA said the variant was built using the same source code as the original Industroyer, also known as CrashOverride. Industroyer2 is capable of communicating with multiple ICS devices simultaneously; an analysis exposed several configuration values including the ASDU address, IOA, timeouts, and more. The malware terminates legitimate processes and renames applications in order to prevent automatic restarts of the targeted processes. Its purpose was to disconnect power to people in the country served by this plant,” it added.

Claroty said that during the current period researchers identified something of a reversal of that trend: published firmware vulnerabilities are almost on par with software vulnerabilities, unlike in the previous six months, when there was almost a 2-to-1 disparity between software vulnerabilities and firmware bugs. “Even better news may be found in the total number of fully remediated firmware vulnerabilities in the 1H 2022 dataset. We see significant growth from the last report with 233 firmware flaws fully remediated by vendors, and another 69 where partial remediation was provided,” the report added.

For the first time, vendor self-disclosures have surpassed independent research outfits as the second most prolific vulnerability reporters, Claroty disclosed. Vendors accounted for 214 published CVEs in the first six months of 2022, trailing only third-party security companies, which reported 337. The 214 published CVEs are almost double the total in Team82’s report of 127 in the last six months of last year. Furthermore, 19 XIoT vendors experienced first-time published disclosures in the initial six months of this year. The list comprises a mix of medical device makers, building automation vendors, IT, OT, and ICS companies.

“For years, Team82 has been vigilant not only about finding vulnerabilities in industrial and IoT software and firmware but also about ensuring a safer ecosystem,” the report said. “That vigilance includes improving coordinated disclosures with vendors, and helping smaller, less-resourced organizations with establishing the basics for a vulnerability disclosure program.” 

Claroty disclosed that the number of affected vendors grew by four from the second half of 2021 and is on track to surpass 2021’s total of affected vendors. Team82 attributes this to several factors. It is important to understand that XIoT vulnerability research continues to grow and mature as vendors handle vulnerabilities in products never designed to be connected to the internet, the report said.

“Market-leading vendors such as Siemens and ABB are in the top five of the most affected vendors,” the report said. “These automation companies build products across the XIoT spectrum, and in tandem, have established product security teams that work closely with external researchers to find and fix every vulnerability.” 

Claroty also said that 40 vulnerabilities affect end-of-life products that are no longer supported by the vendor, and that 78 percent of the published vulnerabilities affecting such products are exploitable using network attack vectors.

In June, Forescout’s Vedere Labs disclosed 56 vulnerabilities caused by insecure-by-design practices affecting devices from ten OT vendors. Collectively called OT:ICEFALL, these vulnerabilities fall into four main categories – insecure engineering protocols, weak cryptography or broken authentication schemes, insecure firmware updates, and remote code execution via native functionality. The insecure-by-design problems were found across ten manufacturers, including Baker Hughes (Bentley Nevada), Emerson, Honeywell, JTEKT, Motorola, Omron, Phoenix Contact, Siemens, and Yokogawa.

Claroty said mitigations are often the only remediation option open to defenders, given the software and firmware patching challenges. Yet despite defenders’ dependence on mitigations, vendor advisories or alerts from industry groups such as ICS-CERT sometimes come up short with defense-in-depth recommendations.

Actionable recommendations such as blocking specific ports or updating outdated protocols are important, but foundational practices must be in place before those recommendations are effective. Network segmentation is the first step and should take precedence over other options for defenders, alongside basic security hygiene such as ransomware awareness, phishing mitigations, traffic restriction, user- and role-based policies, and the principle of least privilege.
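As an added illustration of the triage logic the report's findings point to (not code from Claroty or the report), the following script applies the factors discussed above (CVSS severity, Purdue level, firmware versus software, remediation status, end-of-life status, network attack vector) to constructed advisory records and decides whether each one is a patch-first or mitigate-first item. The record format, scoring weights and `EXAMPLE-` identifiers are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed records modelled on the categories the report uses.
# Identifiers are placeholders, not real CVEs; values are illustrative.
@dataclass
class XiotVuln:
    vuln_id: str
    cvss: float
    purdue_level: int   # 1 = basic control, 2 = supervisory, 3+ = ops/IT
    component: str      # "firmware" or "software"
    remediation: str    # "full", "partial" or "none"
    end_of_life: bool   # vendor no longer supports the product
    network_vector: bool

def triage(v: XiotVuln) -> Tuple[int, str]:
    """Return (priority, action); lower priority number means act first.
    Fully remediated flaws are patched; everything else falls back to
    compensating controls, with segmentation first for Level 1/2 firmware
    and EoL products that will never receive a vendor fix."""
    if v.remediation == "full":
        action = "apply vendor patch"
    elif v.end_of_life:
        action = "no fix coming: segment, restrict access, plan replacement"
    elif v.purdue_level <= 2 and v.component == "firmware":
        action = "mitigate: segment, protect remote access, watch L2 paths"
    else:
        action = "apply partial mitigations; track vendor for full fix"
    score = 0  # assumed weights: severity, reachability, process impact
    if v.cvss >= 9.0:
        score += 3
    elif v.cvss >= 7.0:
        score += 2
    score += 2 if v.network_vector else 0
    score += 2 if v.purdue_level <= 2 else 0
    score += 1 if v.remediation != "full" else 0
    score += 1 if v.end_of_life else 0
    return 10 - score, action

def prioritize(vulns: List[XiotVuln]) -> List[XiotVuln]:
    """Order records so the most urgent (lowest priority number) come first;
    ties are broken by CVSS score, highest first."""
    return sorted(vulns, key=lambda v: (triage(v)[0], -v.cvss))

SAMPLE = [  # constructed inputs
    XiotVuln("EXAMPLE-0001", 7.5, 3, "software", "full", False, True),
    XiotVuln("EXAMPLE-0002", 9.8, 1, "firmware", "none", False, True),
    XiotVuln("EXAMPLE-0003", 8.1, 2, "firmware", "none", True, True),
    XiotVuln("EXAMPLE-0004", 5.3, 3, "software", "partial", False, False),
]
```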
