Claroty finds fall in published vulnerabilities in cyber-physical systems, as disclosures by internal teams rise 80%

New data from Claroty shows a second straight decline in the number of published vulnerabilities in cyber-physical systems since the peak reached during the second half of 2021. Over the same period, vulnerabilities found by vendors' own internal research and product security teams have increased by 80 percent, indicating that vendors are investing more in cyber-physical systems security and improving both the posture of their products and their product-security programs.

In its latest report titled ‘State of XIoT Security Report: 2H 2022,’ Claroty’s Team82 said that for the first time, the number of vendor self-disclosures of XIoT vulnerabilities has surpassed those of third-party security companies’ research teams and independent researchers. “Of the 688 published vulnerabilities in the 2H of 2022, 74% of those affect OT devices; OT vulnerabilities continue to dominate our dataset. 62% of published OT vulnerabilities affect devices at Level 3 of the Purdue Model for ICS, while one quarter of published vulnerabilities impact Level 1, or Basic Control devices, including PLCs and other controllers and sensors,” it added.

The 688 published vulnerabilities affected 72 vendors across industrial, healthcare, and commercial technology. Both figures fell from the first half of 2022 (747 vulnerabilities affecting 86 vendors), while the number of published OT (operational technology) flaws grew in the second half of the year. “On average, there were 115 vulnerability disclosures per month during the 2H 2022. While we’re seeing overall numbers trend downward, there are still a significant number of vulnerabilities being found by vendors, professional research teams, and independent researchers,” the report said.

Claroty said that 487 of the vulnerabilities published in the second half of 2022 were assessed as critical or high severity on the CVSS v3 scale, 110 of them critical.

“Cyber-physical systems power our way of life. The water we drink, the energy that heats our homes, the medical care we receive – all of these rely on computer code and have a direct link to real-world outcomes,” Amir Preminger, vice president for research at Claroty, said in a media statement. “The purpose of Team82’s research and compiling this report is to give decision-makers in these critical sectors the information they need to properly assess, prioritize, and address risks to their connected environments, so it is very heartening that we are beginning to see the fruits of vendors’ and researchers’ labor in the steadily growing number of disclosures sourced by internal teams. This shows that vendors are embracing the need to secure cyber-physical systems by dedicating time, people, and money to not only patching software and firmware vulnerabilities but also to product security teams overall.”

The New York-based company also noted that software vulnerabilities have traditionally dominated the dataset, and this continues to be the case. Given the maturity of tooling and awareness in software security, vendors patch vulnerabilities in software faster than those found in firmware. The dataset comprises vulnerabilities publicly disclosed by Team82 and drawn from trusted open sources, including the National Vulnerability Database (NVD), the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), CERT@VDE, MITRE, and the industrial automation vendors Schneider Electric and Siemens.

“Published IoT and IoMT vulnerabilities in our dataset accounted for 6% of disclosures, while flaws in OT and IT-related ICS equipment accounted for 94% of published vulnerabilities in 2H 2022,” the report said. “After a slight spike in published IoT vulnerabilities reported during the first half of 2022, that number has dropped back down closer to previous levels. Published vulnerabilities affecting OT continue to dominate over IoT and IoMT,” it added.

“The number of published IoT vulnerabilities dropped sharply after a noteworthy increase during the 1H of 2022,” the report said. “487 published vulnerabilities in the 2H of 2022 were either assessed a critical or high-severity CVSS v3 score. There were 110 critical vulnerabilities in the second half of 2022, only 10 behind the peak number uncovered during the 2H of 2021,” it added.

Team82 itself disclosed 65 vulnerabilities in the second half of 2022 and 117 across the full year. Thirty of the 65 were assessed with a CVSS v3 score of 9.5 or higher, and 63 percent of the published vulnerabilities in Team82’s dataset are exploitable over the network.

The report disclosed that the top impacts of published vulnerabilities in the second half of 2022 are remote code execution, denial-of-service attacks, and bypasses of security mechanisms such as authentication. Four of the top five CWEs in the dataset are also prominent in the top five of MITRE’s top 25 CWE list. 

Team82’s coordinated disclosures in 2022 resulted in the publication of details and remediations for 117 vulnerabilities, most of which were assessed as critical or high severity on the CVSS v3 scale. “While automation dominates Team82’s 2H 2022 dataset of affected vendors, there are a growing number of IT and IoT vendors that entered into coordinated disclosures with Team82, and mitigated serious vulnerabilities as a result of that engagement,” it added.

Through several research efforts in 2022, Team82 emphasized the importance of programmable logic controllers (PLCs) to industrial automation, and how vulnerabilities in the way they are programmed or implemented can affect processes and jeopardize safety and reliability.

In April, it disclosed vulnerabilities in Rockwell Automation Logix PLCs and the Studio 5000 engineering workstation software that could allow attackers to download modified code to a controller while hiding the change from the engineering workstation. Team82 found two vulnerabilities that allowed it to decouple the textual (source) code from the compiled binary code and transfer both to the PLC while modifying one and not the other. Exploiting either vulnerability has the same end result: the engineer sees benign code as running on the PLC, while completely different and potentially malicious code is actually executing on it. Rockwell Automation released a tool to its users that detects this type of modification.

In August, Team82 described a novel technique it called the Evil PLC Attack, in which PLCs are weaponized to compromise the engineering workstations that connect to them. An attacker with a foothold on an engineering workstation can then reach anything else on the OT network to which an engineer connects that machine, including other PLCs. Products from seven automation vendors were found vulnerable to the Evil PLC attack.

In October, Team82 published a method for extracting the heavily guarded, hardcoded encryption keys embedded in Siemens SIMATIC PLCs and TIA Portal. An attacker in possession of these secret keys could mount a range of advanced attacks against any SIMATIC S7-1200/1500 PLC, since they all shared the same key. Team82’s coordinated disclosure with Siemens resulted in a new TLS management system in TIA Portal that protects the confidentiality of communications between Siemens PLCs and engineering workstations.

The report also recorded a new high of 485 published OT vulnerabilities in the dataset for the second half of 2022, topping the previous high of 455, reached in both the second half of 2021 and the first half of 2022. The number of published IoT and IoMT vulnerabilities, however, dropped significantly, from a combined 136 in the first half of 2022 to 45 in the second half.

Claroty identified healthcare cybersecurity as patient safety and bringing XIoT to the cloud as trends to watch in 2023. “Resource-strapped healthcare delivery organizations should be encouraged to see concrete incentives as proposed options for addressing legacy systems, for example, with a “Cash-for-Clunkers” type of buy-back program in order to upgrade to current, supported software and firmware at the heart of connected medical devices. This could be used to nudge manufacturers toward modular equipment design that supports minimum cybersecurity hygiene requirements,” it added. 

According to the report, cloud-based analysis of OT and IoT data brings both benefits, such as a better understanding of process efficiency, and costs, chiefly a significantly larger attack surface. Data collected by OT and IoT sensors and sent to a cloud architecture of servers, storage, and processing can turn a plant into a well-oiled machine, but it also accelerates the loss of air-gapped networks and exposes sensitive process information to anyone with access to the cloud storage. Security analysts responsible for cyber-physical systems must understand these inherent risks and mitigate them.

Some of the key mitigations recommended for published vulnerabilities in the second half of 2022 include network segmentation, secure remote access, and ransomware protection. Within OT, other mitigation strategies were traffic restriction, user and role policy implementation, and workstation hardening.
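The segmentation and traffic-restriction mitigations listed above can be made concrete at a Purdue Level 3 to Level 1 boundary. The following is an added example, not a configuration from Claroty or any vendor: a shell script that emits a weak and a hardened nftables ruleset for a firewall between an engineering workstation segment and a controller segment, plus a textual check that flags a ruleset which defaults to accept or contains a blanket accept. The addresses (10.10.3.0/24 for the workstation segment, 10.10.1.0/24 for the controllers, 10.10.3.10 for the single approved workstation) are assumptions chosen for illustration; TCP/102 (S7comm over ISO-TSAP) and TCP/44818 (EtherNet/IP explicit messaging) are the standard ports for those engineering protocols.

```shell
#!/bin/sh
# Added example: generate nftables rulesets for a Level 3 -> Level 1 boundary.
# All addresses below are constructed for illustration, not taken from the report.
EWS_NET="10.10.3.0/24"          # engineering workstation segment (Purdue Level 3)
PLC_NET="10.10.1.0/24"          # controller segment (Purdue Level 1)
APPROVED_EWS="10.10.3.10"       # the one workstation allowed to program PLCs
ENGINEERING_PORTS="102, 44818"  # S7comm (ISO-TSAP) and EtherNet/IP explicit messaging

# Weak ruleset: a flat network that forwards everything. Any host that reaches
# the Level 3 segment can talk to every PLC on every port.
weak_ruleset() {
    cat <<EOF
table inet ot_boundary {
    chain forward {
        type filter hook forward priority 0; policy accept;
    }
}
EOF
}

# Hardened ruleset: default drop, only the approved workstation may open
# engineering sessions to the controllers, replies ride on conntrack state,
# PLC-initiated connections toward Level 3 are logged separately (an Evil PLC
# style pivot would show up here), and everything else is logged then dropped.
hardened_ruleset() {
    cat <<EOF
table inet ot_boundary {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state invalid drop
        ct state established,related accept
        ip saddr $APPROVED_EWS ip daddr $PLC_NET tcp dport { $ENGINEERING_PORTS } ct state new accept
        ip saddr $PLC_NET ip daddr $EWS_NET ct state new log prefix "OT-L1-INITIATED " drop
        log prefix "OT-BOUNDARY-DENY " drop
    }
}
EOF
}

# Textual policy check for any ruleset fed on stdin: returns 0 only if the
# forward chain defaults to drop and no rule is an unconditional accept.
# Usage: hardened_ruleset | check_ruleset
check_ruleset() {
    ruleset="$(cat)"
    printf '%s\n' "$ruleset" | grep -q 'hook forward priority 0; policy drop;' || return 1
    # an "accept" with no match expression in front of it is a blanket allow
    if printf '%s\n' "$ruleset" | grep -Eq '^[[:space:]]*accept[[:space:]]*$'; then
        return 1
    fi
    return 0
}

# Apply on the boundary firewall with: hardened_ruleset | nft -f -
```

The check is a heuristic over the ruleset text, not a substitute for `nft -c -f -` (syntax check) or for reviewing the rules on the live system; its purpose is to catch the two mistakes that most often undo segmentation, a default-accept forward policy and a catch-all accept added during troubleshooting.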
