ICS & OT integrations into IT systems make patching crucial for this increasingly vulnerable cyber breach vector
Summary
The Claroty 2H20 ICS Risk & Vulnerability Report details publicly disclosed ICS vulnerabilities found in this increasingly critical risk area. Key findings include:
- The number of ICS vulnerabilities disclosed in 2020 increased by 24.7% vs 2019
- During 2H20, 449 ICS vulnerabilities were disclosed, over 70% of which were rated ‘critical’ or ‘high’
- While vulnerabilities were disclosed from 59 vendors, a large majority of the affected products were from just 3 vendors: Schneider Electric, Mitsubishi and Siemens
- 72% of disclosed ICS vulnerabilities are remotely exploitable
- 76% of disclosed ICS vulnerabilities do not require authentication for exploitation, allowing easier access to attackers
- The sectors most affected by ICS vulnerability disclosures in 2H20 were critical manufacturing, energy, water and wastewater, and commercial facilities
- 60.8% of vulnerabilities were discovered by third-party companies
- 65.7% of the vulnerabilities can cause total loss of system availability
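The findings above slice a disclosure feed along a few attributes: remotely exploitable, exploitable without authentication, critical/high severity, total loss of availability, and vendor concentration. The script below, an added example that is not part of the Claroty report or this article, shows how a defender can apply the same slicing to their own vulnerability feed to decide what to patch first. It assumes each record carries a CVSS v3.x vector string and base score, and maps "remotely exploitable" to `AV:N`, "no authentication required" to `PR:N`, and "total loss of availability" to `A:H`; the feed records, vendor names and identifiers are constructed placeholders, not real advisories.

```python
"""Slice a constructed ICS vulnerability feed the way the report's key findings do."""
from collections import Counter

# Constructed sample feed: identifiers, vendors, vectors and scores are placeholders,
# not real advisories. Each record mimics a minimal disclosure entry.
SAMPLE_FEED = [
    {"id": "EXAMPLE-0001", "vendor": "VendorA", "score": 9.8,
     "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},
    {"id": "EXAMPLE-0002", "vendor": "VendorA", "score": 7.5,
     "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},
    {"id": "EXAMPLE-0003", "vendor": "VendorB", "score": 8.8,
     "cvss": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},
    {"id": "EXAMPLE-0004", "vendor": "VendorB", "score": 6.5,
     "cvss": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},
    {"id": "EXAMPLE-0005", "vendor": "VendorC", "score": 5.5,
     "cvss": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},
    {"id": "EXAMPLE-0006", "vendor": "VendorA", "score": 4.3,
     "cvss": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},
    {"id": "EXAMPLE-0007", "vendor": "VendorD", "score": 9.1,
     "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},
    {"id": "EXAMPLE-0008", "vendor": "VendorC", "score": 7.8,
     "cvss": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},
]

BASE_METRICS = {"AV", "AC", "PR", "UI", "S", "C", "I", "A"}


def parse_vector(vector: str) -> dict:
    """Split a CVSS v3.x vector string into a metric dict, e.g. {'AV': 'N', 'PR': 'N', ...}.

    Rejects non-v3 vectors and vectors missing any base metric, so a malformed
    feed entry fails loudly instead of silently counting as 'not remote'.
    """
    head, *metrics = vector.split("/")
    if not head.startswith("CVSS:3."):
        raise ValueError(f"unsupported CVSS vector: {vector}")
    parsed = dict(m.split(":", 1) for m in metrics)
    missing = BASE_METRICS - parsed.keys()
    if missing:
        raise ValueError(f"vector missing base metrics {sorted(missing)}: {vector}")
    return parsed


def severity_band(score: float) -> str:
    """CVSS v3 qualitative rating scale (None/Low/Medium/High/Critical)."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def triage(feed: list) -> dict:
    """Compute the report-style shares and a patch-first list for a feed.

    Assumed mapping (not defined by the report): remotely exploitable = AV:N,
    no authentication required = PR:N, total loss of availability = A:H.
    """
    total = len(feed)

    def pct(n: int) -> float:
        return round(100.0 * n / total, 1) if total else 0.0

    remote = no_auth = crit_high = avail_loss = 0
    vendors = Counter()
    patch_first = []
    for rec in feed:
        m = parse_vector(rec["cvss"])
        vendors[rec["vendor"]] += 1
        is_remote = m["AV"] == "N"
        is_no_auth = m["PR"] == "N"
        is_avail = m["A"] == "H"
        remote += int(is_remote)
        no_auth += int(is_no_auth)
        avail_loss += int(is_avail)
        crit_high += int(severity_band(rec["score"]) in ("Critical", "High"))
        # Unauthenticated, network-reachable, availability-killing bugs go to the top of the queue.
        if is_remote and is_no_auth and is_avail:
            patch_first.append(rec)
    patch_first.sort(key=lambda r: r["score"], reverse=True)
    return {
        "total": total,
        "remote_pct": pct(remote),
        "no_auth_pct": pct(no_auth),
        "crit_high_pct": pct(crit_high),
        "availability_loss_pct": pct(avail_loss),
        "vendors": vendors.most_common(),
        "patch_first": [r["id"] for r in patch_first],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_FEED).items():
        print(f"{key}: {value}")
```

The `patch_first` list is the practical output: entries that are reachable over the network, need no credentials, and can take the process down are the ones whose patch window matters most, and the vendor counter shows whether, as in the report, a handful of vendors account for most of the exposure.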
Analysis
Coming in the wake of the breach of the Oldsmar, Fla., water treatment plant discussed yesterday, this timely report serves as a warning to companies, regulators and lawmakers about the rapidly emerging threats to Industrial Control Systems (ICS) and Operational Technology (OT) as they are integrated into IT systems and are no longer air-gapped from the internet.
It is also important to note that the statistics in the Claroty report are limited to known and patched vulnerabilities. Because there is very often a lengthy period between the first exploitation of a vulnerability and its discovery, the true number of vulnerabilities is much higher than the figures in Claroty’s report. The most dangerous vulnerabilities are of course the ones that attackers have already discovered and exploited but that the vendor has not yet identified and patched. SolarWinds—a breach that went undetected for up to a year—provides a glaring example of how an initial breach can metastasize into a much more systemic and catastrophic event affecting thousands of companies.