The third Biannual ICS Risk & Vulnerability Report found a rapid acceleration in the number of disclosures being reported since the start of 2021.
In the last half of 2020, 449 vulnerabilities were disclosed. During the first half of 2021, more than 600 ICS vulnerabilities were disclosed, impacting 76 vendors.
Claroty researchers described the rise in the number of disclosures as “particularly significant given that in all of 2020 they increased by 25% from 2019 and 33% from 2018.”
Most of the vulnerabilities disclosed represented a serious risk to industrial control systems, with 71% being classified as high or critical.
Researchers found that 81% of vulnerabilities were discovered by sources other than the affected vendor, including independent researchers, academics, third-party companies, and other research groups.
Worryingly, 90% of the vulnerabilities were identified as not requiring any special conditions to be exploited. Therefore, an attacker who exploited these “low attack complexity” vulnerabilities could expect to enjoy repeatable success every time.
Nearly two-thirds of disclosures (61%) were remotely exploitable, and 66% did not require any user interaction to be exploited.
Almost three-quarters of vulnerabilities (74%) did not require privileges, so they could be exploited by an attacker who was unauthorized and who did not have access to settings or files.
Amir Preminger, vice president of research at Claroty, said that modernization was raising risks for companies.
“As more enterprises are modernizing their industrial processes by connecting them to the cloud, they are also giving threat actors more ways to compromise industrial operations through ransomware and extortion attacks,” said Preminger.
They went on to describe the latest cyber-attacks on critical infrastructure in the Unites States as a wake-up call.
“The recent cyber-attacks on Colonial Pipeline, JBS Foods, and the Oldmsar, Florida, water treatment facility have not only shown the fragility of critical infrastructure and manufacturing environments that are exposed to the internet but have also inspired more security researchers to focus their efforts on ICS specifically,” said Preminger.