Are vendors taking the initiative in vulnerability disclosure?
Vulnerability disclosure is an important process for improving security and is especially crucial when it comes to the Extended Internet of Things (XIoT). Today’s cyber-physical systems have a direct connection to the real world and hence a vulnerability in these systems can immediately impact the lives of humans.
XIoT is an umbrella term covering every cyber-physical device that is connected to a network. An enterprise's XIoT can include operational technology (OT) and Industrial Control Systems (ICS), building management systems and Internet of Medical Things (IoMT) devices.
Claroty’s research team, Team82, carried out an extensive analysis of vulnerabilities impacting the XIoT. The report highlighted the growing inclination of vendors towards self-disclosures, which nearly doubled in the first half of 2022 compared to the second half of 2021. So, why this sudden rise in disclosures?
Key trends of vulnerability disclosures
The IoT industry has often been reluctant to disclose vulnerabilities, but the State of XIoT Security Report: 1H 2022 found that vendors are now actively self-disclosing. The rate of vendor self-disclosures rose by 69 percent compared with the previous six months: vendors accounted for 214 published Common Vulnerabilities and Exposures (CVE) entries in the first half of 2022, almost double their share in the second half of 2021.
For the first time, vendor self-disclosures overtook independent research outfits as a source of published vulnerabilities, and were surpassed only by third-party security companies. Vendors are putting more effort into flagging flaws in their own products, establishing more OT, IoT and IoMT vulnerability disclosure programs and allocating more resources to their product security teams.
Vendors' vulnerability disclosure programs have also matured significantly in recent times. More vendors have established dedicated product emergency response teams whose sole job is to identify, triage and report vulnerabilities. They are also simplifying and streamlining the disclosure process and creating more room for public reporting.
For instance, some vendors have dedicated web pages where any customer or researcher can report an observed vulnerability in their products directly, and publish public encryption keys (typically PGP keys) so that details of a security flaw can be sent to them confidentially rather than in plaintext email.
However, what’s causing this shift in vendor disclosures?
The increasing threat against the critical infrastructure industry
Increased vigilance from vendors is likely driven by the sharp rise in the number of cyberattacks facing the Critical National Infrastructure (CNI) industry. Critical infrastructure organizations are connecting more and more XIoT devices to their networks, which exposes them to a variety of new vulnerabilities. Furthermore, threat actors know that XIoT-based attacks on critical infrastructure can have not only an impact on business operations and cost, but a direct impact on human life.
For instance, the hacking group Predatory Sparrow orchestrated a serious attack on a steel mill in Iran in July this year. The attack on the plant resulted in a machine spewing molten steel and fire. Although the group claimed the attack was carried out carefully enough not to hurt anyone, the attackers clearly knew that they were potentially putting lives in danger by targeting a fully operational mill.
Additionally, earlier this year, Microsoft revealed that adversaries had compromised organizations in the energy sector and gained access to internal networks via internet-exposed cameras. The attackers exploited a vulnerability in a web server component that was discontinued in 2005 but was still embedded in IoT devices.
Despite the maturing practice and process of vulnerability disclosure, these incidents highlight the human cost of exploited vulnerabilities, and if attacks continue to ramp up then vendors will struggle to keep pace.
Therefore, organizations must have procedures and measures in place that reduce the likelihood of a major security incident, as well as proactive practices that limit the impact when a vulnerability is exploited.
Effectively dealing with vulnerabilities
The most frequently recommended vulnerability mitigation is network segmentation, recommended in 45 percent of the disclosures analyzed. Breaking the network into smaller zones ensures that an attacker who compromises one host does not gain access to everything else. Using segmentation, OT network operators limit both internal and external access to critical systems and resources, and separated networks have become an effective way to keep field devices and management systems away from external connections.
Another effective solution is secure remote access, which gives third-party professionals and internal employees a controlled path into the environment. It works alongside segmentation: critical zones are separated from the rest of the IT and OT networks, and access into them is brokered through a system that adds authentication, encryption and authorization, so that every remote session is tied to an identity and restricted to the assets that identity is allowed to reach.
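The two controls above, zone-based segmentation with default deny and a brokered remote-access path that is checked for authentication and authorization before the segmentation rule is even consulted, as an added example. This is illustration code, not Claroty's or any vendor's implementation; the zone names, address ranges, conduits, users and grants are all invented, and the nftables rendering is one way of expressing the same policy on a Linux firewall.

```python
"""Zones-and-conduits segmentation policy with a remote-access broker check.

Added example. ZONES, CONDUITS and REMOTE_GRANTS are hypothetical values
chosen for illustration; they are not taken from any real deployment.
"""
from ipaddress import ip_address, ip_network

# Hypothetical zones: name -> CIDR blocks.
ZONES = {
    "enterprise_it":  ["10.10.0.0/16"],
    "remote_access":  ["10.20.0.0/24"],   # jump host / access broker lives here
    "ot_supervisory": ["10.30.0.0/24"],   # SCADA servers, engineering workstations
    "field_devices":  ["10.40.0.0/24"],   # PLCs, RTUs, controllers
}

# Hypothetical conduits: the only inter-zone flows permitted. Everything else is denied.
CONDUITS = {
    ("enterprise_it",  "remote_access",  "tcp", 22),     # staff reach the jump host over SSH
    ("remote_access",  "ot_supervisory", "tcp", 3389),   # brokered RDP to engineering workstations
    ("ot_supervisory", "field_devices",  "tcp", 502),    # Modbus/TCP from SCADA to controllers
    ("ot_supervisory", "field_devices",  "tcp", 44818),  # EtherNet/IP explicit messaging
}

# Hypothetical per-user grants: (target IP, port) pairs a remote user may reach via the broker.
REMOTE_GRANTS = {
    "vendor_tech":    {("10.30.0.10", 3389)},
    "plant_engineer": {("10.30.0.10", 3389), ("10.30.0.11", 3389)},
}


def zone_of(ip):
    """Return the zone an address belongs to, or None if it is in no defined zone."""
    addr = ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in ip_network(net) for net in nets):
            return name
    return None


def flow_allowed(src_ip, dst_ip, proto, port):
    """Default-deny: a cross-zone flow passes only if it matches an explicit conduit."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return False, "address outside every defined zone"
    if src == dst:
        return True, f"intra-zone traffic in {src}"
    if (src, dst, proto, port) in CONDUITS:
        return True, f"conduit {src}->{dst} {proto}/{port}"
    return False, f"no conduit {src}->{dst} {proto}/{port}"


def authorize_remote_session(user, mfa_passed, broker_ip, target_ip, port, proto="tcp"):
    """Authentication, then authorization, then segmentation; all three must pass."""
    if not mfa_passed:
        return False, "authentication failed: MFA required"
    if zone_of(broker_ip) != "remote_access":
        return False, "session must originate from the remote-access broker zone"
    if (target_ip, port) not in REMOTE_GRANTS.get(user, set()):
        return False, f"{user} is not authorized for {target_ip}:{port}"
    return flow_allowed(broker_ip, target_ip, proto, port)


def nft_rules():
    """Render the conduits as an nftables forward chain with a drop policy."""
    lines = [
        "table inet segmentation {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for src, dst, proto, port in sorted(CONDUITS):
        for s in ZONES[src]:
            for d in ZONES[dst]:
                lines.append(f"    ip saddr {s} ip daddr {d} {proto} dport {port} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    # An IT workstation talking Modbus straight to a PLC is denied; SCADA to PLC is allowed.
    print(flow_allowed("10.10.5.5", "10.40.0.7", "tcp", 502))
    print(flow_allowed("10.30.0.10", "10.40.0.7", "tcp", 502))
    # The vendor technician may reach one workstation via the broker, nothing else.
    print(authorize_remote_session("vendor_tech", True, "10.20.0.5", "10.30.0.10", 3389))
    print(authorize_remote_session("vendor_tech", True, "10.20.0.5", "10.30.0.11", 3389))
    print(nft_rules())
```

Note that the remote-access check never creates a path the conduit table does not already permit: a grant to a target the broker zone cannot reach is rejected by the final `flow_allowed` call, which keeps the firewall policy and the broker's authorization list from silently disagreeing.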
It is also essential to understand that without full visibility into the industrial environment an organization has no baseline against which to measure threats, vulnerabilities and the risks they pose. Organizations therefore need a complete inventory of the devices and systems connected to the network, so that each of them can be matched against published vulnerabilities and any device that is not in the baseline is noticed as soon as it appears.
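How that baseline is used in practice, as an added example rather than anything from the Claroty report: passive observations of devices on the OT network are parsed into an inventory, compared against the known-asset baseline to surface unknown devices, and matched by vendor, product and firmware version against an advisory table. The observation lines, MAC addresses, vendor and product names and the advisory entry are all constructed for illustration and do not refer to real products or real vulnerabilities.

```python
"""Asset baseline and vulnerability matching from passive observations.

Added example. The observation records, baseline and advisory table below are
constructed; the vendors, products and advisory ID are hypothetical.
"""
import re

# Constructed records in the style a passive network sensor might emit.
OBSERVATIONS = """\
2022-09-01T08:00:01Z ip=10.40.0.7 mac=00:11:22:aa:bb:01 vendor=ExampleAutomation product=PLC-2000 fw=3.2.1 proto=modbus
2022-09-01T08:00:05Z ip=10.40.0.8 mac=00:11:22:aa:bb:02 vendor=ExampleAutomation product=PLC-2000 fw=3.4.0 proto=modbus
2022-09-01T08:00:07Z ip=10.40.0.9 mac=00:11:22:aa:bb:03 vendor=ExampleAutomation product=PLC-2000 fw=? proto=modbus
2022-09-01T08:00:09Z ip=10.30.0.10 mac=00:11:22:aa:bb:10 vendor=ExampleSCADA product=HMI-Server fw=7.1 proto=rdp
2022-09-01T08:01:12Z ip=10.40.0.99 mac=00:11:22:aa:bb:ff vendor=Unknown product=? fw=? proto=http
"""

# Constructed baseline of approved assets, keyed by MAC address.
BASELINE_MACS = {
    "00:11:22:aa:bb:01",
    "00:11:22:aa:bb:02",
    "00:11:22:aa:bb:03",
    "00:11:22:aa:bb:10",
}

# Hypothetical advisory table: firmware versions below fixed_in are affected.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "vendor": "ExampleAutomation", "product": "PLC-2000", "fixed_in": "3.3.0"},
]

KV = re.compile(r"(\w+)=(\S+)")


def parse_observations(text):
    """Turn 'ts key=value ...' lines into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _, rest = line.partition(" ")
        rec = {"ts": ts}
        rec.update(KV.findall(rest))
        records.append(rec)
    return records


def version_tuple(text):
    """'3.2.1' -> (3, 2, 1). Unparseable versions return None so they are never treated as patched."""
    try:
        return tuple(int(part) for part in text.split("."))
    except ValueError:
        return None


def assess(records, baseline_macs, advisories):
    """Build the inventory, flag devices outside the baseline, and match advisories by version."""
    inventory = {}
    for rec in records:
        inventory[rec["mac"]] = rec          # the latest observation of a MAC wins
    unknown = sorted(rec["ip"] for mac, rec in inventory.items() if mac not in baseline_macs)
    vulnerable, unversioned = [], []
    for rec in inventory.values():
        for adv in advisories:
            if (rec["vendor"], rec["product"]) != (adv["vendor"], adv["product"]):
                continue
            fw = version_tuple(rec["fw"])
            if fw is None:
                unversioned.append(rec["ip"])  # needs manual confirmation, not silent dismissal
            elif fw < version_tuple(adv["fixed_in"]):
                vulnerable.append((rec["ip"], rec["product"], rec["fw"], adv["id"]))
    return {
        "inventory": inventory,
        "unknown_devices": unknown,
        "vulnerable": sorted(vulnerable),
        "unversioned": sorted(unversioned),
    }


if __name__ == "__main__":
    result = assess(parse_observations(OBSERVATIONS), BASELINE_MACS, ADVISORIES)
    print("unknown devices:", result["unknown_devices"])
    print("vulnerable:", result["vulnerable"])
    print("version unknown, check manually:", result["unversioned"])
```

The two outputs a practitioner cares about are the device that is not in the baseline (10.40.0.99) and the controller still running firmware below the fixed version (10.40.0.7). A device whose firmware version could not be read is reported separately rather than dropped, because treating "unknown" as "not affected" is exactly how unpatched devices stay invisible.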
Even though XIoT vulnerability disclosures have increased significantly in recent years, there are still plenty of dangerous vulnerabilities that remain undetected and, more importantly, unpatched. It is therefore crucial that organizations implement proactive security measures that blunt the impact of these vulnerabilities and increase their cyber resilience.
Chen Fradkin is Data Scientist, Claroty.