Connected device vendors devote more effort to security and safety


More and more connected systems are being used to deliver the essentials of our everyday lives. From the water and power that come into our homes to the medical treatment we receive, the 'Extended Internet of Things' (XIoT) is involved.

A new report on the state of XIoT security from Claroty's Team82 researchers shows that vulnerabilities in these cyber-physical systems disclosed in the second half of 2022 declined by 14 percent since hitting a peak in 2021. At the same time, vulnerabilities found by internal research and product security teams have increased by 80 percent over the same period, indicating that vendors are taking the risk seriously.

"A vast majority of the vendors now have a formal process for disclosing vulnerabilities," says Nadav Erez, VP of data at Claroty. "It's really exciting to see a company that has no disclosure process go through this and understand the importance of it and build and formalize it as well."

The research shows 62 percent of published OT vulnerabilities affect devices at Level 3 of the Purdue Model for ICS. These devices manage production workflows and can be key crossover points between IT and OT networks, which makes them very attractive to threat actors aiming to disrupt industrial operations.

According to the report, 71 percent of vulnerabilities were assigned a CVSS v3 score of 'critical' or 'high', and 63 percent of vulnerabilities are remotely exploitable over the network, meaning a threat actor doesn't need local, adjacent, or physical access to the affected device in order to exploit the vulnerability.

When it comes to what's at risk, the leading potential impact is unauthorized remote code or command execution (prevalent in 54 percent of vulnerabilities), followed by denial-of-service conditions (crash, exit, or restart) at 43 percent.

"We see more regulation by governments in healthcare and in critical infrastructures," adds Erez. "This push from regulation drives down all the way to the vendors. We also see customers start to treat security as a consideration when they choose which vendor to use. This is obviously a commercial motive that has a big effect eventually. If you lose a deal because you are not able to supply a software bill of materials then this is a great incentive to do that for the next one."

The full State of XIoT Security report is available from the Claroty site.
