IoT Vulnerability Disclosures Up 57% in Six Months, Claroty Reveals

  • The number of vulnerability disclosures impacting extended internet of things (XIoT) devices increased by 57% in the first half of 2022 compared to the previous six months, according to a new report by Team82, the research team of cyber-physical systems (CPS) security firm Claroty.

    The research also found that vendor self-disclosures increased by 69%. This would be a first for the industry, which usually relies more for disclosures on independent research teams. According to Team82, the trend indicates that more operational technology (OT), IoT, and internet of medical things (IoMT) vendors are establishing vulnerability disclosure programs and dedicating more resources to them.

    Additionally, fully or partially remediated firmware vulnerabilities increased by 79% over the same time period, a significant improvement considering the relative challenges in patching firmware versus software vulnerabilities.

    The Claroty report is based on a data set comprising vulnerabilities discovered by Team82 and from open source databases, including the National Vulnerability Database (NVD), the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), CERT@VDE, MITRE, and industrial automation vendors Schneider Electric and Siemens.

    “After decades of connecting things to the internet, cyber-physical systems are having a direct impact on our experiences in the real world, including the food we eat, the water we drink, the elevators we ride, and the medical care we receive,” explained Amir Preminger, vice president of research at Claroty.

    “We conducted this research to give decision makers within these critical sectors a complete snapshot of the XIoT vulnerability landscape, empowering them to properly assess, prioritize, and address risks to the mission-critical systems underpinning public safety, patient health, smart grids and utilities, and more.”

    Of all vulnerabilities mentioned in the research, Team82 reportedly disclosed 44 in 1H 2022 and a total of 335 to date.

    The full text of the State of XIoT Security Report: 1H 2022 is available at this link here. Its publication comes months after Claroty announced the acquisition of healthcare IoT security business Medigate.