New research has found that more than 70% of industrial control system (ICS) vulnerabilities disclosed in the first half of 2020 can be exploited remotely.
The discovery was unveiled in the inaugural "Biannual ICS Risk & Vulnerability Report," released today by Claroty, a global leader in operational technology (OT) security.
The report details the assessment of 365 ICS vulnerabilities published by the National Vulnerability Database (NVD) and 139 ICS advisories issued by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) during the first half of 2020, affecting a total of 53 vendors.
Claroty's research team found that ICS vulnerabilities published by the NVD in 2020 increased by 10.3% from the 331 published last year.
The number of ICS-CERT advisories published over the same period had increased much more significantly, with 32.4% more in 2020 than the 105 published in 2019.
Alarmingly, more than 75% of vulnerabilities published in the first half of 2020 were assigned high or critical Common Vulnerability Scoring System (CVSS) scores.
“There is a heightened awareness of the risks posed by ICS vulnerabilities and a sharpened focus among researchers and vendors to identify and remediate these vulnerabilities as effectively and efficiently as possible,” said Amir Preminger, vice president of research at Claroty.
“Our findings show how important it is for organizations to protect remote access connections and internet-facing ICS devices, and to protect against phishing, spam, and ransomware, in order to minimize and mitigate the potential impacts of these threats.”
Researchers found that more than 70% of the vulnerabilities published by the NVD can be exploited remotely, illustrating the rarity of fully air-gapped ICS networks that are isolated from cyber-threats.
The most common potential impact was remote code execution (RCE), found to be possible with 49% of vulnerabilities. This was followed by the ability to read application data (41%), cause denial of service (DoS) (39%), and bypass protection mechanisms (37%).
Of the 385 unique Common Vulnerabilities and Exposures (CVEs) included in the advisories, energy had 236, critical manufacturing had 197, and water and wastewater had 171.