Claroty biannual ICS risk & vulnerability report: 1H 2021

The first half of 2021 was the biggest test of industrial cybersecurity in history.

Many companies are enjoying the fruits of connecting devices to the internet and converging operational technology (OT) under IT systems management. Yet that momentum has also beaconed out to threat actors, particularly those whose trade is extortion and profit. Assets are exposed online in record numbers, and along with them, all their blemishes: unpatched vulnerabilities, unsecured credentials, weak configurations, and the use of outdated industrial protocols.

In the first six months of the year, all of this conspired to bring us attention-grabbing ransomware attacks against Colonial Pipeline and JBS Foods, an eye-opening intrusion at the water treatment facility in Oldsmar, Fla., and another in the Bay Area. These incidents elevated the security of industrial control systems and OT networks to mainstream conversations.

The U.S. government took notice too, calling out the criticality of securing these systems and networks for the first time in executive orders, a National Security Memorandum, and in sector-specific efforts to improve not only awareness among owners and operators, but to emphasize the overall threat to national security and public safety that attacks against industrial control systems (ICS) and OT can deliver.

Claroty, today, publishes its third Biannual ICS Risk & Vulnerability Report. The report is our research team’s (Team82’s) effort to define and analyze the vulnerability landscape relevant to leading automation products used across the ICS domain. Team82 delivers a comprehensive look at ICS vulnerabilities publicly disclosed during the first half of the year, including those found by Team82 and those found by affected vendors, independent security researchers, and experts inside other organizations.

The report is an important resource for OT security managers and operators, delivering not only data about vulnerabilities that are prevalent in industrial devices, but also the necessary context around them to assess risk within their respective environments.