State of XIoT Security: 2H 2022

February 17, 2023

For more than three years, and now six of these reports, Claroty Team82 has provided biannual analyses of publicly disclosed vulnerabilities affecting operational technology (OT), internet of things (IoT) devices, and most recently, the internet of medical things (IoMT).

We have not only found and privately disclosed more than 400 vulnerabilities since our inception, but we’ve worked closely with many of the affected vendors in conveying the urgency of securing their products—and equally importantly, improving the maturity of product security teams and processes.

While vendors such as Rockwell Automation, Siemens, Schneider Electric and others in the automation space have the resources to formalize the intake of vulnerability disclosures, rapidly triage these reports, and improve the safety of customer environments, many other companies lag behind. It’s not uncommon for researchers to run into vendors that have yet to establish a product security page on their websites that includes a secure contact email address and a public PGP key to ensure the secure transfer of vulnerability information.

Happily, however, we can say today that things are beginning to trend in the right direction. In this edition of the State of XIoT Security Report, 2H 2022, you’ll see evidence that vendors are embracing the need to secure cyber-physical systems, and dedicating time, people, and money not only to patching software and firmware vulnerabilities, but also to product security teams overall.

For the second consecutive report, the number of vulnerabilities affecting the Extended Internet of Things (XIoT) has dropped. After hitting a peak during the second half of 2021, published vulnerabilities are dipping while, in parallel, the number of disclosures attributed to internal research and product security teams continues to climb.

In fact, for the first time, the number of published vulnerabilities attributed to vendor self-disclosures topped the numbers attributed to third-party companies…

Price: FREE

About the Provider

Claroty
Claroty bridges the industrial cybersecurity gap between information technology (IT) and operational technology (OT) environments. Organizations with highly automated production sites and factories that face significant security and financial risk especially need to bridge this gap.

TOPICS

Cyber-physical system, Extended Internet of Things, Operational Technology, vulnerabilities, XIoT