Security Experts:

Over 600 ICS Vulnerabilities Disclosed in First Half of 2021: Report

More than 600 vulnerabilities affecting industrial control system (ICS) products were disclosed in the first half of 2021, according to industrial cybersecurity firm Claroty.

The existence of 637 ICS flaws affecting the products of 76 vendors was brought to light in the first six months of 2021, and more than 70% of them have been assigned critical or high severity ratings. In comparison, only 449 vulnerabilities were disclosed in the second half of 2020.

An analysis conducted by Claroty showed that a vast majority of the security holes disclosed in H1 2021 do not require special conditions for exploitation, three-quarters do not require any privileges, and two-thirds can be exploited without user interaction.

The company said 61% of the flaws can be exploited remotely and 65% of them can be leveraged for denial-of-service (DoS) attacks, which can have a more significant impact in the case of ICS compared to IT systems.

More than 80% of the vulnerabilities were reported to vendors by external researchers. Of the researchers who reported flaws disclosed in the first half of 2021, 42 were new researchers.

ICS vulnerability disclosure sources

The top affected vendors are Siemens (146 vulnerabilities), Schneider Electric (65), Rockwell Automation (35), WAGO (23) and Advantech (22). It’s worth noting that the list of impacted vendors also includes 20 companies whose products were not affected by any of the flaws disclosed last year.

A majority of the security holes impact products on the operations management level (historians, OPC servers), followed by the basic control (PLC, RTU), and supervisory control (HMI, SCADA) levels.

“As more enterprises are modernizing their industrial processes by connecting them to the cloud, they are also giving threat actors more ways to compromise industrial operations through ransomware and extortion attacks,” said Amir Preminger, vice president of research at Claroty.

"The recent cyber attacks on Colonial Pipeline, JBS Foods, and the Oldmsar, Florida water treatment facility have not only shown the fragility of critical infrastructure and manufacturing environments that are exposed to the internet, but have also inspired more security researchers to focus their efforts on ICS specifically,” Preminger added.

More details, as well as information on mitigations and remediations, are available in Claroty’s ICS Risk & Vulnerability Report for H1 2021. In its ICS Risk & Vulnerability Report for 2020, the company revealed that 893 vulnerabilities were disclosed in 2020, which represented a significant increase compared to the previous year. Considering that over 600 vulnerabilities have already been disclosed in 2021, the number could exceed 1,000 by the end of the year.

Related: Analysis of ICS Exploits Can Help Defenders Prioritize Vulnerability Remediation

Related: Many ICS Vulnerability Advisories Contain Errors

Related: Industrial Firms Warned of Risk Posed by Cloud-Based ICS Management Systems

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.