Are vendors becoming more vigilant in IoT vulnerability disclosures?

Internet of Things (IoT) vulnerabilities have soared in recent times.

More threat actors are gaining access to critical networks by laterally moving through unpatched and often unprotected IoT gateways.

One sector that is particularly exposed to this is critical infrastructure. CNI (Critical National Infrastructure) organisations are connecting more smart devices and cloud-based IT systems to industrial operational technology (OT) systems to support remote access and drive better efficiency. However, this has also widened the attack surface, giving threat actors more to exploit.

In order to combat this problem, the critical infrastructure industry must be able to quickly identify, disclose and patch all vulnerabilities hidden within the entire Extended Internet of Things (XIoT). XIoT refers to all cyber-physical systems, ranging from OT and Industrial Control Systems (ICS), to the Internet of Medical Things (IoMT).

However, it is near impossible for asset-owning organisations alone to monitor and disclose all vulnerabilities across such a wide range of systems. To a large extent, vendors and third parties have to play a critical role in identifying and reporting vulnerabilities – and, as our recent findings suggest, they have started to live up to that role.

The state of IoT vulnerability disclosures

Our latest XIoT vulnerability assessment report found a 57% increase in vulnerability disclosures impacting IoT devices in the first half of 2022, compared to the previous six months. In the same period, vendor self-disclosures increased by 69%.

For the first time, vendor self-disclosures have surpassed independent research outfits as the second most prolific vulnerability reporters, after third-party security companies (45%). This indicates that more OT, IoT, and IoMT vendors are establishing vulnerability disclosure programmes and increasing their resources to examine the security and safety of their products than ever before.

We also observed that vendors’ vulnerability disclosure programmes have matured significantly. More vendors have now established dedicated product security incident response teams (PSIRTs) that continuously identify, triage and report vulnerabilities in their products. They are also simplifying and streamlining the reporting process and creating more scope for public disclosure.

For instance, some vendors now publish dedicated security pages on their sites that list a contact address for vulnerability reports, together with a public encryption key (typically PGP) so that details of a security flaw can be sent to them confidentially.

But what is driving this increased vigilance from vendors? It is most likely the significant rise in supply-chain attacks and in the threats facing CNI organisations. Previous attacks that started from a compromised vendor system or device have put vendors and third parties under significant scrutiny. There have also been instances where IoT-based attacks have threatened human life. Just two years ago, a ransomware attack on the digital infrastructure of a German hospital disrupted doctors’ ability to operate on and treat critical patients, and a patient’s death was attributed to the attack in reporting at the time.

XIoT vulnerabilities carry the real possibility of cyber-physical consequences. That is why organisations are also enforcing stricter criteria when choosing vendors, requiring them to be more vigilant and robust in their cyber security practices. This growing proactive stance on the customer side has likely contributed to vendors disclosing IoT vulnerabilities more readily.

On average, XIoT vulnerabilities are being published and addressed at a rate of around 125 per month, reaching a total of 747 in the first half of 2022. Nearly two thirds have a CVSS rating of critical (19%) or high (46%). This suggests that security scrutiny of IoT systems has increased across the entire industry.

Although the practice and process of vulnerability disclosure have matured, organisations and vendors are unlikely to keep pace if security flaws continue to surface at this unprecedented rate. Moreover, even a single undiscovered vulnerability can result in a critical security incident.

Therefore, every organisation must have defensive measures in place to reduce the likelihood that a security flaw is exploited, and proactive practices to limit the impact if one is.

Which proactive measures can help organisations protect against XIoT vulnerabilities?

Network segmentation is far and away the most effective XIoT vulnerability mitigation. It is the practice of dividing the network into multiple segments or subnets, thereby isolating IoT-connected devices and systems from the core network and internal resources, and permitting only the specific cross-segment traffic that a device actually needs.

As critical resources like OT systems, medical devices and embedded IoT devices are no longer air-gapped, segmentation boosts security resilience by limiting both external and internal access to them. Even if a breach occurs, it constrains attackers’ ability to move laterally across the network and reach critical control systems. Segmentation also preserves the ability to inspect traffic at the zone boundaries, including OT, medical and IoT-specific protocols, to detect and block anomalous behaviour.
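The zone-boundary inspection described above, as an added example that is not part of the original article or of any Claroty product: a small Python policy check that classifies constructed flow records into IT, IoT, IoMT and OT zones, allows traffic within a zone, and denies every cross-zone conversation that is not on an explicit allow-list (here, Modbus/TCP 502 from one named engineering workstation, TLS from the OT historian to an IT collector, and HL7 MLLP 2575 from medical devices to an integration engine). The address ranges, hostnames, rules and flow lines are all constructed for illustration; the port numbers are the conventional IANA assignments.

```python
"""Zone-based segmentation policy check over constructed flow records (example code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed zone map: RFC 1918 ranges chosen for illustration, not from any real network.
ZONES = {
    "IT":   ipaddress.ip_network("10.10.0.0/16"),   # corporate workstations and servers
    "IoT":  ipaddress.ip_network("10.20.0.0/16"),   # cameras, sensors, building automation
    "OT":   ipaddress.ip_network("10.30.0.0/16"),   # PLCs, HMIs, historians
    "IoMT": ipaddress.ip_network("10.40.0.0/16"),   # infusion pumps, imaging devices
}


@dataclass(frozen=True)
class Rule:
    """One permitted cross-zone conversation. Empty src_hosts means any host in src_zone."""
    src_zone: str
    dst_zone: str
    proto: str
    dport: int
    src_hosts: frozenset = frozenset()


# Constructed allow-list. Any cross-zone flow not matched here is denied by default.
ALLOW = [
    Rule("IT", "OT", "tcp", 502, frozenset({"10.10.5.20"})),  # one engineering workstation -> PLCs (Modbus/TCP)
    Rule("OT", "IT", "tcp", 443),                             # historian -> IT-side collector over TLS
    Rule("IoMT", "IT", "tcp", 2575),                          # medical devices -> HL7 integration engine (MLLP)
]


def zone_of(ip: str) -> Optional[str]:
    """Map an address to its zone, or None if it falls outside every defined segment."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def parse_flow(line: str) -> dict:
    """Parse one constructed flow record of the form '<ts> <src> <dst> <proto> <dport>'."""
    ts, src, dst, proto, dport = line.split()
    return {"ts": ts, "src": src, "dst": dst, "proto": proto.lower(), "dport": int(dport)}


def evaluate(flow: dict) -> tuple[str, str]:
    """Return (verdict, reason); verdict is 'allow', 'deny' or 'unknown'."""
    sz, dz = zone_of(flow["src"]), zone_of(flow["dst"])
    if sz is None or dz is None:
        bad = flow["src"] if sz is None else flow["dst"]
        return "unknown", f"unclassified address {bad}"
    if sz == dz:
        return "allow", f"intra-zone {sz}"
    for r in ALLOW:
        if (r.src_zone, r.dst_zone, r.proto, r.dport) == (sz, dz, flow["proto"], flow["dport"]) \
                and (not r.src_hosts or flow["src"] in r.src_hosts):
            return "allow", f"rule {sz}->{dz} {r.proto}/{r.dport}"
    return "deny", f"no rule for {sz}->{dz} {flow['proto']}/{flow['dport']}"


def find_violations(lines: list[str]) -> list[tuple[str, str]]:
    """Return (line, reason) for every flow that is denied or cannot be classified."""
    out = []
    for line in lines:
        verdict, reason = evaluate(parse_flow(line))
        if verdict != "allow":
            out.append((line, reason))
    return out


# Constructed sample flows; comments state the expected verdict.
SAMPLE_FLOWS = [
    "2022-07-01T08:00:01Z 10.10.5.20 10.30.1.10 tcp 502",   # engineering workstation -> PLC: allow
    "2022-07-01T08:00:02Z 10.10.7.33 10.30.1.10 tcp 502",   # arbitrary IT host -> PLC: deny
    "2022-07-01T08:00:03Z 10.20.3.4  10.30.1.10 tcp 502",   # camera -> PLC: deny
    "2022-07-01T08:00:04Z 10.30.2.5  10.10.9.9  tcp 443",   # historian -> collector: allow
    "2022-07-01T08:00:05Z 10.20.3.4  10.20.3.9  udp 5683",  # camera -> camera (CoAP), same zone: allow
    "2022-07-01T08:00:06Z 10.40.1.2  10.10.8.8  tcp 2575",  # infusion pump -> HL7 engine: allow
    "2022-07-01T08:00:07Z 10.20.3.4  203.0.113.7 tcp 443",  # IoT device -> address outside all zones: unknown
]

if __name__ == "__main__":
    for line, reason in find_violations(SAMPLE_FLOWS):
        print(f"VIOLATION {reason}: {line}")
```

The point of the per-host restriction on the Modbus rule is that a segment-to-segment allow is still too broad for a control protocol: only the engineering workstation that legitimately programs PLCs should reach port 502, so a compromised IT host in the same segment is denied. Flows to addresses outside every defined zone are reported rather than silently allowed, because an IoT device talking to an unexpected external host is exactly the kind of anomaly boundary inspection exists to surface.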

Furthermore, organisations must manage the security risks that cloud connectivity introduces. As discussed, many XIoT devices, especially those within OT, are no longer air-gapped and therefore expose a much larger attack surface, and threat actors will look to exploit vulnerabilities that this connectivity reaches at scale. Organisations should apply encryption and authenticated communication for device-to-cloud traffic, MFA for every account that can reach those systems, and privileged access management for the cloud and remote-access paths into them.

While XIoT vulnerability disclosures have significantly increased in recent times, it’s still evident that some vulnerabilities will remain undetected and unpatched, causing significant security concerns for organisations. Therefore, the discussed proactive security measures can help organisations to stay ahead of such undetected threats and boost their security resilience.

About the Author

Chen Fradkin is Data Scientist, Products at Claroty. Claroty empowers organizations to secure cyber-physical systems across industrial (OT), healthcare (IoMT), and enterprise (IoT) environments: the Extended Internet of Things (XIoT). The company’s unified platform integrates with customers’ existing infrastructure to provide a full range of controls for visibility, risk and vulnerability management, threat detection, and secure remote access.

Featured image: ©greenbutterfly