Content, Vertical markets

Operational Technology (OT) Vulnerabilities: Security Research Findings

The silhouette of the high voltage power lines during sunset.

New cryptojacking programs targeting known vulnerabilities increased by 75 percent year-over-year, along with a 42 percent rise in ransomware in 2021, according to new data compiled by enterprise security provider Skybox.

The San Jose, California-based vendor’s 2022 Vulnerability and Threat Trends Report examines how quickly cyber criminals capitalize on new security weaknesses. With the number of published vulnerabilities reaching nearly 21,000 in 2021 along with the 167,000 published over the past decade amount to an “enormous aggregate risk” that has left organizations with a mountain of cybersecurity-associated debt, Skybox said.

Here’s how some of the numbers breakdown:

OT vulnerabilities nearly double year-over-year. Operational technology (OT) vulnerabilities jumped 88%, which often serve as gateways into the critical infrastructure facility’s IT network. OT systems support energy, water, transportation, environmental control systems, and other essential equipment and when compromised can deliver malicious payloads, exfiltrate data, launch ransomware attacks, and other exploits to the network.

24% jump in new vulnerabilities exploited in the wild. The roughly 170 vulnerabilities in the wild in 2021 were exploited within 12 months. Threat actors are getting better at weaponizing newer vulnerabilities. The faster that hackers exploit and target newly found vulnerabilities the more pressure security teams face.

75% increase in new cryptojacking malware programs.  New cryptojacking programs targeting known vulnerabilities increased by 75% year over year, along with the 42% rise in ransomware. Both figures show how the malware industry is getting better at leveraging emerging business opportunities, providing a range of tools and services used by all manner of cyber criminals.

“The sheer volume of accumulated risks — hundreds of thousands or even millions of vulnerability instances within organizations — means they can’t possibly patch all of them,” said Ran Abramson, Skybox threat intelligence analyst. “To prevent cybersecurity incidents, it is critical to prioritize exposed vulnerabilities that could cause the most significant disruption. Then, apply appropriate remediation options including configuration changes or network segmentation to eliminate risk, even before patches are applied or in cases where patches aren’t available.”

Skybox pointed to a Forrester research report that stressed CIO’s reliance on “qualitative approaches,” such as gathering data from a large number of sites or organizations, to score risk. Skybox, however, has another way--a common risk language that can be applied to an objective framework to gauge risk. Calculating scores to determine risk, and therefore safety, would come from these four variables;

  • Measured CVSS severity.
  • Likelihood of exploitation.
  • Exposure level based on security controls and configurations.
  • Importance of the asset.

“Exposure analysis is paramount, yet it’s missing from conventional risk scoring approaches,” said Abramson. “Exposure analysis identifies exploitable vulnerabilities and correlates this data with an enterprise’s unique network configurations and security controls to determine if the system is potentially open to a cyber attack.”

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.