State of XIoT Security Report: 2H 2022 from Claroty’s Team82 reveals positive impact by researchers on strengthening XIoT security and increased investment among XIoT vendors in securing their products

NEW YORK, NY – February 14, 2023 – Cyber-physical system vulnerabilities disclosed in the second half (2H) of 2022 have declined by 14% since hitting a peak during 2H 2021, while vulnerabilities found by internal research and product security teams have increased by 80% over the same time period, according to the State of XIoT Security Report: 2H 2022 released today by Claroty, the cyber-physical systems protection company. These findings indicate that security researchers are having a positive impact on strengthening the security of the Extended Internet of Things (XIoT), a vast network of cyber-physical systems across industrial, healthcare, and commercial environments, and that XIoT vendors are dedicating more resources to examining the security and safety of their products than ever before.

Compiled by Team82, Claroty’s award-winning research team, the sixth biannual State of XIoT Security Report is a deep examination and analysis of vulnerabilities impacting the XIoT, including operational technology and industrial control systems (OT/ICS), Internet of Medical Things (IoMT), building management systems, and enterprise IoT. The data set comprises vulnerabilities publicly disclosed in 2H 2022 by Team82 and from trusted open sources including the National Vulnerability Database (NVD), the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), CERT@VDE, MITRE, and industrial automation vendors Schneider Electric and Siemens.

“Cyber-physical systems power our way of life. The water we drink, the energy that heats our homes, the medical care we receive – all of these rely on computer code and have a direct link to real-world outcomes,” said Amir Preminger, VP research at Claroty. “The purpose of Team82’s research and compiling this report is to give decision makers in these critical sectors the information they need to  properly assess, prioritize, and address risks to their connected environments, so it is very heartening that we are beginning to see the fruits of vendors’ and researchers’ labor in the steadily growing number of disclosures sourced by internal teams. This shows that vendors are embracing the need to secure cyber-physical systems by dedicating time, people, and money to not only patching software and firmware vulnerabilities, but also to product security teams overall.”

Key Findings

• Affected Devices: 62% of published OT vulnerabilities affect devices at Level 3 of the Purdue Model for ICS. These devices manage production workflows and can be key crossover points between IT and OT networks, thus very attractive to threat actors aiming to disrupt industrial operations.

• Severity: 71% of vulnerabilities were assessed a CVSS v3 score of “critical” (9.0-10) or “high” (7.0-8.9), reflecting security researchers’ tendency to focus on identifying vulnerabilities with the greatest potential impact in order to maximize harm reduction. Additionally, four of the top five Common Weakness Enumerations (CWEs) in the dataset are also in the top five of MITRE’s 2022 CWE Top 25 Most Dangerous Software Weaknesses, which can be relatively simple to exploit and enable adversaries to disrupt system availability and service delivery.

• Attack Vector: 63% of vulnerabilities are remotely exploitable over the network, meaning a threat actor does not require local, adjacent, or physical access to the affected device in order to exploit the vulnerability.

• Impacts: The leading potential impact is unauthorized remote code or command execution (prevalent in 54% of vulnerabilities), followed by denial-of-service conditions (crash, exit, or restart) at 43%.

• Mitigations: The top mitigation step is network segmentation (recommended in 29% of vulnerability disclosures), followed by secure remote access (26%) and ransomware, phishing, and spam protection (22%).

• Team82 Contributions: Team82 has maintained a prolific, years-long leadership position in OT vulnerability research with 65 vulnerability disclosures in 2H 2022, 30 of which were assessed a CVSS v3 score of 9.5 or higher, and over 400 vulnerabilities to date.

To access Team82’s complete set of findings, in-depth analysis, and recommended security measures in response to vulnerability trends, download the full State of XIoT Security Report: 2H 2022 report.

Join Team82 Slack channel for additional discussion and insight into the report.

Acknowledgements

The primary author of this report is Bar Ofner, security researcher at Claroty. Contributors include: Rotem Mesika, threat and risk group lead, Nadav Erez, vice president of data, Sharon Brizinov, director of research, Amir Preminger, vice president of research, Chen Fradkin, data scientist, and Moran Zaks and Yuval Halaban, security researchers. Special thanks to the entirety of Team82 for providing exceptional support to various aspects of this report and research efforts that fueled it.

About Claroty

Claroty empowers organizations to secure their Extended Internet of Things (XIoT), a vast network of cyber-physical systems across industrial, healthcare, and commercial environments. The company’s cyber-physical systems protection platform integrates with customers’ existing infrastructure to provide a full range of controls for visibility, risk and vulnerability management, network segmentation, threat detection, and secure remote access. Backed by the world’s largest investment firms and industrial automation vendors, Claroty is deployed by hundreds of organizations at thousands of sites globally. The company is headquartered in New York City and has a presence in Europe, Asia-Pacific, and Latin America.

To find out more about Claroty, visit claroty.com.

Herman Herman & Katz lawyers: Controversial Meta Pixel computer code was used by LCMC Health and Willis-Knighton Health websites

NEW ORLEANS – Two of the largest hospital networks in Louisiana have been using a tracking code embedded deep in their websites that shares sensitive patient data without the patients’ knowledge or consent, according to class-action lawsuits filed by Herman Herman & Katz trial lawyers.

Known as Meta Pixel, the computer code created by the company that owns Facebook and Instagram potentially analyzed, gathered and shared the sensitive medical data of hundreds of thousands of patients, the lawsuits allege. These victims were patients within the LCMC Health Systems network of hospitals in the New Orleans area and Willis-Knighton Health System facilities in northwest Louisiana, according to the lawsuits.

“We are learning more and more about this shocking breach of trust as our investigation continues,” said Herman Herman & Katz partner Stephen Herman. “This was a gross invasion of privacy that went on for years.”

Click here for video of Mr. Herman discussing the case.

The Meta Pixel code was created by Meta (NASDAQ: META) to narrowly target users with digital advertisements. When website visitors clicked the “schedule an appointment” button, the code captured sensitive health information like medical conditions, prescriptions, doctors’ names, and previous appointments and sent it to Facebook. In one case, for example, a woman received targeted ads about heart disease and joint pain shortly after entering her information into one of the hospital websites.

According to the lawsuits, use of the Meta Pixel in healthcare settings violates the Health Insurance Portability and Accountability Act (HIPAA), which prohibits the sharing of personal health information with a third party without explicit patient consent.

LCMC Health Systems is a network of New Orleans-area hospitals and medical facilities, including Children’s Hospital, East Jefferson General Hospital, New Orleans East Hospital, Touro, University Medical Center New Orleans, and West Jefferson Medical Center.

Willis-Knighton Health System is the largest healthcare provider in northwest Louisiana and includes Willis-Knighton Medical Center, Willis-Knighton South & the Center for Women’s Health, WK Bossier Health Center, WK Pierremont Health Center, and WK Rehabilitation Institute.

HHK is working with AZA Law in Houston and Kelly & Townsend LLC in Natchitoches, La., on the litigation.

Herman Herman & Katz is dedicated to achieving justice for our clients. We excel in a wide range of practice areas throughout Louisiana, and our personal attention, experience and commitment achieve the results our clients deserve. Our Louisiana personal injury lawyers are here to aggressively pursue justice on your behalf and help you get back on your feet. To learn more, visit: https://hhklawfirm.com/.

Media Contact:

Robert Tharp

214-420-6011

robert@androvett.com