ICS and OT vulnerabilities more than doubled in 2021


The number of published vulnerabilities in operational technology (OT) and industrial control systems (ICS) doubled last year, and a quarter of them had no patches available.

The 2021 Year in Review report from cybersecurity company Dragos looked exclusively at security issues in ICS/OT systems, which manage physical processes for organizations ranging from manufacturing to energy and water management, often in industries considered part of the critical infrastructure.

It found 1,703 documented vulnerabilities in these systems during 2021, more than twice the number in 2020. These flaws were often significant: more than a third could cause a loss of both visibility and control in ICS/OT systems.

The report found several common weaknesses in ICS infrastructures, including the fact that customers tend to monitor the boundaries of their ICS/OT environments without clarity over what's happening inside.

The report reveals that 86% of those surveyed had limited visibility over their environment or none at all, yet over three quarters of the published vulnerabilities lay deep within the ICS network, in engineering workstations, PLCs, sensors, and industrial controllers.

Over three quarters of customers also failed to properly segment their networks, creating more opportunities for compromise and lateral movement.

Ransomware featured heavily in ICS/OT hacks, with 65% of attacks on these systems hitting manufacturers. Metal product manufacturers were the hardest hit, followed by companies in the automotive sector.

Two threat actors were responsible for half of all ransomware attacks in 2021: Conti and Lockbit 2.0. Conti appeared in 2020, while Lockbit 2.0 appeared last summer with an updated set of compromise and ransomware tools.

The report documented several attacks, including a February 2021 compromise at the Oldsmar water treatment facility in Florida, which stemmed from unauthorized remote access via the TeamViewer tool.

Dragos found that 90% of ICS/OT infrastructures included some facet of remote access into their systems, either facilitated directly by vendors or deployed by customers.

Danny Bradbury
