IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

ICS and OT vulnerabilities more than doubled in 2021

One in four flaws found in industrial systems had no patch, Dragos report finds

The number of published ulnerabilities in operational technology (OT) and industrial control systems doubled last year, and a quarter of them had no patches available.

The 2021 Year in Review report from cybersecurity company Dragos looked exclusively at security issues in ICS/OT systems, which manage physical processes for organizations ranging from manufacturing to energy and water management, often in industries considered part of the critical infrastructure.

It found 1,703 documented vulnerabilities in these systems during 2021, over twice the amount in 2020, and these flaws were often significant, as more than a third could cause both a loss of visibility and control in ICS/OT systems.

The report found several common weaknesses in ICS infrastructures, including the fact that customers tend to monitor the boundaries of their ICS/OT environments without clarity over what's happening inside. 

The report reveals that 86% of those surveyed had limited visibility over their environment or none at all, yet over three quarters of the published vulnerabilities laid deep within the ICS network, in engineering workstations, PLCs, sensors, and industrial controllers.

Over three quarters of customers also failed to properly segment their networks, creating more opportunities for compromise and lateral movement.

Ransomware featured heavily in ICS/OT hacks, with 65% of attacks on these systems hitting manufacturers. Metal product manufacturers were the hardest hit, followed by companies in the automotive sector.

Two threat actors were responsible for half of all ransomware attacks in 2021: Conti and Lockbit 2.0. Conti appeared in 2020, while Lockbit 2.0 appeared last summer with an updated set of compromise and ransomware tools.

The report documented several attacks, including a February 2021 compromise at the Oldsmar water treatment facility in Florida, which stemmed from unauthorized remote access via the TeamViewer tool.

Dragos found 90% of ICS/OT infrastructures including some facet of remote access into their systems, either facilitated directly by vendors or deployed by customers.

Featured Resources

Activation playbook: Deliver data that powers impactful, game-changing campaigns

Bringing together data and technology to drive better business outcomes

Free Download

In unpredictable times, a data strategy is key

Data processes are crucial to guide decisions and drive business growth

Free Download

Achieving resiliency with Everything-as-a-Service (XAAS)

Transforming the enterprise IT landscape

Free Download

What is contextual analytics?

Creating more customer value in HR software applications

Free Download

Recommended

Senate report slams agencies for poor cyber security
cyber security

Senate report slams agencies for poor cyber security

3 Aug 2021
Most employees put their workplace at risk by taking cyber security shortcuts
cyber security

Most employees put their workplace at risk by taking cyber security shortcuts

27 Jul 2021
61% of organizations say improving security a top priority for 2021
cyber security

61% of organizations say improving security a top priority for 2021

29 Jun 2021
ProtectedBy.AI’s CodeLock blocks malware at source code level
software as a service (SaaS)

ProtectedBy.AI’s CodeLock blocks malware at source code level

9 Jun 2021

Most Popular

16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

13 May 2022
Preparing for the 3G sunset
Network & Internet

Preparing for the 3G sunset

18 May 2022
(ISC)2 launches free scheme to get 100,000 UK citizens into cyber security
Careers & training

(ISC)2 launches free scheme to get 100,000 UK citizens into cyber security

17 May 2022