IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

ICS and OT vulnerabilities more than doubled in 2021

One in four flaws found in industrial systems had no patch, Dragos report finds

The number of published ulnerabilities in operational technology (OT) and industrial control systems doubled last year, and a quarter of them had no patches available.

The 2021 Year in Review report from cybersecurity company Dragos looked exclusively at security issues in ICS/OT systems, which manage physical processes for organizations ranging from manufacturing to energy and water management, often in industries considered part of the critical infrastructure.

It found 1,703 documented vulnerabilities in these systems during 2021, over twice the amount in 2020, and these flaws were often significant, as more than a third could cause both a loss of visibility and control in ICS/OT systems.

The report found several common weaknesses in ICS infrastructures, including the fact that customers tend to monitor the boundaries of their ICS/OT environments without clarity over what's happening inside. 

The report reveals that 86% of those surveyed had limited visibility over their environment or none at all, yet over three quarters of the published vulnerabilities laid deep within the ICS network, in engineering workstations, PLCs, sensors, and industrial controllers.

Over three quarters of customers also failed to properly segment their networks, creating more opportunities for compromise and lateral movement.

Ransomware featured heavily in ICS/OT hacks, with 65% of attacks on these systems hitting manufacturers. Metal product manufacturers were the hardest hit, followed by companies in the automotive sector.

Two threat actors were responsible for half of all ransomware attacks in 2021: Conti and Lockbit 2.0. Conti appeared in 2020, while Lockbit 2.0 appeared last summer with an updated set of compromise and ransomware tools.

The report documented several attacks, including a February 2021 compromise at the Oldsmar water treatment facility in Florida, which stemmed from unauthorized remote access via the TeamViewer tool.

Dragos found 90% of ICS/OT infrastructures including some facet of remote access into their systems, either facilitated directly by vendors or deployed by customers.

Featured Resources

Accelerating AI modernisation with data infrastructure

Generate business value from your AI initiatives

Free Download

Recommendations for managing AI risks

Integrate your external AI tool findings into your broader security programs

Free Download

Modernise your legacy databases in the cloud

An introduction to cloud databases

Free Download

Powering through to innovation

IT agility drive digital transformation

Free Download

Recommended

Senate report slams agencies for poor cyber security
cyber security

Senate report slams agencies for poor cyber security

3 Aug 2021
Most employees put their workplace at risk by taking cyber security shortcuts
cyber security

Most employees put their workplace at risk by taking cyber security shortcuts

27 Jul 2021

Most Popular

LockBit 2.0 ransomware disguised as PDFs distributed in email attacks
Security

LockBit 2.0 ransomware disguised as PDFs distributed in email attacks

27 Jun 2022
Open source giant Red Hat joins HPE GreenLake ecosystem
automation

Open source giant Red Hat joins HPE GreenLake ecosystem

28 Jun 2022
Carnival hit with $5 million fine over cyber security violations
cyber security

Carnival hit with $5 million fine over cyber security violations

27 Jun 2022