Summary: Claroty research revealed that 13% of mission-critical operational technology (OT) assets have insecure internet connections, with 36% containing at least one Known Exploited Vulnerability (KEV). This exposes them to remote attacks. Claroty launched its enhanced xDome Secure Access to mitigate these risks and improve secure control over interactions.

Key Takeaways:

  • Insecure Connections: 13% of critical OT assets are insecurely connected to the internet, increasing vulnerability to attacks.
  • High Exploitability: 36% of these insecurely connected assets contain at least one KEV, making them prime targets for attackers.

Claroty announced new proprietary data revealing that 13% of the most mission-critical operational technology (OT) assets have an insecure internet connection, and 36% of those contain at least one Known Exploited Vulnerability (KEV). This makes them both remotely accessible and readily exploitable entry points for threat actors to disrupt operations. 

To address these risks, fueled by the growing adoption of remote access technologies in CPS environments, Claroty launched its newly enhanced Claroty xDome Secure Access (formerly Claroty Secure Remote Access). The solution balances frictionless access with secure control over interactions with CPS to improve productivity, reduce complexity and risk, and ensure compliance across first- and third-party users.

Key Findings from Claroty’s Research

To shed light on the security implications of this increased connectivity, Claroty’s research group Team82 analyzed a sample of over 125,000 OT assets, their internet connection, and exploitability. Key findings include:

  • 3.7% of all OT assets have an insecure internet connection, meaning they communicate with the internet generally (excluding unidirectional, manufacturer, and endpoint security communications). Because such assets are reachable from the public IP address space, attackers can easily scan for them and attempt to access them remotely.
  • 13% of engineering workstations (EWS) and human-machine interfaces (HMIs) have an insecure internet connection. These linchpin assets are used to monitor, control, and update production systems, and because they can connect up and down the Purdue Model architecture for ICS and in some cases to the enterprise IT network, attackers can use them as an initial foothold for lateral movement.
  • 36% of insecurely internet-connected EWS and HMIs contain at least one KEV. The combination of high criticality, high exposure, and high exploitability makes these assets prime targets for threat actors seeking to maximize operational disruption.
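As an added illustration (not Claroty's code or data), the classification rule used in these findings turned into a small Python check over constructed flow records: the internal address ranges, the traffic category labels, the asset-to-CVE mapping and the KEV list are all assumptions standing in for an organization's own inventory and the CISA KEV catalogue.

```python
import ipaddress

# Assumed plant/enterprise address space; anything outside it is treated as "the internet".
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Traffic classes the research definition excludes from "insecure internet connection".
EXCLUDED_CATEGORIES = {"unidirectional", "manufacturer", "endpoint-security"}
LINCHPIN_TYPES = {"EWS", "HMI"}

# Constructed sample flows (not real data): (asset, asset type, remote IP, traffic category).
SAMPLE_FLOWS = [
    ("hmi-01", "HMI", "203.0.113.7", "general"),
    ("hmi-01", "HMI", "10.0.5.2", "general"),
    ("ews-02", "EWS", "198.51.100.9", "manufacturer"),
    ("ews-03", "EWS", "198.51.100.20", "endpoint-security"),
    ("ews-04", "EWS", "203.0.113.55", "unidirectional"),
    ("plc-05", "PLC", "203.0.113.60", "general"),
    ("hmi-06", "HMI", "203.0.113.40", "general"),
]
# Constructed: CVE ids per asset and a placeholder KEV catalogue (the real one is CISA's).
ASSET_CVES = {"hmi-01": {"CVE-0000-0001"}, "hmi-06": {"CVE-0000-0002"}, "plc-05": {"CVE-0000-0001"}}
KEV_CATALOGUE = {"CVE-0000-0001"}

def is_internet(ip):
    """True when the remote address lies outside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETWORKS)

def is_insecure_flow(flow):
    """Insecure internet connection per the research definition: the remote side
    is on the internet and the traffic is not in an excluded class."""
    _asset, _type, remote, category = flow
    return is_internet(remote) and category not in EXCLUDED_CATEGORIES

def exposure_report(flows, asset_cves, kev):
    """Return the sets the findings count: insecurely connected assets, the
    EWS/HMI subset, and those of them carrying at least one KEV."""
    asset_type = {a: t for a, t, _, _ in flows}
    exposed = {f[0] for f in flows if is_insecure_flow(f)}
    linchpin = {a for a in exposed if asset_type[a] in LINCHPIN_TYPES}
    with_kev = {a for a in linchpin if asset_cves.get(a, set()) & kev}
    return {"exposed": exposed, "linchpin_exposed": linchpin, "linchpin_with_kev": with_kev}

if __name__ == "__main__":
    for label, assets in exposure_report(SAMPLE_FLOWS, ASSET_CVES, KEV_CATALOGUE).items():
        print(f"{label}: {sorted(assets)}")
```

The last set is the remediation priority list: assets that are critical, exposed and carry a vulnerability already exploited in the wild.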

Mitigating Security Risks

“Our research supports the notion that increased remote access translates to an expanding attack surface and greater risk of disruption to critical infrastructure, which can ultimately impact public safety and the availability of vital services,” said Amir Preminger, vice president of research for Claroty’s Team82. “As remote access to mission-critical OT assets such as EWS and HMIs is now the standard operating approach, organizations must ensure they are equipped to grant access to specific assets intentionally and on a least-privileged basis.”