OMICRON 
OT Vulnerability 
Report 2024

The operational technology (OT) landscape has evolved dramatically in recent years. Historically, OT systems—encompassing industrial control systems (ICS), SCADA, and distributed control systems (DCS)—were secured by physical separation, or "air gaps," from IT networks. These systems prioritized reliability and physical security over network defenses and operated in isolated, specialized environments with minimal need for updates or connectivity.

Today, increasing demands for efficiency, remote monitoring, and IT-OT integration have reshaped this landscape. Modern OT systems are now deeply interconnected with corporate IT networks, enabling centralized management and data sharing but also broadening the attack surface. This convergence introduces vulnerabilities once confined to IT systems into the OT environment.

The complexity and connectivity of OT systems expose them to diverse cyber threats, including ransomware and advanced nation-state attacks. Compounding this risk is the reliance on legacy hardware and software in critical sectors like energy and manufacturing. These legacy systems lack built-in cybersecurity measures and often cannot be updated without disrupting operations, making patching a significant challenge.

OT vulnerabilities differ markedly from IT vulnerabilities, often stemming from insecure-by-design protocols and devices. These weaknesses can compromise physical processes, leading to safety risks, operational disruptions, and potentially catastrophic damage to critical infrastructure.

Through daily collection and analysis of OT-related vulnerabilities, we have established an extensive OT Vulnerability Database encompassing thousands of advisories and ten-thousands of vulnerabilities from all relevant vendors. This comprehensive dataset enables us to uncover critical trends and track the evolving threat landscape from 2009 to 2024, offering valuable insights into the vulnerabilities affecting OT environments.

A year-by-year analysis of published security advisories and vulnerabilities reveals a consistent upward trend across all vendors.  From 2009 to 2024, the number of advisories steadily increased, with a significant surge observed post-2017. This growth underscores the growing importance of addressing security issues in OT systems as their interconnectivity increases.

The most dramatic increases occurred in 2021 and 2022, when advisories nearly doubled compared to previous years. Two primary drivers contributed to this spike:   

Since 2021, heightened security awareness has contributed to a sustained increase in the identification and disclosure of vulnerabilities. 

Security advisories aim to equip developers with the information necessary to identify and resolve issues while withholding critical details that could aid attackers in exploiting vulnerabilities. A key resource in understanding these weaknesses is the Common Weakness Enumeration (CWE), which categorizes vulnerabilities and helps map the attack surface.

Our analysis highlights two prevalent weaknesses that have remained significant over time:  

Addressing Development Gaps

The root cause of these vulnerabilities often lies in insufficient attention to security during the development process. Practices such as proper input validation, rigorous data sanitization, and enforcing memory limits can help mitigate these issues. Integrating secure programming principles into product development is essential for reducing vulnerabilities.
 

Relevance to Broader Threat Landscapes

A comparison between these weaknesses and the OWASP Top 10 security risks highlights their continued relevance:

– CWE-20 aligns with OWASP risks like Injection (A03) and Insecure Deserialization, where improper input handling can lead to significant security breaches.

– CWE-787 correlates with issues such as Security Misconfiguration (A05) and other memory-related exploits, highlighting the importance of addressing these weaknesses across IT and OT systems.
 

These overlaps emphasize that vulnerabilities in OT environments are not isolated but rather part of a broader cybersecurity challenge that requires coordinated attention and secure development practices.

Our analysis reveals that network-based vulnerabilities account for over 75% of attack vectors in OT environments. These vulnerabilities allow attackers to exploit systems remotely, needing only network or internet access. This underscores the prominence of remote exploitation as the principal threat vector for OT systems. In contrast, vulnerabilities requiring physical access are minimal (<1%), reflecting how IT/OT integration and the reliance on network-connected devices have increased exposure to network-based attacks.

The severity of vulnerabilities, measured using CVSS scores, is closely linked to the associated attack vector. Network-based vulnerabilities typically have higher CVSS scores due to their widespread exploitability and significant impact potential. These vulnerabilities can bypass traditional perimeter defenses, posing a critical threat to OT systems that depend on continuous operation. Our data reveals that nearly all CVEs with a CVSS score of 10 are network-exploitable. Fittingly, only a small fraction of network-based vulnerabilities have low CVSS scores, showing the heightened risk they represent.

The usability and effectiveness of security advisories vary significantly among vendors, complicating vulnerability management. While some vendors adhere to the Common Security Advisory Framework (CSAF) standard, others provide inconsistent formats or incomplete information, forcing substantial manual intervention. This disparity increases the complexity of aligning advisories with specific devices.
 

Two critical factors affect advisory quality:

1. Adherence to standards like CSAF ensures advisories are structured, machine-readable, and interoperable, reducing manual workload. 

2. Accurate product and version identification enables quick matching of advisories to devices in an organization’s inventory, streamlining remediation efforts.
 

To bridge these gaps, we made significant efforts to improve advisory quality. This included:

– Adapting 10% of advisories to meet CSAF standards.

– Manually creating 22% of advisories, where vendors provided no machine-readable files.
 

These actions demonstrate the pressing need for industry-wide standardization in security advisories. Standardization not only reduces the burden on security teams but also improves the efficiency and effectiveness of vulnerability management.

For detailed guidance on using security advisories effectively, visit our resource: Advisories and How to Use Them.
 
 

The data reveals a steady increase in security advisories and vulnerabilities, particularly over the past decade. This rise reflects heightened security awareness, the influence of global events, and the discovery of critical flaws that prompt industry-wide attention. Additionally, the growing IT/OT integration has introduced new attack surfaces, accelerating the identification of vulnerabilities.

A concerning trend is the persistence of well-documented weaknesses in many products. Despite the availability of advanced solutions, these vulnerabilities remain widespread, indicating that they are actively exploited and will likely persist as threats.

Encouragingly, the adoption of the CSAF standard for writing and publishing security advisories has grown. This trend facilitates more efficient identification and management of vulnerabilities, streamlining processes for organizations and enhancing security outcomes.

 

Given the challenging nature of implementing these recommendations, we advise prioritizing the following areas at the outset:

An accurate asset inventory is indispensable for effective vulnerability management. This database should include unique identifiers, manufacturers, models, firmware versions, IP/MAC addresses, and physical locations of each device. In particular, the product model and version should be written in the same format as described in the security advisory. This makes the matching process much easier and saves a significant amount of time.

To manage vulnerabilities effectively:

These tools are essential for automating and optimizing vulnerability workflows. Key benefits include:

The fast-changing OT threat landscape calls for a proactive, structured, and collaborative approach to vulnerability management. As vulnerabilities grow in number and complexity, so do the risks to critical infrastructure. Advanced solutions like StationGuard GridOps empower organizations to manage vulnerabilities effectively by combining automation, accuracy, and actionable insights.

This report emphasizes the importance of unified efforts—across industries, teams, and systems—to secure OT environments. Only by prioritizing risk mitigation strategies and fostering collaboration, organizations can protect the essential systems that power modern society.

 

To verify their correctness of vulnerabilities and security advisories, we validate the CSAF files and PDFs provided by vendors, ensuring that corrupt or incomplete files are properly adjusted:

StationGuard GridOps, OMICRON’s specialized vulnerability management tool, is designed to meet the unique challenges of OT environments. It integrates directly with vendor and third-party advisory repositories, automating the collection and categorization of vulnerabilities. GridOps offers customizable dashboards that present real-time insights into vulnerability trends, remediation progress, and compliance with standards like the CSAF.

By leveraging GridOps, organizations can minimize the operational burden associated with vulnerability management. The tool ensures that critical vulnerabilities are identified and addressed promptly, enabling security teams to focus on maintaining the resilience and safety of their OT environments.

 

Read up on the most relevant terms in OT security: