According to new research from WhiteHat Security, more than 66% of applications in the utilities sector had at least one exploitable vulnerability open throughout the year. Many of these vulnerabilities are “pedestrian,” meaning they require little effort or skill to discover.
The report, titled AppSec Stats Flash, shows that utility companies have the widest exposure to application vulnerabilities. This underscores an issue that made national headlines last week: more than 50,000 water treatment plants in the United States lack adequate cybersecurity.
Beyond the attack on a Florida water treatment plant earlier this year, the study found that many attacks on utility companies have gone unreported.
According to Setu Kulkarni, vice president of WhiteHat Security, more than 66% of applications in the manufacturing sector had a 365-day window of exposure, meaning at least one serious vulnerability was open on every day of the year. Information leakage, insufficient session expiration, cross-site scripting, insufficient transport layer protection, and content spoofing were the top five vulnerability classes identified by WhiteHat Security researchers over the last three months.
The scarcity of cybersecurity talent has an impact on all organizations across a wide range of industries
Kulkarni highlighted the lack of cybersecurity talent and resources available to most organizations for handling updates and patches across hundreds of applications. He added that every application today is directly or indirectly connected to the Internet, so a single vulnerability can potentially affect millions of end users.
Kulkarni recommended that organizations distribute security responsibilities more broadly among all stakeholders, not just the security and IT departments, which often lack the means or resources to address security methodically. “Security is a team sport, and for the longest time, there has been a disproportionate share of responsibility placed on security and IT teams.”
These shortcomings translate into more time needed to address security issues, however small. According to ZDNet, the time needed to remediate serious vulnerabilities rose from 197 days in April 2021 to 205 days in May 2021.