Claroty’s New Research Arm Publishes Report on ICS Cloud Vulnerabilities

July 30, 2021 by Alessandro Mascellino

Industrial cybersecurity firm Claroty has launched a new research arm named Team82.

The Team82 division will reportedly provide vulnerability and threat research to Claroty customers and other security companies online. Team82 released its first report, analyzing various critical vulnerabilities found in cloud-based management platforms for industrial control systems (ICS).


Team82: An Overview

Team82 was originally founded by Claroty as the company’s research team. The group has reportedly won multiple awards in the last few years, particularly for developing industrial threat signatures, proprietary protocol analysis, and discovering ICS vulnerabilities. 

So far, Team82 has discovered a total of 146 vulnerabilities. It was also the first institution to develop and release signatures for the Ripple20 and Wibu-Systems CodeMeter vulnerabilities and connected threat actors in 2020.

Claroty’s research division has access to one of the most extensive ICS testing labs in the industry and regularly collaborates with leading industrial automation vendors to evaluate the security of their products.


A typical ICS architecture managed via a cloud-based platform. Image used courtesy of Claroty


According to Claroty, Team82’s latest research was motivated by the increased use of cloud technology in industrial automation, particularly in OT and IIoT systems used to simplify management, provide better business continuity, and improve performance analytics.

The firm believes that organizations should implement stringent security measures to secure data in transit and at rest, as well as secure lockdown measures.


The Top-Down and Bottom-Up Report

Together with its rebranding operation, Claroty’s Team82 recently released the Top-Down and Bottom-Up report, focusing on the problems mentioned above. From a technical standpoint, the document focused on researching the exploitability of cloud-based management platforms responsible for monitoring and configuring ICS.

The report also recognized the adoption of cloud for industrial control systems as a growing trend, motivating Team82 to further examine the security of these platforms and architectures.


The CODESYS Automation Server Cloud dashboard. Image used courtesy of Claroty


To tackle these growing threats, Team82 developed techniques to exploit vulnerabilities in automation vendor CODESYS’s Automation Server via two unique attack vectors. The research also mentioned the discovery of WAGO PLC platform vulnerabilities, and a developing exploit chain designed to attack a single cloud-managed PLC to overtake the cloud-based host account to potentially execute arbitrary code.


The WAGO PFC200, which was open to vulnerabilities. Image used courtesy of Claroty


All of the vulnerabilities discovered due to this research have now reportedly been fixed or mitigated by CODESYS and WAGO. 


Vulnerability Dashboard and Research Hub

As mentioned above, Team82 researches industrial software, networks, and protocols for vulnerabilities through various collaborations with vendors aimed at addressing flaws before threat actors can exploit them.

To facilitate these collaborative efforts, Claroty has also set up a publicly accessible  Vulnerability Dashboard and Research Hub. The resource enables users to follow updates on the latest common vulnerabilities and exposures (CVEs) disclosed by Team82 affecting industrial devices and networks.

It also includes additional resources, including a coordinated disclosure policy for working with affected vendors, a public pretty good privacy (PGP) key for securely and safely exchanging vulnerability and research information, among others.