The threat intelligence team from Forescout’s Vedere Labs yesterday revealed 56 security flaws affecting OT devices from 10 companies, including Bently Nevada, Emerson, Honeywell, JTEKT, Motorola, Omron, Phoenix Contact, Siemens, and Yokogawa.
Collectively called “OT:ICEFALL”, all 56 vulnerabilities are divided into four main categories: insecure engineering protocols, weak cryptography or broken authentication schemes, insecure firmware updates and remote code execution via native functionality.
The 36-page report from Vedere Labs underscored the impact of “insecure by design” legacy of OT devices which leave them exposed to real-world OT malware such as Industroyer, TRITON, Industroyer2 and INCONTROLLER.
“The rapid expansion of the threat landscape is well documented at this stage. By connecting OT to IoT and IT devices, vulnerabilities that once were seen as insignificant due to their lack of connectivity are now high targets for bad actors.” said Daniel dos Santos, head of security research, Forescout Vedere Labs.
He added: “We a very long way to go to reach the summit of these OT design practices. These types of vulnerabilities, and the proven desire for attackers to exploit them, demonstrate the need for robust, OT-aware network monitoring and deep-packet-inspection (DPI) capabilities.”
The products affected by OT:ICEFALL are known to be prevalent in industries that are the backbone of critical infrastructure such as oil and gas, chemical, nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining and building automation. Many of these products are sold as ‘secure by design’ or have been certified with OT security standards
Shifting threat landscape
The report by Vedere Labs has identified a shift in the community toward recognising “insecure by design” vulnerabilities.
“Only a few years back, well-known vulnerabilities like some that can be found in OT:ICEFALL would not get assigned a CVE ID because there was the assumption that everyone knew OT protocols were insecure. On the contrary, we believe a CVE is a community recognised marker that aids in vulnerability visibility and actionability by helping push vendors to fix issues and asset owners to assess risks and apply patches,” the report said.
The vulnerabilities and associated issues disclosed in this report range from persistent insecure-by-design practices in security-certified products to inadequate attempts to fix them.
It is crucial for asset owners to understand how the opaque and proprietary nature of these systems, the suboptimal vulnerability management surrounding them, and the often-false sense of security offered by certifications complicate OT risk management efforts.
Although the impact of each vulnerability is highly dependent on the functionality each device offers, they fall under the following categories:
- Remote code execution (RCE): Allows an attacker to execute arbitrary code on the impacted device, but the code may be executed in different specialised processors and different contexts within a processor, so an RCE does not always mean full control of a device. This is usually achieved via insecure firmware/logic update functions that allow the attacker to supply arbitrary code.
- Denial of service (DoS): Allows an attacker to either take a device completely offline or to prevent access to some function.
- File/firmware/configuration manipulation: Allows an attacker to change important aspects of a device such as files stored within it, the firmware running on it or its specific configurations. This is usually achieved via critical functions lacking the proper authentication/authorization or integrity checking that would prevent attackers from tampering with the device.
- Compromise of credentials: Allows an attacker to obtain credentials to device functions, usually either because they are stored or transmitted insecurely.
- Authentication bypass: Allows an attacker to bypass existing authentication functions and invoke desired functionality on the target device.
A full list of devices affected by OT: ICEFALL is available here, while details of each vulnerability are discussed in Forescout’s technical report.
