Researchers have discovered 56 security vulnerabilities in operational technology (OT) products that open the door to various types of hacking.
The vulnerabilities described today, dubbed “Icefall” by security researchers at Forescout Technologies Labs, are said to be caused by insecure-by-design practices in OT. The affected products are spread across industries such as oil and gas, chemical and nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining and building automation. Many products were sold as “safe by design” or certified as safe.
Icefall vulnerabilities fall into four main categories: insecure engineering protocols, weak encryption or broken authentication systems, insecure firmware updates, and remote code execution via native functions.
Among the vulnerabilities, 38% allow credential compromise, 21% allow firmware manipulation and 14% allow remote code execution. Using the vulnerabilities, hackers with network access to a target device can remotely execute code, change the logic, files, or firmware of OT devices, bypass authentication, compromise credentials, cause denial of service or have various other operational effects.
Affected vendors include Honeywell International Inc., Motorola Solutions Inc., Omron Corp., Siemens AG, Emerson Electric Co., JTEKT Corp., Bently Nevada, Phoenix Contact, ProConOS and Yokogawa Electric Corp. Weaknesses before publishing details.
Common Vulnerabilities and Exposures (CVE) numbers are usually assigned to security issues in software and technology, but this is not usually the case with OT. “Problems that are perceived as a result of insecurity by design have not always been assigned CVEs, so they often remain less visible and actionable than they should be,” the researchers wrote.
The Forescout report also details the various attack scenarios that could exploit the OT vulnerabilities, including causing shutdowns and physical damage to infrastructure.
“While the breadth and depth of the vulnerabilities identified in Icefall seems like a doomsday scenario, Forescout has just identified what many of us in the industry already know — protocols not secure, unauthenticated, and other ‘unsecure by design’ engineering options that have never been really supposed to be CVEs,” Ron Fabela, co-founder and chief technology officer of industrial cybersecurity and asset monitoring company SynSaber Inc., told SiliconANGLE. “Again, these aren’t security vulnerabilities as information security would identify them, but really, ‘This isn’t a bug, it is a feature’ of industry.”
Fabela explained that the protocols were designed not to use authentication, and while there were secure options for industrial protocols, there was slow adoption. “A ‘protocol does not use authentication’ can create thousands of CVEs across many vendors and lines of business because authentication was never intended to be,” he said.
Chris Clements, vice president of solutions engineering at IT service management company Cerberus Cyber Sentinel Corp., noted that “one might incorrectly assume that industrial controllers and operating technology that perform some of the most vital and sensitive tasks in critical infrastructure environments will be among the safest systems in the world. However, the reality is often just the opposite.”
Clements added that many devices in these roles have security controls that are easy for attackers to defeat or bypass to gain complete control of the devices. “I think this is an industry that is seeing a long-awaited reckoning with cybersecurity,” he said.