Fifty-six security vulnerabilities have been discovered in operational technology products that open the door to various types of hacking.
Dubbed “Icefall” by security researchers at Forescout Technologies Inc.’s Vedere Labs, the vulnerabilities described today are said to be caused by insecure-by-design practices in OT. The affected products are prevalent in industries such as oil and gas, chemical, nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining and building automation. Many of the affected products are sold as being “secure by design” or have been certified as being secure.
The Icefall vulnerabilities fall under four main categories: insecure engineering protocols, weak cryptography or broken authentication schemes, insecure firmware updates and remote code execution via native functions.
Of the vulnerabilities, 38% allow for compromise of credentials, 21% allow for firmware manipulation and 14% allow remote code execution. Using the vulnerabilities, hackers with network access to a targeted device could remotely execute code, change the logic, files or firmware of OT devices, bypass authentication, compromise credentials, cause denials of service or have various operational impacts.
Affected vendors include Honeywell International Inc., Motorola Solutions Inc., Omron Corp., Siemens AG, Emerson Electric Co., JTEKT Corp. TYO, Bentley Nevada, Phoenix Contact s.r.o., ProConOS and Yokogawa Electric Corp. The affected vendors were informed of the vulnerabilities before the details were published.
Security issues with software and technology are typically allocated Common Vulnerabilities and Exposures numbers, but this is often not the case with OT. “Issues considered the result of insecurity by design have not always been assigned CVEs, so they often remain less visible and actionable than they ought to be,” the researchers wrote.
The Forescout report also details various scenarios that could be used against OT software with the vulnerabilities, including causing shutdowns and potentially real-world damage to infrastructure.
“While the breadth and depth of the vulnerabilities identified in Icefall seem like a doomsday scenario, Forescout has just outlined what many of us in the industry already know — protocols are not secure, unauthenticated and other ‘insecure by design’ engineering choices that were never really meant to be CVEs,” Ron Fabela, co-founder and chief technology officer of industrial cybersecurity and asset monitoring company SynSaber Inc., told SiliconANGLE. “Again, these are not vulnerabilities as information security would identify them, but truly ‘that’s not a bug, it’s a feature’ for industrial.”
Fabela explained that protocols were designed not to use authentication, and although there are secure options for industrial protocols, there has been slow adoption. “‘Protocol does not use authentication’ could generate thousands of CVEs across multiple vendors and business lines because there was never meant to be authentication,” he said.
Chris Clements, vice president of solutions architecture at information technology services management company Cerberus Cyber Sentinel Corp., noted that “one may incorrectly assume that the industrial control and operational technology devices that perform some of the most vital and sensitive tasks in critical infrastructure environments would be among the most heavily secured systems in the world, yet the reality is often the exact opposite.”
Far too many devices in these roles have security controls that are easy for attackers to defeat or bypass in order to take complete control of the devices, Clements added. “I believe this is an industry that is experiencing a long-overdue cybersecurity reckoning,” he said.