Forescout today disclosed nearly 60 operational technology (OT) vulnerabilities from 10 different vendors. They were presented under the OT:ICEFALL banner, and were originally reported by Forescout’s threat intelligence team, Vedere Labs. These vulnerabilities vary in severity, but a number of them allow for credential theft, remote execution of arbitrary code, and even manipulation of microcode.
The suppliers affected are Emerson, Honeywell, Motorola, Omron, Yokogawa, JTEKT, Bently Nevada, Phoenix Contact, Siemens and a tenth supplier, whose name has not yet been revealed. These vulnerabilities affect many popular products, such as Emerson ControlWave (a programmable logic controller) and Honeywell Safety Manager (a system used to process safety-related data in industrial environments such as oil and gas plants), among others.
A full list of vulnerabilities – except for the four affecting the unnamed vendor – with technical details is available in Forescout’s report. The report also includes a series of attack scenarios showing how malicious actors could disrupt natural gas transmission, wind power generation and component manufacturing.
The vulnerabilities are divided into four categories: insecure protocols, insecure firmware updates, remote code execution via native features, and weak cryptography or failed authentication schemes.
The theme of OT:ICEFALL is “insecure-by-design” vulnerabilities, a category commonly seen in the field of operational technologies. These vulnerabilities stem from functionality the manufacturer built in deliberately, and they have not always been assigned a CVE identifier.
According to the Forescout report, the problem is not so much the existence of these flaws as the fact that much of the affected technology lacks sufficient security controls and a consistent approach to managing vulnerabilities.
The authors of the report explain that “the objective is to illustrate how the opaque and proprietary nature of these systems, the suboptimal management of the vulnerabilities that surround them and the often erroneous sense of security offered by the certifications considerably complicate the operational technology risk management efforts”.
Flaws in operational technology and industrial control systems (ICS) can be particularly problematic, potentially far more so than those in information systems. ICS/OT are commonly seen in critical infrastructure, manufacturing, healthcare, and other industrial settings. If malicious actors hijack systems that control electricity or drinking water, for example, the consequences can prove more perilous than most computer ransomware attacks.
Additionally, industrial control systems are designed to last for years or even decades, and taking systems offline to mitigate vulnerabilities or apply patches can be extremely difficult and complicated. A simple reset can lead to production delays or, worse, the potential shutdown of a critical service.
Daniel dos Santos, head of security research at Forescout, told our colleagues at SearchSecurity (TechTarget Group), in an email, that the bugs were first disclosed to vendors in March.
While “some have been discovered recently, others have long been known but not previously disclosed because historically insecurity-by-design issues have not been given a CVE.” Daniel dos Santos says he has “noted a recent shift in the community towards accepting these issues as CVE.” Following that shift, Forescout “consolidated the 56 issues and started the disclosure process.”
“Each supplier was treated in a separate case instead of grouping them all in a single case (to avoid information leaks)”, he added. Some vendors “provided responses very late in the process, which made it difficult to coordinate notices, affected products/versions, mitigations, etc.” Even so, Forescout teams have “received responses from almost all suppliers”, which Daniel dos Santos counts as progress.