The US Cybersecurity and Infrastructure Agency (CISA) has warned organizations to check recently disclosed vulnerabilities affecting operational technology (OT) devices that should be – but aren't always – isolated from the internet.
Forescout this week released its report "OT:ICEFALL", which covers a set of common security issues in software for operational technology (OT) devices. The bugs they disclosed affect devices from Honeywell, Motorola, Siemens, and others.
OT is a subset of the Internet of Things (IoT). OT covers industrial control systems (ICS) that may be connected to the internet while the broader IoT category includes consumer items like TVs, doorbells, and routers.
CISA has released five corresponding Industrial Controls Systems Advisories (ICSAs) which it said provide notice of the reported vulnerabilities and identify baseline mitigations for reducing risks to these and other cybersecurity attacks.
The advisories include details of critical flaws affecting software from Japan's JTEKT, three flaws affecting devices from US vendor Phoenix Contact, and one affecting products from German firm Siemens.
The ICSA-22-172-02 advisory for JTEKT TOYOPUC details missing authentication and privilege escalation flaws. These have a severity rating of 7.2 out of 10.
The 56 vulnerabilities identified by Forescount fell into four main categories: insecure engineering protocols, weak cryptography or broken authentication schemes, insecure firmware updates, and remote code execution via native functionality.
The firm published the vulnerabilities (CVEs) as a collection to illustrate that flaws in the supply of critical infrastructure hardware are a common problem.
"With OT:ICEFALL, we wanted to disclose and provide a quantitative overview of OT insecure-by-design vulnerabilities rather than rely on the periodic bursts of CVEs for a single product or a small set of public, real-world incidents that are often brushed off as a particular vendor or asset owner being at fault," Forescout said.
"The goal is to illustrate how the opaque and proprietary nature of these systems, the suboptimal vulnerability management surrounding them and the often-false sense of security offered by certifications significantly complicate OT risk management efforts," it said.
Insecure-by-design vulnerabilities abound: More than a third of the vulnerabilities it found (38%) allow for compromise of credentials, with firmware manipulation coming in second (21%) and remote code execution coming third (14%).
Vulnerable products are often certified: 74% of the product families affected have some form of security certification and most issues it warns of should be discovered relatively quickly during in-depth vulnerability discovery. Factors contributing to this problem included limited scope for evaluations, opaque security definitions and a focus on functional testing.
Risk management is complicated by the lack of CVEs: It is not enough to know that a device or protocol is insecure. To make informed risk management decisions, asset owners need to know how these components are insecure. Issues that are the result of insecurity by design have not always been assigned CVEs, so they often remain less visible and actionable than they ought to be.
There are insecure-by-design supply chain components: Vulnerabilities in OT supply chain components tend to not be reported by every affected manufacturer, which contributes to the difficulties of risk management.
Not all insecure designs are created equal: None of the systems analyzed support logic signing and most (52%) compile their logic to native machine code. 62% of those systems accept firmware downloads via Ethernet, while only 51% have authentication for this functionality.
Offensive capabilities are more feasible to develop than often imagined: Reverse engineering a single proprietary protocol took between one day and two weeks, while achieving the same for complex, multi-protocol systems took five to six months.