Forescout reveals top vulnerabilities impacting OT vendors
Forescout’s Vedere Labs, in collaboration with CISA’s vulnerability disclosure process, has disclosed OT: ICEFALL, naming 56 vulnerabilities affecting devices from 10 operational technology (OT) vendors.
This is one of the single largest vulnerability disclosures that impact OT devices and directly addresses insecure-by-design vulnerabilities, the company states.
It’s been ten years since Project Basecamp, a research project conducted by Digital Bond, that investigated how critical OT devices and protocols were insecure by design.
Since then, real-world OT malware including Industroyer, TRITON, Industroyer2 and INCONTROLLER, has been hugely impactful in the abuse of insecure-by-design functionality, the company states.
Forescout Vedere Labs head of security research Daniel dos Santos comments, “The rapid expansion of the threat landscape is well documented at this stage. By connecting OT to IoT and IT devices, vulnerabilities that once were seen as insignificant due to their lack of connectivity are now high targets for bad actors."
Santos says, "10 years on from BASECAMP and now ICEFALL, we have a very long way to go to reach the summit of these OT design practices. These types of vulnerabilities, and the proven desire for attackers to exploit them, demonstrate the need for robust, OT-aware network monitoring and deep-packet-inspection (DPI) capabilities.”
The 56 vulnerabilities detailed in Forescout's technical report impact ten vendors, including Bently Nevada, Emerson, Honeywell, JTEKT, Motorola, Omron, Phoenix Contact, Siemens and Yokogawa.
As highlighted by Forescout, although the impact of each vulnerability is highly dependent on the functionality each device offers, they fall under the following categories:
- Remote code execution (RCE): Allows an attacker to execute arbitrary code on the impacted device, but the code may be executed in different specialised processors and different contexts within a processor, so an RCE does not always mean full control of a device. This is usually achieved via insecure firmware/logic update functions that allow the attacker to supply arbitrary code.
- Denial of service (DoS): Allows an attacker to either take a device completely offline or to prevent access to some function.
- File/firmware/configuration manipulation: Allows an attacker to change important aspects of a device such as files stored within it, the firmware running on it or its specific configurations. This is usually achieved via critical functions lacking the proper authentication/authorisation or integrity checking that would prevent attackers from tampering with the device.
- Compromise of credentials: Allows an attacker to obtain credentials to device functions, usually either because they are stored or transmitted insecurely.
- Authentication bypass: Allows an attacker to bypass existing authentication functions and invoke desired functionality on the target device.
A full list of devices affected by OT: ICEFALL is available via Forescout, while details of each vulnerability are discussed in Forescout’s technical report.