Researchers at Forescout’s Vedere Labs wanted to show how insecure many internet-connected operational technology (OT) systems can be. So on Monday they released 56 vulnerabilities discovered across products from nine manufacturers.
Dubbed Icefall, the holes are in products such as programmable logic controllers and distributed control systems from big names like Emerson, Honeywell, Motorola, and Siemens. Many of the affected products are used in the oil and gas, chemical, nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining, and building automation sectors, the report says.
“Many of these products are sold as ‘secure by design’ or have been certified with OT security standards,” says a detailed technical report. The reality, the report suggests, is many products are ‘insecure by design.’
In one possible attack scenario described in the report, an attacker able to exploit the vulnerabilities could bypass authentication and then manipulate setpoints and monitoring values at a natural gas distributor’s compressor stations, either overwhelming operators with false alarms or changing flow setpoints to disrupt transport.
One problem, the researchers say, is that some OT manufacturers don’t acknowledge bugs by issuing CVEs, which would at least allow IT and OT leaders to know of and mitigate vulnerabilities.
The researchers group the vulnerabilities under five broad categories:
- Remote code execution (RCE): Allows an attacker to execute arbitrary code on the impacted device, but the code may be executed in different specialized processors and different contexts within a processor, so an RCE does not always mean full control of a device. This is usually achieved via insecure firmware/logic update functions that allow the attacker to supply arbitrary code;
- Denial of service (DoS): Allows an attacker to either take a device completely offline or to prevent access to some function;
- File/firmware/configuration manipulation: Allows an attacker to change important aspects of a device such as files stored within it, the firmware running on it or its specific configurations. This is usually achieved via critical functions lacking the proper authentication/authorization or integrity checking that would prevent attackers from tampering with the device;
- Compromise of credentials: Allows an attacker to obtain credentials to device functions, usually because they are stored or transmitted insecurely;
- Authentication bypass: Allows an attacker to bypass existing authentication functions and invoke desired functionality on the target device.