Researchers Reveal 56 Vulnerabilities Affecting OT Devices from 10 Vendors


Nearly five dozen security vulnerabilities have been revealed in devices from 10 operational technology (OT) vendors as a result of what researchers call “unsafe practices.”

Collectively dubbed OT:ICEFALL by Forescout, the 56 flaws cover a whopping 26 device models from Bently Nevada, Emerson, Honeywell, JTEKT, Motorola, Omron, Phoenix Contact, Siemens and Yokogawa.

“By exploiting these vulnerabilities, attackers with network access to a target device could remotely execute code, modify the logic, files, or firmware of OT devices, bypass authentication, compromise credentials, cause denial of service, or have a variety of operational consequences,” the company said in a technical report.

These vulnerabilities could have disastrous consequences as the affected products are widely used in critical infrastructure sectors such as oil and gas, chemicals, nuclear power, power generation and distribution, manufacturing, water treatment and distribution, mining and building automation.

Of the 56 vulnerabilities discovered, 38% allow credentials compromise, 21% allow firmware manipulation, 14% allow remote code execution, and 8% of the flaws allow configuration information to be tampered with.

In addition to allowing an attacker to deliver arbitrary code and make unauthorized changes to the firmware, the vulnerabilities can also be used to take a device completely offline and bypass existing authentication features to invoke functionality on the targets.

More importantly, broken authentication schemes — including bypass, use of risky cryptographic protocols, and hard-coded and unencrypted credentials — were responsible for 22 out of the 56 flaws, indicating “substandard security controls” during implementation.

In a hypothetical but realistic scenario, these flaws could be deployed against natural gas pipelines, wind turbines or discrete production assembly lines to disrupt fuel transportation, override safety settings, stop the ability to control compressor stations, and alter the operation of programmable logic controllers (PLCs).

But the threats aren’t just theoretical. A remote code execution flaw affecting Omron’s NJ/NX controllers (CVE-2022-31206) was in fact exploited by a state-sponsored actor called CHERNOVITE to develop a piece of advanced malware known as PIPEDREAM (aka INCONTROLLER).

Risk management is complicated by the increasing interdependence between IT and OT networks, coupled with the opaque and proprietary nature of many OT systems, not to mention the absence of CVEs, which leaves the lingering issues and insecure-by-design features invisible for a long time.

To mitigate OT:ICEFALL, it is recommended to discover and inventory vulnerable devices, enforce segmentation of OT assets, monitor network traffic for anomalous activity, and procure secure products to strengthen the supply chain.

“The development of recent malware targeting critical infrastructure, such as Industroyer2, Triton and INCONTROLLER, has demonstrated that threat actors are aware of the insecure nature of operational technology and ready to misuse it to cause harm,” the researchers said.

“Despite the important role standards-based hardening efforts play in OT security, products with insecure design features and trivially broken security controls were still certified.”