Forescout’s Vedere Labs has disclosed 56 vulnerabilities in operational technology (OT) products from ten vendors, including Siemens, Emerson and Honeywell. The affected protocols and products are widely deployed, and the findings offer a new perspective on how secure such devices really are.
The “OT: ICEFALL” report by Vedere Labs documents the legacy of products that are “insecure by design”: unauthenticated engineering protocols, weak or hard-coded credentials, unsigned firmware updates and flaws that allow remote code execution. It is an eye opener for individuals and organizations alike.
Here are the key findings and a summary of Vedere Labs’ “OT: ICEFALL” report.
OT: ICEFALL 2022 – Summary of the Report
The report describes 56 vulnerabilities that highlight shortcomings in how the affected products were designed. The vulnerabilities affect 26 device models from 10 Operational Technology (OT) vendors and stem from insecure engineering protocols, insecure firmware update mechanisms, weak cryptography and flaws that allow remote code execution.
These products are deployed across critical-infrastructure sectors such as oil and gas, nuclear, chemical, power generation and distribution, manufacturing, mining, automation and water treatment. The wide array of security blunders in them exposes those sectors to denial of service (DoS), credential theft and file manipulation, among other impacts. Here are some key statistics highlighted in the report.
OT: ICEFALL – Key Statistics
Forescout notes that many of these products are sold with a certification against OT security standards and are marketed as “secure by design”. The security behind many of them is nonetheless questionable, exposing the organizations that run them to a range of vulnerabilities.
(OT: ICEFALL Vulnerability Types, Source: Forescout.com)
- 38% of the vulnerabilities allow an attacker to compromise credentials.
- 21% allow firmware manipulation and 14% allow remote code execution.
- 74% of the product families with vulnerable products had a security certification.
- The remaining vulnerabilities allow configuration manipulation (8%), DoS (8%), authentication bypass (6%), file manipulation (3%) and logic manipulation (2%).
OT: ICEFALL – 9 OT Organizations with Sub-par Security in their Products
Here is a list of nine of the affected OT vendors and the products in which the vulnerabilities were found.
- Bently Nevada: Bently Nevada (a Baker Hughes business) is exposed to remote code execution, file manipulation and DoS. The maintenance interface of the Bently Nevada 3701 has hard-coded, undocumented credentials, and all products using the TDI (Transient Data Interface) protocol are vulnerable because the protocol has no authentication.
- Emerson: Emerson has a long list of affected products, including DeltaV and DeltaV controllers, Ovation, OpenBSI, ControlWave and Bristol Babcock 33xx, Fanuc and PACSystems, ROC, and FloBoss. The impact affecting most of Emerson’s products is credential compromise, followed by firmware manipulation and remote code execution. The report also shows how some Emerson products can be abused for configuration manipulation, DoS and authentication bypass.
- Honeywell: Honeywell’s Trend controllers, Experion PKS Safety Manager, ControlEdge, Saia Burgess Controls (SBC) PCD controllers and Experion LX are not adequately secured. The IC protocol used by Honeywell transmits credentials in plaintext, and the products expose organizations to credential compromise, remote code execution and firmware manipulation.
- JTEKT: JTEKT’s TOYOPUC PLCs use the CMPLink/TCP protocol, which has no authentication, so logic can be downloaded to the PLC by anyone who can reach it. This exposes the products to remote code execution, file manipulation and DoS.
- Motorola: Motorola’s IPGW protocol lacks authentication and its MDLC protocol provides weak confidentiality. The MOSCAD IP Gateway, MDLC, ACE1000 and STS Toolbox are exposed to credential compromise, firmware manipulation and authentication bypass.
- Omron: Many of Omron’s SYSMAC series, including the CS1, CJ1, CP, NJ and NX products, lack encryption and transmit sensitive data in plaintext. This exposes them to remote code execution, manipulation of control logic and, above all, credential theft.
- Phoenix Contact: Forescout’s report shows that an attacker can execute arbitrary code on Phoenix Contact’s ProConOS runtime, because logic downloaded to the PLC is not cryptographically authenticated.
- Siemens: Siemens is another well-known name exposed to authentication bypass. Authentication in the WinCC OA desktop UI is performed only on the client side and is not enforced by the server, so an attacker with a modified client can impersonate any user.
- Yokogawa: Yokogawa’s STARDOM products are exposed to credential compromise, as the ResConf protocol lacks encryption and the maintenance interface has hard-coded credentials. They are also exposed to firmware manipulation, because firmware images are protected only by a checksum and are not signed.
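The Yokogawa finding above (firmware protected only by a checksum) is worth seeing concretely, because a checksum is an error-detection code, not an integrity control: an attacker who modifies an image can make the checksum match again, whereas a signature over the image cannot be reproduced without the signing key. The following Python is an added example, not code from the report or from any vendor. The image layout, the use of CRC-32 as a stand-in for the unspecified vendor checksum, the HMAC-SHA256 stand-in for a real (asymmetric) firmware signature, and the sample logic and key are all constructed for illustration.

```python
"""Checksum-only firmware integrity versus a keyed signature check.

Added example (not Forescout's code or any vendor's format). The image
layout, the CRC-32 choice, the HMAC stand-in for a signature and the
logic strings are all constructed for illustration.
"""
import hashlib
import hmac
import zlib

# Build the reflected CRC-32 table that zlib.crc32 uses (poly 0xEDB88320).
_POLY = 0xEDB88320
_TABLE = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ _POLY if _c & 1 else _c >> 1
    _TABLE.append(_c)
# The top bytes of the 256 entries are all distinct; the 4-byte fix-up
# below relies on that to walk the CRC state machine backwards.
_REV = {entry >> 24: i for i, entry in enumerate(_TABLE)}
assert len(_REV) == 256


def crc32_fixup(data: bytes, target: int) -> bytes:
    """Return 4 bytes p such that zlib.crc32(data + p) == target.

    Classic CRC forging: the final register value depends only on the
    table indices used for the last four bytes, so choose those indices
    backwards from the target, then pick bytes that select them from the
    real running state.
    """
    state = zlib.crc32(data) ^ 0xFFFFFFFF   # undo final XOR: raw register
    want = target ^ 0xFFFFFFFF
    indices = []
    s = want
    for _ in range(4):
        idx = _REV[s >> 24]
        indices.append(idx)
        s = ((s ^ _TABLE[idx]) << 8) & 0xFFFFFFFF
    patch = bytearray()
    for idx in reversed(indices):
        patch.append((state ^ idx) & 0xFF)     # byte that selects idx
        state = _TABLE[idx] ^ (state >> 8)     # same update zlib performs
    return bytes(patch)


# --- "Checksum only" image: body || crc32(body) as 4 little-endian bytes ---
def build_checksum_image(body: bytes) -> bytes:
    return body + zlib.crc32(body).to_bytes(4, "little")


def checksum_ok(image: bytes) -> bool:
    body, trailer = image[:-4], image[-4:]
    return zlib.crc32(body) == int.from_bytes(trailer, "little")


def tamper_keeping_checksum(image: bytes, new_body: bytes) -> bytes:
    """Swap in new_body and append 4 bytes so the original CRC still matches."""
    trailer = image[-4:]
    target = int.from_bytes(trailer, "little")
    return new_body + crc32_fixup(new_body, target) + trailer


# --- Keyed integrity: body || HMAC-SHA256(key, body) ---
# Stand-in for an asymmetric firmware signature so this runs on the
# standard library alone. A real device should hold a public key and verify
# a signature; a symmetric key burned into every unit would itself be a
# hard-coded credential of the kind the report describes.
def build_signed_image(body: bytes, key: bytes) -> bytes:
    return body + hmac.new(key, body, hashlib.sha256).digest()


def signature_ok(image: bytes, key: bytes) -> bool:
    body, tag = image[:-32], image[-32:]
    return hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag)


# Constructed sample "firmware": a trip setpoint an attacker would want to move.
ORIGINAL_LOGIC = b"IF pressure_bar > 80 THEN open_relief_valve\n"
TAMPERED_LOGIC = b"IF pressure_bar > 99 THEN open_relief_valve\n"
VENDOR_KEY = b"example-only-key"   # constructed; never a real key


def demo() -> dict:
    """Run both checks and report which one the tampering survives."""
    chk = build_checksum_image(ORIGINAL_LOGIC)
    forged = tamper_keeping_checksum(chk, TAMPERED_LOGIC)
    signed = build_signed_image(ORIGINAL_LOGIC, VENDOR_KEY)
    # Without the key, the attacker can only reuse the old tag on a new body.
    forged_signed = TAMPERED_LOGIC + signed[-32:]
    return {
        "checksum_accepts_original": checksum_ok(chk),
        "checksum_accepts_forged": checksum_ok(forged),
        "signature_accepts_original": signature_ok(signed, VENDOR_KEY),
        "signature_accepts_forged": signature_ok(forged_signed, VENDOR_KEY),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running `demo()` shows the checksum-only image accepting the tampered setpoint while the keyed check rejects it. The four-byte CRC fix-up is the well-known linear-checksum forgery; simpler additive checksums are even easier to repair, which is why the report treats checksum-only firmware as manipulable. The practical check for asset owners is whether a device rejects an image whose payload was altered after signing, not merely whether it rejects a corrupted download.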
Does Certification No Longer Matter?
One of the report’s most significant findings is that most of the vulnerable product families had been certified under one or more of the following schemes.
- 12% by ISASecure Component Security Assurance (CSA).
- 6% by ISASecure System Security Assurance (SSA).
- 44% by the Achilles Communications Certification (ACC) from GE (26% at ACC Level 1 and 18% at ACC Level 2).
- 3% by ANSSI’s Certification de Sécurité de Premier Niveau (CSPN).
The remaining 26% of affected product families had no certification at all. Given the scope of the vulnerabilities discovered, the findings point to a serious need to re-evaluate certified products and to take a closer look at certification schemes whose scope and definitions are opaque. Insecure-by-design OT products are not a new discovery, but several factors complicate risk management today.
Asset owners should use knowledge of these protocol and product gaps to make better decisions around segmentation, safelisting and monitoring, while vendors focus on addressing the underlying issues.
Attack Scenarios: How Can Affected Sectors Be Impacted?
The report also presents sector scenarios to illustrate how the vulnerabilities found could be chained in practice.
Natural Gas Transport: Transporting natural gas through pipelines relies on compressor units with lube oil systems, gas cooling systems, backup generators and similar equipment. An attacker could use the WinCC OA authentication bypass to manipulate the controls of a compressor station, then leverage the Emerson ControlWave RTU vulnerabilities to issue remote commands or gain full code execution on the RTU and interact with the connected equipment without restriction, causing a total loss of control over gas transport.
The report also walks through the manipulation and loss of control of wind turbines used for power generation, and the disruption of a manufacturing plant causing loss of revenue and productivity. It gives a detailed view of each vulnerability type and the attacks it enables; the full report covers these in depth.
Risk Mitigation Advice for Organizations Running Affected Products
Organizations running affected products will need to emphasize the following to address the vulnerabilities found in the report.
- Identify and inventory vulnerable devices.
- Introduce proper segmentation controls and maintain good network hygiene.
- Monitor the patches released for affected devices and monitor network traffic to and from them.
- Practice a secure-by-design approach for future deployments and purchases.
- Make use of the native hardening capabilities the devices already offer.
- Follow Cyber-PHA and CCE methodologies for consequence reduction.
Forescout’s OT: ICEFALL report is an eye opener: it shows how vulnerable these devices are even after passing certifications that are presented as a mark of their quality. It is now up to vendors to adopt better and stricter guidelines, so that the current shortcomings are addressed and future products ship only after thorough security review, lest they suffer a significant attack that damages their brand or, worse, puts their own information assets and those of their customers at risk.