Security researchers have disclosed 56 new vulnerabilities in 10 operational technology (OT) vendors’ products that they say demonstrate significant “insecure-by-design” practices.
Forescout issued the OT:Icefall report today, revealing the impacted manufacturers as Bently Nevada, Emerson, Honeywell, JTEKT, Motorola, Omron, Phoenix Contact, Siemens and Yokogawa.
It said the vulnerabilities themselves broadly fit into four categories:
- Insecure engineering protocols
- Weak cryptography or broken authentication schemes
- Insecure firmware updates
- Remote code execution (RCE) via native functionality
The most common vulnerability type enables attackers to compromise credentials (38%). Next comes firmware manipulation (21%), RCE (14%) and configuration manipulation (8%). A small number of DoS, authentication bypass, file manipulation and logic manipulation bugs are also listed.
“With OT:Icefall, we wanted to disclose and provide a quantitative overview of OT insecure-by-design vulnerabilities rather than rely on the periodic bursts of CVEs for a single product or a small set of public real-world incidents that are often brushed off as a particular vendor or asset owner being at fault,” Forescout explained in a blog post.
“These issues range from persistent insecure-by-design practices in security-certified products to subpar attempts to move away from them. The goal is to illustrate how the opaque and proprietary nature of these systems, the suboptimal vulnerability management surrounding them, and the often-false sense of security offered by certifications significantly complicate OT risk management efforts.”
Forescout revealed that 74% of the product families affected by OT:Icefall have some form of security certification and argued that most of the issues it revealed should have been discovered relatively quickly and easily if manufacturers had conducted in-depth vulnerability discovery.
The security vendor added that opacity in the industry is harming efforts to improve the security of OT products. Many insecure-by-design problems aren’t assigned CVEs, so they often remain “less visible and actionable,” it argued.
“The rapid expansion of the threat landscape is well documented at this stage. By connecting OT to IoT and IT devices, vulnerabilities that once were seen as insignificant due to their lack of connectivity are now high targets for bad actors,” warned Daniel dos Santos, head of security research at Forescout Vedere Labs.