Fifty-six vulnerabilities – some deemed critical – have been found in industrial operational technology (OT) systems from ten global manufacturers including Honeywell, Ericsson, Motorola, and Siemens, putting more than 30,000 devices worldwide at risk, according to the US government’s CISA and private security researchers.
Some of these vulnerabilities received CVSS severity scores as high as 9.8 out of 10. That is particularly bad, considering these devices are used in critical infrastructure across the oil and gas, chemical, nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining, and building automation industries.
The most serious security flaws include remote code execution (RCE) and firmware vulnerabilities. If exploited, these holes could potentially allow miscreants to shut down electrical and water systems, disrupt the food supply, change the ratio of ingredients to result in toxic mixtures, and … OK, you get the idea.
That’s not to say all or any of these scenarios are realistically possible – just that these are the kinds of machines and processes involved.
Forescout’s Vedere Labs discovered the bugs in devices built by ten vendors in use across the security company’s customer base, and collectively named them OT:ICEFALL. According to the researchers, the vulnerabilities affect at least 324 organizations globally – and in reality this number is probably much larger since Forescout only has visibility into its own customers’ OT devices.
In addition to the previously named manufacturers, the researchers found flaws in products from Bently Nevada, Emerson, JTEKT, Omron, Phoenix Contact, and Yokogawa.
OT devices insecure by design
Most of the flaws occur in level 1 and level 2 OT devices. Level 1 devices – such as programmable logic controllers (PLCs) and remote terminal units (RTUs) – control physical processes, while level 2 devices include supervisory control and data acquisition (SCADA) and human-machine interface systems.
In addition to the 56 detailed today in a Vedere report, the threat-hunting team discovered four others that are still under wraps due to responsible disclosure. One of the four allows credentials to be compromised, two allow an attacker to manipulate OT systems’ firmware, and the final one is an RCE via memory write flaw.
Many of these holes are a result of OT products’ so-called “insecure-by-design” construction, Forescout’s head of security research Daniel dos Santos told The Register. Several OT devices don’t include basic security controls, which makes them easier for attackers to exploit, he explained.
Forescout’s analysis comes ten years after Digital Bond’s Project Basecamp, which also examined OT devices and protocols and deemed them “insecure by design.”
Since that earlier analysis, “there have been real-world real incidents, real malware that has abused insecure-by-design functionality of devices to cause disruption and physical damage, like Industroyer in the Ukraine in 2016, or Triton in the Middle East in 2017,” dos Santos said.
In fact, some of the vulnerabilities detailed by Forescout have already been targeted to compromise industrial control systems. This includes CVE-2022-31206 – an RCE affecting Omron NJ/NX controllers, targeted by Incontroller, a suspected state-sponsored malware tool.
“One instance of insecure-by-design is unauthenticated protocols,” dos Santos said. “So basically, whenever you interact with the device you can call sensitive functions on the device, invoke this function directly without it asking for a password.”
The security researchers found nine vulnerabilities related to protocols that have no authentication on them: CVE-2022-29953, CVE-2022-29957, CVE-2022-29966, CVE-2022-30264, CVE-2022-30313, CVE-2022-30317, CVE-2022-29952 and CVE-2022-30276. Most of these can be exploited to download and run firmware and logic on someone else’s equipment, thus leading to RCEs, or shutdowns and reboots, which can cause denial of service conditions. Ideally, machines using these protocols are not connected to computers and other systems in a way that would allow a network intruder to exploit them.
Credential compromise is the most common
Vedere Labs counted five of the flaws more than once because they have multiple potential impacts.
More than a third of the 56 flaws (38 percent) can be abused to compromise user login credentials, while 21 percent, if exploited, could allow a miscreant to manipulate the firmware, and 14 percent are RCEs. In terms of the other vulnerability types, denial of service and configuration manipulation account for eight percent, authentication bypass vulns make up six percent, file manipulation comes in at three percent, and logic manipulation at two percent.
The researchers noted that patching these security issues won’t be easy – either because they are the result of OT products being insecure by design, or because they require changes in device firmware and supported protocols. “Realistically, that process will take a very long time,” they wrote.
Because of this, they did not disclose all of the technical details for the buggy OT devices – hence the lack of depth here. They did, however, suggest that customers follow each vendor’s security advisories – due out today or soon – for more details. Additionally, the security shop recommends isolating OT and industrial control systems’ networks from corporate networks and the internet when possible.
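Because the unauthenticated protocols described above cannot be patched quickly, the practical compensating control is the segmentation the researchers recommend, plus monitoring that tells you when it is being crossed. The following is an added example, not code from Forescout, Vedere Labs or any vendor: a small detector that reads a constructed flow log (timestamp, source, destination, port, and a labelled function) and raises an alert when a host outside the OT zone talks to an OT device at all, or when a sensitive function such as a firmware or logic download is invoked from anywhere other than an approved engineering workstation. The OT subnet, the engineering host addresses, the port and the function labels are all assumptions for illustration; the function names are not any real protocol’s codes.

```python
"""Segmentation and sensitive-function monitoring for unauthenticated OT protocols.

Added example (not the page's or any vendor's code). Every address, port and
function label below is a constructed assumption for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Assumption: the Purdue level 1/2 zone where PLCs, RTUs and SCADA hosts live.
OT_ZONE = ipaddress.ip_network("10.50.0.0/16")

# Assumption: the only hosts allowed to push firmware/logic or stop/reboot devices.
ENGINEERING_HOSTS = {
    ipaddress.ip_address("10.50.1.10"),
    ipaddress.ip_address("10.50.1.11"),
}

# Constructed labels standing in for "sensitive functions" a device exposes
# without asking for a password (see the insecure-by-design discussion above).
SENSITIVE_FUNCTIONS = {"firmware_download", "logic_download", "reboot", "stop_cpu"}

# Constructed sample log; not a real capture. Columns: ts src_ip dst_ip dst_port function
SAMPLE_LOG = """\
# ts src_ip dst_ip dst_port function
2022-06-21T09:00:01Z 10.50.1.10   10.50.7.21 9000 read
2022-06-21T09:00:05Z 10.50.1.10   10.50.7.21 9000 logic_download
2022-06-21T09:01:12Z 10.50.3.44   10.50.7.21 9000 firmware_download
2022-06-21T09:02:30Z 192.168.10.5 10.50.7.22 9000 read
2022-06-21T09:03:00Z 203.0.113.9  10.50.7.22 9000 reboot
"""


@dataclass(frozen=True)
class Alert:
    ts: str
    src_ip: str
    dst_ip: str
    function: str
    reason: str


def parse_line(line):
    """Split one whitespace-separated flow record into typed fields."""
    ts, src, dst, port, func = line.split()
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port), func


def analyse(lines):
    """Return one Alert per policy violation found in the flow records.

    Two rules are applied to every session whose destination is inside OT_ZONE:
      1. the source must also be inside OT_ZONE (segmentation boundary crossed);
      2. a sensitive function may only come from an engineering workstation.
    A single session can trigger both rules.
    """
    alerts = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, _port, func = parse_line(line)
        if dst not in OT_ZONE:
            continue  # only traffic toward OT devices is in scope here
        if src not in OT_ZONE:
            alerts.append(Alert(ts, str(src), str(dst), func,
                                "cross-zone access to OT device"))
        if func in SENSITIVE_FUNCTIONS and src not in ENGINEERING_HOSTS:
            alerts.append(Alert(ts, str(src), str(dst), func,
                                "sensitive function from non-engineering host"))
    return alerts


def run_sample():
    """Run the detector over the constructed sample log."""
    return analyse(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.ts} {a.src_ip} -> {a.dst_ip} [{a.function}] {a.reason}")
```

Against the constructed sample the approved workstation’s logic download passes silently, the firmware download from an unapproved host inside the OT zone raises one alert, the read from the corporate range raises a cross-zone alert, and the reboot from a public address raises both. The point of keeping the two rules separate is that the first one still fires when a device’s protocol offers no way to tell a benign read from a dangerous write.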
More information can be found in Vedere’s report, and announcements from Uncle Sam’s CISA are due out today. ®