Share news article

Share on facebook
Share on twitter
Share on linkedin
Share on email

Researchers Disclose 56 Vulnerabilities Impacting OT Devices from 10 Vendors

Nearly five dozen security vulnerabilities have been disclosed in devices from 10 operational technology (OT) vendors due to what researchers call are “insecure-by-design practices.”

Collectively dubbed OT:ICEFALL by Forescout, the 56 issues span as many as 26 device models from Bently Nevada, Emerson, Honeywell, JTEKT, Motorola, Omron, Phoenix Contact, Siemens, and Yokogawa.

“Exploiting these vulnerabilities, attackers with network access to a target device could remotely execute code, change the logic, files or firmware of OT devices, bypass authentication, compromise credentials, cause denials of service or have a variety of operational impacts,” the company said in a technical report.

These vulnerabilities could have disastrous consequences considering the impacted products are widely employed in critical infrastructure industries such as oil and gas, chemical, nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining, and building automation.

Of the 56 vulnerabilities discovered, 38% allow for compromise of credentials, 21% allow for firmware manipulation, 14% allow remote code execution, and 8% of flaws enable tampering with configuration information.

Besides potentially permitting an attacker to supply arbitrary code and make unauthorized modifications to the firmware, the weaknesses could also be leveraged to take a device completely offline and bypass existing authentication functions to invoke any functionality on the targets.

More importantly, broken authentication schemes — including bypass, use of risky cryptographic protocols, and hardcoded and plaintext credentials — accounted for 22 of the 56 flaws, indicating “subpar security controls” during implementation.

In a hypothetical real-world scenario, these shortcomings could be weaponized against natural gas pipelines, wind turbines, or discrete manufacturing assembly lines to disrupt fuel transport, override safety settings, halt the ability to control compressor stations, and alter the functioning of programmable logic controllers (PLCs).

But the threats are not just theoretical. A remote code execution flaw affecting Omron NJ/NX controllers (CVE-2022-31206) was, in fact, exploited by a state-aligned actor dubbed CHERNOVITE to develop a piece of a sophisticated malware named PIPEDREAM (aka INCONTROLLER).

Complicating risk management is the increasing interconnectedness between IT and OT networks, coupled with the opaque and proprietary nature of many OT systems, not to mention the absence of CVEs, rendering the lingering issues invisible as well as retaining such insecure-by-design features for a long time.

To mitigate OT:ICEFALL, it’s recommended to discover and inventory vulnerable devices, apply vendor-specific patches, enforce segmentation of OT assets, monitor network traffic for anomalous activity, and procure secure-by-design products to beef up the supply chain.

“The development of recent malware targeting critical infrastructure, such as Industroyer2, Triton, and INCONTROLLER, has shown that threat actors are aware of the insecure by design nature of operational technology and are ready to exploit it to wreak havoc,” the researchers said.

“Despite the important role that standards-driven hardening efforts play in OT security, products with insecure-by-design features and trivially broken security controls continued to be certified.”

Update: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released five Industrial Controls Systems Advisories (ICSAs) related to OT:ICEFALL, urging impacted users to identify baseline mitigations for reducing potential risks arising out of exploiting these flaws.

Found this article interesting? Follow THN on Facebook, Twitter and LinkedIn to read more exclusive content we post.

Related News

Schoolyard Bully Malware Stealing Facebook Credentials on Android

Schoolyard Bully Malware Stealing Facebook Credentials on Android

Mobile security company Zimperium’s zLabs has released a warning about a notorious Android trojan that has stolen around 300,000 credentials…
8 Reasons Why Enterprises Use Java

8 Reasons Why Enterprises Use Java

Java is one of the most well-known programming languages and software platforms that is used on countless devices such as…
360m Alleged WhatsApp Records Shared Freely on Telegram and Dark Web

360m Alleged WhatsApp Records Shared Freely on Telegram and Dark Web

Previously we covered the news of a database containing 487 million up-to-date WhatsApp user records from 84 countries being sold…