Nearly five dozen security vulnerabilities have been disclosed
in devices from 10 operational technology (OT) vendors as a result
of what researchers describe as “insecure-by-design practices.”
Collectively dubbed OT:ICEFALL[1] by Forescout, the 56
issues span as many as 26 device models from Bently Nevada,
Emerson, Honeywell, JTEKT, Motorola, Omron, Phoenix Contact,
Siemens, and Yokogawa.
“Exploiting these vulnerabilities, attackers with network access
to a target device could remotely execute code, change the logic,
files or firmware of OT devices, bypass authentication, compromise
credentials, cause denials of service or have a variety of
operational impacts,” the company said in a technical report.
These vulnerabilities could have disastrous consequences
considering the impacted products are widely employed in critical
infrastructure industries such as oil and gas, chemical, nuclear,
power generation and distribution, manufacturing, water treatment
and distribution, mining, and building automation.
Of the 56 vulnerabilities discovered, 38% allow for compromise
of credentials, 21% allow for firmware manipulation, 14% allow
remote code execution, and 8% of flaws enable tampering with
configuration information.
Besides potentially permitting an attacker to supply arbitrary
code and make unauthorized modifications to the firmware, the
weaknesses could also be leveraged to take a device completely
offline and bypass existing authentication functions to invoke any
functionality on the targets.
More importantly, broken authentication schemes — including
bypass, use of risky cryptographic protocols, hardcoded and
plaintext credentials — accounted for 22 of the 56 flaws,
indicating “subpar security controls” during implementation.
In a hypothetical real-world scenario, these shortcomings could
be weaponized against natural gas pipelines, wind turbines, or
discrete manufacturing assembly lines to disrupt fuel transport,
override safety settings, halt the ability to control compressor
stations, and alter the functioning of programmable logic
controllers (PLCs).
But the threats are not just theoretical. A remote code
execution flaw affecting Omron NJ/NX controllers (CVE-2022-31206)
was, in fact, leveraged by a state-aligned actor dubbed CHERNOVITE[2]
to build a component of the sophisticated malware known as PIPEDREAM
(aka INCONTROLLER).
Complicating risk management is the increasing
interconnection between IT and OT networks, together with the
opaque and proprietary nature of many OT systems and the absence
of CVEs for many of these weaknesses. Without CVEs the issues remain
invisible to asset owners, and insecure-by-design features persist
in deployed products for a long time.
To mitigate OT:ICEFALL, it’s recommended to discover and
inventory vulnerable devices, enforce segmentation of OT assets,
monitor network traffic for anomalous activity, and procure
secure-by-design products to strengthen the supply chain.
“The development of recent malware targeting critical
infrastructure, such as Industroyer2[3], Triton[4], and INCONTROLLER[5], has shown that threat
actors are aware of the insecure by design nature of operational
technology and are ready to exploit it to wreak havoc,” the
researchers said.
“Despite the important role that standards-driven hardening
efforts play in OT security, products with insecure-by-design
features and trivially broken security controls continued to be
certified.”
References
[1] OT:ICEFALL (www.forescout.com)
[2] CHERNOVITE (thehackernews.com)
[3] Industroyer2 (thehackernews.com)
[4] Triton (thehackernews.com)
[5] INCONTROLLER (thehackernews.com)
Read more https://thehackernews.com/2022/06/researchers-disclose-56-vulnerabilities.html

