Dive Brief:
- A group of 56 operational technology security vulnerabilities are threatening devices across the world’s leading industrial manufacturers, including Honeywell, Emerson and Motorola, according to research from Forescout's Vedere Labs released Tuesday.
- The vulnerable devices include engineering workstations, remote terminal units, programmable logic controllers and other tools across industries from oil and gas and nuclear power to chemical plants and water treatment facilities. Attackers can exploit the vulnerabilities to steal credentials, manipulate firmware, take a device offline or gain remote code execution, according to researchers.
- Almost three-quarters of the device groups already have some form of security certification, but researchers say the vulnerabilities should have been found during the initial design process. Thousands of these devices are visible on the internet and easily detectable to threat actors.
Dive Insight:
Vedere Labs researchers say the vulnerabilities, which they call OT: Icefall, are the result of insecure design processes. Daniel dos Santos, head of security research at Forescout, said the OT space often assumes whoever is interactive with a device is trusted, and not a potential adversary.
“This is reflected in the fact that protocols lack authentication and encryption, or devices have hardcoded credentials or don’t verify the authenticity and integrity of firmware updates,” dos Santos said via email.
The disclosures come at a sensitive time for critical infrastructure providers. State-linked threat actors and sophisticated ransomware groups have targeted major industrial sites in recent years, including Colonial Pipeline and meat supplier JBS USA.
Just two months ago, researchers revealed a sophisticated, custom-made malware, called Incontroller or Pipedream, designed to destabilize industrial sites or undermine safety systems, which could result in the injury or potential death of anyone working at such a site.
Katell Thielemann, VP analyst at Gartner, said the volume of OT vulnerabilities will only increase in the future, because more researchers are looking into this previously ignored part of the technology stack.
This will place a heavier burden on original equipment manufacturers to test in tightly controlled environments and on end users to determine whether patching, isolation or upgrades make the most sense.
Erik Nost, senior analyst at Forrester, said the report highlights challenges facing the software development lifecycle.
“Integrating security into the entire process, from design to testing to deployment, often competes against other priorities and deadlines,” Nost said via email. “It takes commitment at an organizational level which seems to be coming to fruition for a lot of organizations these days, after years of trials and missteps.”
The vulnerabilities Vedere Labs researchers discovered are not very difficult to reverse-engineer and could be exploited within a manner of days, according to researchers.
The manufacturers have been notified and the Cybersecurity and Infrastructure Security Agency (CISA) is working to coordinate the disclosure process, according to dos Santos. In some cases other national agencies have been brought into the process, including in Japan, as some of the manufacturers are based overseas.
CISA is expected to issue an advisory on the vulnerabilities, according to Vedere Labs, but agency officials have not yet returned a request for comment.