Products Prevalent In Many Important Industries Are Home To Dozens Of Vulnerabilities

Security researchers have disclosed 56 new vulnerabilities in 10 operational technology (OT) vendors’ products that they say demonstrate significant “insecure-by-design” practices.

Forescout issued the OT:Icefall report today, naming products prevalent in industries such as oil and gas, chemical, nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining, and building automation.

The vulnerabilities are divided into four main categories:

  • Insecure engineering protocols
  • Weak cryptography or broken authentication schemes
  • Insecure firmware updates
  • Remote code execution (RCE) via native functionality

Across the 56 vulnerabilities, the report states that:

  • 38% allow for compromise of credentials
  • 21% allow for firmware manipulation
  • 14% allow remote code execution
  • 74% of the affected products have some form of security certification
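To make two of those categories concrete, here is an added illustration (it is not code from the OT:Icefall report or from any vendor named in it) of what an "insecure firmware update" with "weak cryptography" looks like next to an integrity-checked one. The image layout, the CRC32 trailer on the weak format, the HMAC-SHA256 trailer on the checked format and the device key are all assumptions made for this example; a real device would normally verify an asymmetric signature so that it holds only a public key.

```python
"""Weak (CRC-only) firmware acceptance vs. keyed integrity check with anti-rollback.

Added illustration; image format, checks and key are assumptions, not any
vendor's real update format.
"""
import hashlib
import hmac
import struct
import zlib

MAGIC = b"FWIM"                 # assumed 4-byte image magic
HDR = struct.Struct(">4sII")    # assumed header: magic, version, payload length
TAG_LEN = hashlib.sha256().digest_size


def build_image_crc(version: int, payload: bytes) -> bytes:
    """Weak format: header + payload + CRC32 trailer.

    CRC32 is an error-detection code, not an authenticator: anyone who can
    modify the payload can recompute the trailer, so it stops nothing.
    """
    body = HDR.pack(MAGIC, version, len(payload)) + payload
    return body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


def accept_image_crc(image: bytes) -> bool:
    """Device-side check of the weak format: only verifies the CRC trailer."""
    if len(image) < HDR.size + 4:
        return False
    body, trailer = image[:-4], image[-4:]
    magic, _version, length = HDR.unpack_from(body)
    if magic != MAGIC or len(body) != HDR.size + length:
        return False
    return (zlib.crc32(body) & 0xFFFFFFFF) == struct.unpack(">I", trailer)[0]


def tamper_crc_image(image: bytes, patched_payload: bytes) -> bytes:
    """What an attacker does to the weak format: swap the payload, recompute CRC."""
    _magic, version, _length = HDR.unpack_from(image)
    return build_image_crc(version, patched_payload)


def build_image_mac(key: bytes, version: int, payload: bytes) -> bytes:
    """Checked format: header + payload + HMAC-SHA256 over everything before it."""
    body = HDR.pack(MAGIC, version, len(payload)) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


def accept_image_mac(key: bytes, image: bytes, current_version: int) -> bool:
    """Device-side check: authenticate first, parse second, then refuse rollback."""
    if len(image) < HDR.size + TAG_LEN:
        return False
    body, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time, before parsing
        return False
    magic, version, length = HDR.unpack_from(body)
    if magic != MAGIC or len(body) != HDR.size + length:
        return False
    return version > current_version             # anti-rollback


def demo() -> dict:
    """Run both formats against a genuine and a tampered image (constructed data)."""
    key = bytes(range(32))                       # constructed device key (assumption)
    genuine = b"ORIGINAL_FIRMWARE_BLOB"
    backdoored = b"BACKDOORED_FIRMWARE"

    weak = build_image_crc(3, genuine)
    checked = build_image_mac(key, 3, genuine)
    # Attacker without the key: flip one payload byte of the checked image.
    flipped = checked[:HDR.size] + bytes([checked[HDR.size] ^ 0x01]) + checked[HDR.size + 1:]

    return {
        "weak_genuine": accept_image_crc(weak),                              # True
        "weak_tampered": accept_image_crc(tamper_crc_image(weak, backdoored)),  # True: CRC recomputed
        "mac_genuine": accept_image_mac(key, checked, current_version=2),    # True
        "mac_tampered": accept_image_mac(key, flipped, current_version=2),   # False
        "mac_rollback": accept_image_mac(key, checked, current_version=3),   # False
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:14s} accepted={ok}")
```

The point of the weak half is the `weak_tampered` result: a CRC-only update path accepts a modified image as readily as the genuine one, which is exactly the "firmware manipulation" outcome the report counts. The checked half also verifies the tag before it parses the header, so untrusted bytes never reach the parser, and the version comparison closes the usual follow-on gap of re-flashing an older, still-signed image.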

I have a pair of comments on this report. The first is from Rajiv Pimplaskar, CEO, Dispersive Holdings, Inc.:

“As the report illustrates, critical infrastructure industries that utilize ICS SCADA systems and IoT devices pose appealing soft targets for threat actors as a significant percentage of the estate has vulnerabilities. Also, they tend to fall out of the purview of the IT organization’s responsibility and its cyber security program. Oil and gas, chemical, nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining, and building automation and other operations technology (OT) intensive businesses should be especially vigilant and actively secure their OT estate using zero trust strategies and leveraging next gen VPN technologies that are capable of protecting both IT and OT assets. A key strategy is cloud obfuscation where source and destination relationships and sensitive data flows are anonymized and privatized using a smart secure communications overlay that makes it virtually impossible for a bad actor to even detect and target such vulnerable devices in the first place.”

Garret Grajek, CEO, YouAttest had this to say:

“This is an extremely alarming but not surprising finding. Hackers often go at known vulnerabilities in software – that’s noted and publicized. But deployment and misconfiguration errors are really the bread and butter. How the engineering pieces fit together is where the gaps usually are – and can be exploited. This is where the man-in-the-middle attacks, form hacking and hijacking of sessions occur. Thorough pen testing through automated and manual means is a must to eliminate these errors – including a thorough overview of system and admin privileges.”

The report is very much worth reading because it seriously got my attention. Which means that if you’re in any of the sectors outlined in the report, it should get your attention.

UPDATE: I have three additional comments. The first is from Ron Fabela, Co-founder and CTO of SynSaber:

“While the breadth and depth of the vulnerabilities identified in OT:ICEFALL seem like a doomsday scenario, Forescout has just outlined what many of us in the industry already know: Protocols are not secure, unauthenticated, and other ‘insecure by design’ engineering choices that were never really meant to be CVEs. Again, these are not vulnerabilities as information security would identify them, but truly ‘that’s not a bug, it’s a feature’ for industrial. Protocols were designed to not use authentication, and although there are secure options for industrial protocols, there has been slow adoption. ‘Protocol does not use authentication’ could generate thousands of CVEs across multiple vendors and business lines, because there was never meant to be authentication. But does generating thousands of CVEs, tying up vendor product security teams and asset owners, really cause a positive impact on the security of our critical infrastructure? The OT:ICEFALL report is well constructed, highly detailed, and great insight from a security perspective on legacy ICS ‘vulnerabilities,’ however, because CVE numbers are being generated, this will trigger a swell of unnecessary tracking and management of vulnerabilities with no patch and few mitigations.”

The second is from Chris Olson, CEO of The Media Trust:

“The ongoing convergence of information technology (IT) and operational technology (OT) has paved the way to an ever-expanding host of OT vulnerabilities that will continue to threaten public safety and national security for years to come. Even when OT systems are designed with cybersecurity in mind, an unsafe IT perimeter creates channels which global cyber actors can use to compromise critical infrastructure, especially when remote industrial control systems (ICS) come into play.”

“Today, geopolitical tensions and the growing possibility of cyberwarfare makes OT vulnerabilities a preoccupation for nation state actors. Following the Florida Water Supply hack, the attack on Colonial Pipeline and many similar incidents, these vulnerabilities represent a proven threat to the United States. In response, organizations throughout the public and private sector should not only be taking steps to secure OT, but also to harden their IT defenses and lock down their digital ecosystem.”

The third is from Christopher Prewitt, Chief Technology Officer of Inversion6:

“IoT devices are often developed as commodity products that aren’t treated as enterprise products. The IoT software development process is immature and the focus is not on security and software lifecycle, but on immediate functionality and value to the consumer.

Some product developers have been improving security within their product sets for some time, but this is a long, slow evolution, as some products may exist within the market for more than a decade. At the time of development, there wasn’t concern for how we would maintain this software for 10 to 15 years: how would updates be provided, how would code be compiled as processors, chipsets and compilers come and go?

In some cases, you may have a computer or software that is tied to a piece of industrial or healthcare equipment that is expected to have a 10 or 20 year life. Not enough thought was given to managing the hardware and software componentry.”
