The US Cybersecurity and Infrastructure Security Agency (CISA) has warned organizations to monitor recently disclosed vulnerabilities affecting operational technology (OT) devices, which should be isolated from the Internet but frequently are not.
CISA issued five advisory reports on multiple vulnerabilities affecting industrial control systems discovered by Forescout researchers.
Forescout released its “OT:ICEFALL” report this week, which addresses a series of common security vulnerabilities in operational technology (OT) device software. The bugs it revealed affect devices from Honeywell, Motorola, Siemens, and others.
OT is a subset of the Internet of Things (IoT). OT includes industrial control systems (ICS) that may be connected to the Internet, while the broader IoT category includes consumer goods such as TVs, doorbells, and routers.
Forescout detailed the 56 vulnerabilities in one report to highlight these common issues.
CISA has released five corresponding Industrial Control Systems Advisories (ICSAs) that identify the reported vulnerabilities and list basic mitigations for these and similar attacks.
The advisories cover flaws affecting software from Japan’s JTEKT, three flaws affecting devices from Germany’s Phoenix Contact, and one affecting products from Germany’s Siemens.
The ICSA-22-172-02 advisory for JTEKT TOYOPUC details missing-authentication and privilege-escalation flaws with a CVSS severity rating of 7.2 out of 10.
Defects related to Phoenix devices are described in the advisory ICSA-22-172-03 for Phoenix Contact Classic Line controllers; ICSA-22-172-04 for Phoenix Contact ProConOS and MULTIPROG; and ICSA-22-172-05: Phoenix Contact Classic Line industrial controls.
The Siemens software with a critical vulnerability is covered in advisory ICSA-22-172-06 for Siemens WinCC OA. The bug is remotely exploitable and has a CVSS score of 9.8 out of 10.
Successful exploitation of this vulnerability could allow an attacker to impersonate other users or exploit the client-server protocol without being authenticated.
OT devices should be isolated from the Internet, whether air-gapped or strictly segmented, but often they aren’t, giving attackers a far larger attack surface to work with.
The 56 vulnerabilities identified by Forescout fall into four main categories: insecure engineering protocols, weak cryptography or broken authentication schemes, insecure firmware updates, and remote code execution via native functionality.
The company published the vulnerabilities (CVEs) as a collection to illustrate that insecure-by-design flaws in hardware supplied to critical infrastructure are a common problem rather than a series of isolated incidents.
“With OT:ICEFALL, we wanted to provide a quantitative overview of vulnerabilities in OT that are insecure by design, rather than relying on the periodic bursts of CVEs for a single product or a small set of public, real-world incidents that are often brushed off as the fault of a particular vendor or asset owner,” Forescout said.
“Its purpose is to illustrate how the opaque and proprietary nature of these systems, the sub-optimal management of vulnerabilities surrounding them, and the often false sense of security afforded by certifications significantly complicate OT risk management efforts,” it said.
As Forescout detailed in a blog post, here are the main findings that developers and asset owners should be aware of:
- Insecure-by-design vulnerabilities galore: More than a third of the vulnerabilities found (38%) allow credential compromise, with firmware manipulation in second place (21%) and remote code execution in third (14%).
- Vulnerable products are often certified: 74% of the affected product families have some form of security certification, and most of the issues reported should have been discovered relatively quickly during in-depth vulnerability discovery. Contributing factors include the limited scope of evaluations, opaque security definitions, and a focus on functional testing.
- Risk management is complicated by the lack of CVEs: It is not enough to know that a device or protocol is insecure. To make informed risk management decisions, asset owners need to know how insecure these components are. Problems considered the result of insecurity by design are not always assigned CVEs, so they often remain less visible and less actionable than they should be.
- Insecure supply-chain components: Vulnerabilities in OT supply-chain components are typically not reported by every manufacturer that ships them, adding to the risk management problem.
- Not all insecure designs are created equal: None of the analyzed systems support logic signing, and most (52%) compile their logic to native machine code. 62% of the systems accept firmware downloads over Ethernet, while only 51% authenticate that functionality.
- Offensive capabilities are easier to develop than often thought: Reverse engineering a single proprietary protocol took between one day and two weeks, while doing the same for complex systems with multiple protocols took five to six months.
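The firmware-update weakness in the findings above (firmware accepted over Ethernet without authentication, no logic signing) is easiest to see as two loaders side by side. The following is an added illustration, not code from the Forescout report or from any of the vendors named here: the image format (magic, version, payload length, tag), the toy device record, the signing key and the firmware bytes are all constructed for the example. HMAC-SHA256 from the Python standard library stands in for a vendor signature so the block runs offline; a real device should verify an asymmetric signature with a public key held in immutable storage, since an HMAC secret on the device can be extracted and reused by an attacker.

```python
"""Unauthenticated firmware loader beside a hardened one (constructed example)."""
import hashlib
import hmac
import struct

MAGIC = b"FWIM"
HEADER = struct.Struct(">4sII")   # magic, version, payload length (12 bytes)
TAG_LEN = 32                       # SHA-256 HMAC tag

# Constructed demo key. With HMAC the device must hold the same secret as the
# vendor, which is exactly why a production loader uses an asymmetric signature.
VENDOR_KEY = b"constructed-demo-key-do-not-use"


def build_image(version: int, payload: bytes, key: bytes = VENDOR_KEY) -> bytes:
    """Vendor side: header || payload || tag(header || payload)."""
    header = HEADER.pack(MAGIC, version, len(payload))
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def insecure_install(device: dict, image: bytes) -> bool:
    """The pattern the report describes: whatever arrives over Ethernet is flashed."""
    device["firmware"] = image
    return True


def verified_install(device: dict, image: bytes, key: bytes = VENDOR_KEY) -> bool:
    """Hardened loader: structural checks, authenticated tag, anti-rollback."""
    if len(image) < HEADER.size + TAG_LEN:
        return False
    magic, version, length = HEADER.unpack_from(image, 0)
    if magic != MAGIC:
        return False
    body_end = HEADER.size + length
    # Exact-length check: a truncated payload or bytes smuggled after the tag
    # are both rejected before anything is touched.
    if body_end + TAG_LEN != len(image):
        return False
    expected = hmac.new(key, image[:body_end], hashlib.sha256).digest()
    # Constant-time comparison so the tag cannot be guessed byte by byte.
    if not hmac.compare_digest(expected, image[body_end:]):
        return False
    # Anti-rollback: an attacker with a genuine but older, vulnerable image
    # must not be able to downgrade the device.
    if version <= device["version"]:
        return False
    device["firmware"] = image[HEADER.size:body_end]
    device["version"] = version
    return True


def demo() -> dict:
    """Run both loaders against genuine, tampered and rollback images."""
    device_a = {"version": 3, "firmware": b""}
    device_b = {"version": 3, "firmware": b""}
    genuine = build_image(4, b"constructed firmware payload v4")
    tampered = bytearray(genuine)
    tampered[HEADER.size] ^= 0x01          # flip one bit of the payload
    rollback = build_image(2, b"constructed old payload v2")
    return {
        "insecure_accepts_tampered": insecure_install(device_a, bytes(tampered)),
        "verified_rejects_tampered": not verified_install(device_b, bytes(tampered)),
        "verified_rejects_rollback": not verified_install(device_b, rollback),
        "verified_accepts_genuine": verified_install(device_b, genuine),
        "version_after": device_b["version"],
    }


if __name__ == "__main__":
    print(demo())
```

The insecure loader is a faithful stand-in for the 49% of systems that accept firmware without authentication: any bit flip, downgrade or garbage image is written to flash. The hardened loader shows the three checks an asset owner should ask a vendor about, in the order they must run: parse and length-validate the container, authenticate the whole header-plus-payload before using any field from it, and enforce a monotonic version so signed-but-old images are refused.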