Researchers disclose 56 vulnerabilities impacting thousands of OT devices

Forescout’s Vedere Labs disclosed OT:ICEFALL, 56 vulnerabilities affecting devices from 10 operational technology (OT) vendors. This is one of the single largest vulnerability disclosures that impact OT devices and directly addresses insecure-by-design vulnerabilities.

In this video for Help Net Security, Daniel dos Santos, Head of Security Research, Forescout, talks about the 56 vulnerabilities, which impact ten vendors, including Bently Nevada, Emerson, Honeywell, JTEKT, Motorola, Omron, Phoenix Contact, Siemens, and Yokogawa.

Devices affected by OT:ICEFALL

• Bently Nevada – 3700, TDI equipment – Condition monitors
• Emerson – DeltaV – Distributed control system
• Emerson – Ovation – Distributed control system
• Emerson – OpenBSI – Engineering Workstation
• Emerson – ControlWave, BB 33xx, ROC – Remote terminal unit
• Emerson – Fanuc, PACsystems – Programmable logic controller
• Honeywell – Trend IQ – Building controller
• Honeywell – Safety Manager FSC – Safety instrumented system
• Honeywell – Experion LX – Distributed control system
• Honeywell – ControlEdge – Remote terminal unit
• Honeywell – Saia Burgess PCD – Programmable logic controller
• JTEKT – Toyopuc – Programmable logic controller
• Motorola – MOSCAD, ACE IP gateway – Remote terminal unit
• Motorola – MDLC – Protocol
• Motorola – ACE1000 – Remote terminal unit
• Motorola – MOSCAD Toolbox STS – Engineering workstation
• Omoron – SYSMAC Cx series, Nx series – Programmable logic controller
• Phoenix Contact – ProConOS – Logic runtime
• Siemens – WinCC AO – Supervisory control and data acquisition (SCADA)
• Yokogawa – STARDOM – Programmable logic controller

Vulnerability impact

Although the impact of each vulnerability is highly dependent on the functionality each device offers, they fall under the following categories:

Remote code execution (RCE): Allows an attacker to execute arbitrary code on the impacted device, but the code may be executed in different specialized processors and different contexts within a processor, so an RCE does not always mean full control of a device. This is usually achieved via insecure firmware/logic update functions that allow the attacker to supply arbitrary code.

Denial of service (DoS): Allows an attacker to either take a device completely offline or to prevent access to some function.

File/firmware/configuration manipulation: Allows an attacker to change important aspects of a device such as files stored within it, the firmware running on it or its specific configurations. This is usually achieved via critical functions lacking the proper authentication/authorization or integrity checking that would prevent attackers from tampering with the device.

Compromise of credentials: Allows an attacker to obtain credentials to device functions, usually either because they are stored or transmitted insecurely.

Authentication bypass: Allows an attacker to bypass existing authentication functions and invoke desired functionality on the target device.