Industry Reactions to 'OT:Icefall' Vulnerabilities Found in ICS Products

Cybersecurity firm Forescout has disclosed OT:Icefall, a collection of 56 vulnerabilities discovered across the products of ten companies that make operational technology (OT) systems.

Forescout researchers discovered issues related to insecure engineering protocols, weak cryptography or broken authentication schemes, insecure firmware update mechanisms, and native functionality abuse.

The security holes impact various types of industrial control systems (ICS), including engineering workstations, PLCs, distributed control systems, building controllers, safety instrumented systems, remote terminal units, and SCADA systems. Exploitation of the flaws can lead to remote code execution, DoS attacks, firmware manipulation, compromised credentials, and authentication bypass.

Affected vendors include Baker Hughes (Bentley Nevada), Emerson, Honeywell, JTEKT, Motorola, Omron, Phoenix Contact, Siemens, and Yokogawa. These companies have started sharing mitigations for the vulnerabilities.

Industry professionals have commented on various aspects of the OT:Icefall vulnerabilities and have provided recommendations for impacted organizations.

Ron Fabela, Co-founder and CTO, SynSaber:

“While the breadth and depth of the vulnerabilities identified in OT:ICEFALL seem like a doomsday scenario, Forescout has just outlined what many of us in the industry already know: Protocols are not secure, unauthenticated, and other 'insecure by design' engineering choices that were never really meant to be CVEs. Again, these are not vulnerabilities as information security would identify them, but truly 'that's not a bug, it's a feature' for industrial.

Protocols were designed to not use authentication, and although there are secure options for industrial protocols, there has been slow adoption. 'Protocol does not use authentication' could generate thousands of CVEs across multiple vendors and business lines, because there was never meant to be authentication. But does generating thousands of CVEs, tying up vendor product security teams and asset owners, really cause a positive impact on the security of our critical infrastructure? The OT:ICEFALL report is well constructed, highly detailed, and great insight from a security perspective on legacy ICS 'vulnerabilities,' however, because CVE numbers are being generated, this will trigger a swell of unnecessary tracking and management of vulnerabilities with no patch and few mitigations.”

Chris Olson, CEO, The Media Trust:

“The ongoing convergence of information technology (IT) and operational technology (OT) has paved the way to an ever-expanding host of OT vulnerabilities that will continue to threaten public safety and national security for years to come. Even when OT systems are designed with cybersecurity in mind, an unsafe IT perimeter creates channels which global cyber actors can use to compromise critical infrastructure, especially when remote industrial control systems (ICS) come into play.

Today, geopolitical tensions and the growing possibility of cyberwarfare makes OT vulnerabilities a preoccupation for nation state actors. Following the Florida Water Supply hack, the attack on Colonial Pipeline and many similar incidents, these vulnerabilities represent a proven threat to the United States. In response, organizations throughout the public and private sector should not only be taking steps to secure OT, but also to harden their IT defenses and lock down their digital ecosystem.”

Deral Heiland, Principal Security Researcher, Rapid7:

“A number of these discovered vulnerabilities are related to hard coded or default credentials. While not new issues, hard coded and default credential vulnerabilities have been haunting the industry for quite some time and are often the most typical issues found within embedded technology solutions, including Medical, Industrial (OT) and Consumer grade devices. I highly recommend all vendors of embedded technology devices (OT, IoT) start out by applying NIST Document NISTIR 8259 ‘IoT Device Cybersecurity Capability Core Baseline’ guidelines to their products. This will at least solve some of the core issues that we continue to encounter.”

Chris Clements, VP of Solutions Architecture, Cerberus Sentinel:

“One may incorrectly assume that the industrial control and operational technology devices that perform some of the most vital and sensitive tasks in critical infrastructure environments would be among the most heavily secured systems in the world, yet the reality is often the exact opposite. Far too many devices in these roles have security controls that are frighteningly easy for attackers to defeat or bypass to take complete control of the devices.

I believe this is an industry that is experiencing a long overdue cybersecurity reckoning. Manufacturers of sensitive operational technology devices must adopt a culture of cybersecurity that starts at the very beginning of the design process but continues through to validating the resulting implementation in the final product. It’s also critical that organizations are honest about their ability to perform such validations themselves. Schneier’s law famously posited this limitation almost two and a half decades ago: ‘Anyone, from the most clueless amateur to the best cryptographer, can create an algorithm that he himself can't break. It's not even hard. What is hard is creating an algorithm that no one else can break, even after years of analysis.’

Manufacturers should heed this advice and recruit personnel or contract with outside organizations with experience in breaking the systems they make to validate that the final product is as secure as possible against exploitation by threat actors who have advanced sophistication and powerful motivation to compromise the critical infrastructure customers who use their devices.”

Ryan Cribelar, Vulnerability Research Engineer, Nucleus Security:

“Insecure-by-design is coming back to haunt us with the release of these Icefall vulnerabilities. The introduction of more complex IT systems on top of the dusty OT/ICS systems has allowed attackers to find some of the most basic flaws in our most vital technology. From a security methodology perspective, a long time ago folks decided that with the CIA model in mind, availability and integrity were more important than confidentiality as it relates to OT systems and ICS environments. If something running is keeping someone alive, it needs to be available, and we need to ensure it is functioning properly and as expected. This logic was innocent in its intent because cyberattacks were of, basically, no concern! There are OT networks out there that were built without any thought to a cyberattack, because they simply didn’t exist yet.

The layering of additional IoT and IT devices has given attackers a pickaxe to start digging at what is behind them, OT and ICS. There are hosts of malware being made to specifically target critical infrastructure which is something that is fairly new in the space. This needs to be met with a daring, aggressive response that looks to learn from our mistakes with insecure-by-design OT and ICS systems. A lack of response to engage in mitigation of a vulnerability found in OT or ICS environments can be caused by something as simple as a missing CVE! Some vulnerabilities discovered in OT go under the radar simply because everyone knows OT is insecure. One could argue the recent events surrounding the war in Ukraine are catalysts for attackers to understand, learn from and discover new attack vectors for OT and ICS environments.

What this and other advancements in offensive security in the last two decades have shown is that insecure-by-design is a principle that should be left in the security graveyard, as this should be seen as a non-response when conducting risk assessments. Current certifications that allow for this design to exist should update their procedures to better reflect the new environments our critical infrastructure lives in. What is so damning about this situation overall is that some of these attacks, on critical infrastructure, can be accomplished by a small but skilled team with basic OT offensive capabilities and reasonable cost. Attackers are learning it doesn’t take a power-state to conduct offensive operations on another power-state. It simply takes a small group with the right incentive.”

Rajiv Pimplaskar, CEO, Dispersive Holdings:

“As the report illustrates, critical infrastructure industries that utilize ICS SCADA systems and IoT devices pose appealing soft targets for threat actors as a significant percentage of the estate has vulnerabilities. Also, they tend to fall out of the purview of the IT organization’s responsibility and its cyber security program.

Oil and gas, chemical, nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining, and building automation and other operations technology (OT) intensive businesses should be especially vigilant and actively secure their OT estate using zero trust strategies and leveraging next gen VPN technologies that are capable of protecting both IT and OT assets. A key strategy is cloud obfuscation where source and destination relationships and sensitive data flows are anonymized and privatized using a smart secure communications overlay that makes it virtually impossible for a bad actor to even detect and target such vulnerable devices in the first place.”

Terry Olaes, Director of Sales Engineering, Skybox:

“This is yet another reminder that critical infrastructure remains a top target for cybercriminals. Skybox Research Lab found that new vulnerabilities in operational technology (OT) products have risen 88% year over year. Too often, our researchers see organizations that only rely on conventional approaches to vulnerability management move to patch the highest severity vulnerabilities first based on the Common Vulnerability Scoring System (CVSS). Cybercriminals know this is how many companies handle their cybersecurity, so they’ve learned to take advantage of vulnerabilities seen as less critical to carry out their attacks. Additionally, in the case for OT, the mechanisms used to exploit these devices are less sophisticated due to the design of these technologies to minimize friction and focus on HSE impact, above all. This enables bad actors to identify and weaponize new exploits more quickly, resulting in the drastic vulnerability count increase.

[...]

To stay ahead of cybercriminals, companies must address vulnerability exposure risks before hackers attack them. That means taking a more proactive approach to vulnerability management by learning to identify and prioritize exposed vulnerabilities across the entire threat landscape. Organizations should ensure they have solutions capable of quantifying the business impact of cyber risks into economic impact. This will help them identify and prioritize the most critical threats based on the size of the financial impact, among other risk analyses such as exposure-based risk scores. They must also enhance the maturity of their vulnerability management programs to ensure they can quickly discover whether or not a vulnerability impacts them and how urgent it is to remediate.”

James McQuiggan, Security Awareness Advocate, KnowBe4:

“Regarding OT (operational technology) systems used in manufacturing, power generation, or industrial control systems (ICS), those systems must be protected behind firewalls, with strong access controls and, if possible, additional segmentation to reduce the risk of compromise and exploitation.

With the recent vulnerabilities released and the high impact of remote code execution, compromised credentials, and authentication bypass, a cybercriminal can quickly gain access into an ICS environment to do nefarious and dangerous actions. Conducting a Shodan search (the Google of internet-connected devices), it's been discovered that almost 6000 vulnerable devices related to the Icefall report are exposed to the internet with little to no protection.

Organizations want to isolate devices they cannot patch or update and consider moving them behind additional firewalls. Consider using jump systems for remote access or having any machine data sent to somewhere else internally in their organization for data collection.”

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.