OT:ICEFALL demonstrates the legacy of “insecure by design” OT, and its implications for certifications and risk management

Dubai, United Arab Emirates; 21 June 2022:

Forescout’s Vedere Labs, in collaboration with CISA’s vulnerability disclosure process, today is disclosing OT:ICEFALL, 56 vulnerabilities affecting devices from 10 OT (operational technology) vendors. This is one of the single largest vulnerability disclosures that impact OT devices and directly addresses insecure-by-design vulnerabilities.

It has been ten years since Project Basecamp, a research project conducted by Digital Bond, who investigated how critical OT devices and protocols were insecure by design. Since then, real-world OT malware including Industroyer, TRITON, Industroyer2 and INCONTROLLER, has been hugely impactful in the abuse of insecure-by-design functionality.

“The rapid expansion of the threat landscape is well documented at this stage. By connecting OT to IoT and IT devices, vulnerabilities that once were seen as insignificant due to their lack of connectivity are now high targets for bad actors.” said Daniel dos Santos, Head of Security Research, Forescout Vedere Labs.  “10 years on from BASECAMP and now ICEFALL, we have a very long way to go to reach the summit of these OT design practices. These types of vulnerabilities, and the proven desire for attackers to exploit them, demonstrate the need for robust, OT-aware network monitoring and deep-packet-inspection (DPI) capabilities.”

The 56 vulnerabilities, detailed in Forescout’s technical report, impact ten vendors, including Bently Nevada, Emerson, Honeywell, JTEKT, Motorola, Omron, Phoenix Contact, Siemens, and Yokogawa.

Although the impact of each vulnerability is highly dependent on the functionality each device offers, they fall under the following categories:

  • Remote code execution (RCE): Allows an attacker to execute arbitrary code on the impacted device, but the code may be executed in different specialized processors and different contexts within a processor, so an RCE does not always mean full control of a device. This is usually achieved via insecure firmware/logic update functions that allow the attacker to supply arbitrary code.
  • Denial of service (DoS): Allows an attacker to either take a device completely offline or to prevent access to some function.
  • File/firmware/configuration manipulation: Allows an attacker to change important aspects of a device such as files stored within it, the firmware running on it or its specific configurations. This is usually achieved via critical functions lacking the proper authentication/authorization or integrity checking that would prevent attackers from tampering with the device.
  • Compromise of credentials: Allows an attacker to obtain credentials to device functions, usually either because they are stored or transmitted insecurely.
  • Authentication bypass: Allows an attacker to bypass existing authentication functions and invoke desired functionality on the target device.

Insecure-by-design vulnerabilities

The vulnerabilities and associated issues disclosed in this report range from persistent insecure-by-design practices in security-certified products to inadequate attempts to fix them.

It is crucial for asset owners to understand how the opaque and proprietary nature of these systems, the suboptimal vulnerability management surrounding them, and the often-false sense of security offered by certifications complicate OT risk management efforts.

-ends-