Vedere Labs researchers released a report in June 2022 concerning 56 new vulnerabilities in 26 models of devices from ten different operational technology (OT) manufacturers. As insecurity by design remains relevant in OT, one of the biggest security problems continues to be the lack of sufficient controls, and OT-focused attackers have exploited this in practice [1]. The report’s disclosures break down into several categories. They are particularly concerning in light of previous attacks, such as when the EKANS ransomware gang targeted Honda’s industrial control system (ICS) processes in June 2020, or the Oldsmar water treatment attack in Florida. Forescout showed diligence by identifying all vulnerable devices possible and laying out likely attack scenarios [3]. Discovering and replacing vulnerable products with “secure-by-design” devices and installing physical switches are suitable methods to diminish the possibility of a compromise [2].
Background
Forescout’s Vedere Labs is a global team of experts focused on threat and vulnerability research, which they share with the broader cybersecurity community. On June 20th, 2022, Vedere Labs released the latest results from their research into OT vulnerabilities, titled OT:Icefall. Icefall identifies 56 vulnerabilities affecting the devices of ten OT vendors worldwide, including Emerson and Honeywell. Vedere Labs notified all vendors involved in a responsible disclosure coordinated by Phoenix Contact and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) [2]. They divided the vulnerabilities into several categories; the four most extensive were insecure engineering protocols, weak cryptography or broken authentication schemes, insecure firmware updates, and remote code execution via native functionality [1]. As a result, CISA released multiple corresponding Industrial Control Systems Advisories (ICSAs) to provide notice of the reported vulnerabilities and identify baseline mitigations for reducing the risk of these and other cybersecurity attacks [4].
Impact
The vulnerable devices identified by Icefall make desirable targets for state-sponsored actors and advanced persistent threats. Most devices mentioned in the report operate within the manufacturing industry, but several of the vulnerabilities affect devices used widely in healthcare and government [3]. Forescout laid out several attack scenarios in its report, alluding to the possible results of an attacker leveraging these vulnerabilities, including creating false alarms, changing flow setpoints, disrupting supervisory control and data acquisition (SCADA) operations, or disabling emergency shutdown and fire safety systems [2]. Meanwhile, Shodan, a search engine that allows users to look for devices connected to the internet, showed a few thousand exposed devices, even though these devices are not supposed to be discoverable by entities on the internet. Of the 18 million devices Forescout monitors through its Forescout Device Cloud service, nearly 30,000 were vulnerable to the Icefall Common Vulnerabilities and Exposures (CVEs) [3].
Conclusion
As the intersection of information technology (IT) and OT continues to provide corporations and governments greater visibility, control, and monitoring capabilities, it also enables easier access to components that are worthwhile targets for cybercriminals. OT environments are a part of many organizations vital to the United States’ national security, as seen in the effects of the Colonial Pipeline ransomware attack. One successful attack can cause significant issues within the economy. The Forescout team offers a list of recommended mitigation steps a company should take to remain secure until the vendors address the vulnerabilities [1]:
Discover and inventory vulnerable devices.
Enforce segmentation controls and proper network hygiene to mitigate the risk from vulnerable devices.
Monitor progressive patches released by affected device vendors.
Monitor all network traffic for suspicious activity that tries to exploit insecure-by-design functionality.
Actively procure secure-by-design products and migrate to secure-by-design variants of products, where available and when possible.
Make use of native hardening capabilities.
Work toward consequence reduction by following Cyber-PHA and CCE methodologies.
CISA also encourages users and administrators to review the Icefall report and the ICSAs for technical details and mitigations [4].
References
[1] Forescout Vedere Labs. (2022, June 22). OT:ICEFALL: The legacy of “insecure by design” and its implications for certifications and risk management. Retrieved September 6, 2022, from Forescout: https://www.forescout.com/resources/ot-icefall-report/
[2] Toulas, B. (2022, June 21). Icefall: 56 flaws impact thousands of exposed industrial devices. Retrieved September 6, 2022, from BleepingComputer: https://www.bleepingcomputer.com/news/security/icefall-56-flaws-impact-thousands-of-exposed-industrial-devices/
[3] Greig, J. (2022, June 21). Siemens, Motorola, Honeywell and more affected by 56 ‘ICEFALL’ vulnerabilities. Retrieved September 6, 2022, from therecord.media: https://therecord.media/siemens-motorola-honeywell-and-more-affected-by-56-icefall-vulnerabilities/
[4] CISA Releases Security Advisories Related to OT:ICEFALL (Insecure by Design) Report. (2022, June 22). Retrieved September 6, 2022, from Cybersecurity & Infrastructure Security Agency: https://www.cisa.gov/uscert/ncas/current-activity/2022/06/22/cisa-releases-security-advisories-related-oticefall-insecure