OT:ICEFALL – Forescout’s Vedere Labs Identifies 56 Vulnerabilities Impacting OT Devices

By Jonathan Means on September 12, 2022

Executive Summary

In June 2022, Vedere Labs researchers released a report covering 56 new vulnerabilities in 26 device models from ten operational technology (OT) manufacturers. Insecurity by design remains a central problem in OT: one of the biggest weaknesses continues to be the lack of sufficient security controls, and OT-focused attackers have exploited this in practice [1]. The report groups its disclosures into several categories. They are particularly concerning in light of previous attacks, such as the EKANS ransomware's targeting of Honda's industrial control system (ICS) processes in June 2020 and the Oldsmar water treatment attack in Florida. Forescout showed diligence by identifying every vulnerable device it could and laying out likely attack scenarios [3]. Discovering vulnerable products and replacing them with secure-by-design devices, together with installing physical switches, are suitable ways to reduce the likelihood of a compromise [2].


Forescout’s Vedere Labs is a global team of experts focused on threat and vulnerability research, which it shares with the broader cybersecurity community. On June 20th, 2022, Vedere Labs released the latest results of its research into OT vulnerabilities under the title OT: Icefall. Icefall identifies 56 vulnerabilities affecting the devices of ten OT vendors worldwide, including Emerson and Honeywell. Vedere Labs notified all vendors involved in a responsible disclosure coordinated by Phoenix Contact and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) [2]. It divided the vulnerabilities into several categories; the four largest were insecure engineering protocols, weak cryptography or broken authentication schemes, insecure firmware updates, and remote code execution via native functionality [1]. In response, CISA released multiple corresponding Industrial Control Systems Advisories (ICSAs) to give notice of the reported vulnerabilities and identify baseline mitigations for reducing the risk from these and other cyberattacks [4].


Devices carrying the vulnerabilities identified by Icefall make desirable targets for state-sponsored actors and advanced persistent threats. Most devices mentioned in the report operate in the manufacturing industry, but several of the vulnerabilities affect devices widely used in healthcare and government [3]. Forescout laid out several attack scenarios in its report, describing what an attacker leveraging these vulnerabilities could achieve: creating false alarms, changing flow setpoints, disrupting supervisory control and data acquisition (SCADA) operations, or disabling emergency shutdown and fire safety systems [2]. Meanwhile, Shodan, a search engine that lets users look for devices connected to the internet, showed a few thousand exposed devices, even though such devices should not be reachable from the internet at all. Of the 18 million devices Forescout monitors through its Forescout Device Cloud service, nearly 30,000 were vulnerable to the Icefall Common Vulnerabilities and Exposures (CVEs) [3].


As the convergence of information technology (IT) and OT continues to give corporations and governments greater visibility, control, and monitoring capabilities, it also eases access to components that are worthwhile targets for cybercriminals. OT environments are part of many organizations vital to the United States’ national security, as the effects of the Colonial Pipeline ransomware attack showed. A single successful attack can cause significant damage to the economy. The Forescout team offers a list of recommended mitigation steps a company should take to remain secure until the vendors address the vulnerabilities [1].

  • Discover and inventory vulnerable devices. 
  • Enforce segmentation controls and proper network hygiene to mitigate the risk from vulnerable devices. 
  • Monitor progressive patches released by affected device vendors.
  • Monitor all network traffic for suspicious activity that tries to exploit insecure-by-design functionality. 
  • Actively procure secure-by-design products and migrate to secure-by-design variants of products, where available and when possible. 
  • Make use of native hardening capabilities.
  • Work toward consequence reduction by following Cyber-PHA and CCE methodologies. 
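The first two mitigation steps, discovering vulnerable devices and enforcing segmentation, reduce to reconciling an asset inventory against an affected-product list and a network-zone policy. The script below is an added example written for this summary, not Forescout's or CISA's tooling; the vendor names, model prefixes, firmware versions and addresses are constructed placeholders rather than the real Icefall product list, and the "internet exposed" set stands in for an external scan result.

```python
"""Reconcile an OT asset inventory against an affected-product list and a zone policy.

Added example; every product, version and address below is a constructed placeholder.
"""
from dataclasses import dataclass
import ipaddress
import re


@dataclass(frozen=True)
class Device:
    name: str
    vendor: str
    model: str
    firmware: str
    ip: str


# Constructed advisory table: (vendor, model prefix) -> first fixed firmware version.
# None means the vendor has not shipped a fix yet (the "monitor progressive patches" case).
AFFECTED_PRODUCTS = {
    ("examplevendor", "plc-1000"): "2.0.0",
    ("examplevendor", "rtu-20"): None,
    ("othervendor", "safety-ctrl"): "5.1",
}

# Constructed segmentation policy: the only networks OT devices are allowed to live in.
OT_ZONES = [ipaddress.ip_network("10.20.0.0/16"), ipaddress.ip_network("192.168.50.0/24")]


def normalize(text: str) -> str:
    """Lowercase and drop separators so 'Example Vendor' and 'ExampleVendor' compare equal."""
    return re.sub(r"[\s_\-]+", "", text.strip().lower())


def version_tuple(version: str) -> tuple:
    """'2.0.1' -> (2, 0, 1); only numeric components are compared."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def version_lt(a: str, b: str) -> bool:
    """Numeric version comparison; pads so '2.0' is not treated as older than '2.0.0'."""
    ta, tb = version_tuple(a), version_tuple(b)
    n = max(len(ta), len(tb))
    return ta + (0,) * (n - len(ta)) < tb + (0,) * (n - len(tb))


def match_advisory(device: Device):
    """Return ((vendor, model_prefix), fixed_version) for an affected product, else None."""
    vendor, model = normalize(device.vendor), normalize(device.model)
    for (adv_vendor, adv_model), fixed in AFFECTED_PRODUCTS.items():
        if vendor == normalize(adv_vendor) and model.startswith(normalize(adv_model)):
            return (adv_vendor, adv_model), fixed
    return None


def is_vulnerable(device: Device) -> bool:
    """Affected product that runs firmware below the fixed version, or has no fix at all."""
    hit = match_advisory(device)
    if hit is None:
        return False
    fixed = hit[1]
    return True if fixed is None else version_lt(device.firmware, fixed)


def out_of_zone(device: Device) -> bool:
    """True when the device address lies outside every approved OT zone."""
    addr = ipaddress.ip_address(device.ip)
    return not any(addr in zone for zone in OT_ZONES)


def assess(devices, internet_exposed=frozenset()):
    """Return [(device name, [issue, ...])] for every device with at least one finding."""
    findings = []
    for d in devices:
        issues = []
        if is_vulnerable(d):
            fixed = match_advisory(d)[1]
            issues.append("affected product; " + (f"upgrade to firmware {fixed}" if fixed
                          else "no vendor fix yet, rely on segmentation and monitoring"))
        if out_of_zone(d):
            issues.append(f"address {d.ip} is outside every approved OT zone")
        if d.ip in internet_exposed:
            issues.append("reachable from the internet according to the external scan")
        if issues:
            findings.append((d.name, issues))
    return findings


# Constructed inventory and external-scan result.
INVENTORY = [
    Device("line1-plc", "Example Vendor", "PLC-1000-E", "1.4.2", "10.20.3.7"),
    Device("line1-plc-patched", "ExampleVendor", "PLC-1000", "2.0", "10.20.3.8"),
    Device("pump-rtu", "examplevendor", "RTU-20", "3.1", "203.0.113.45"),
    Device("sis-ctrl", "OtherVendor", "Safety-Ctrl 4", "5.0.9", "192.168.50.12"),
    Device("hmi-ws", "Unrelated", "HMI-X", "1.0", "10.20.9.1"),
]
INTERNET_EXPOSED = frozenset({"203.0.113.45"})

if __name__ == "__main__":
    for name, issues in assess(INVENTORY, INTERNET_EXPOSED):
        print(name)
        for issue in issues:
            print("  -", issue)
```

The zone check matters as much as the version check: a device with no available fix is only acceptable while it sits inside an approved segment and is not reachable from outside, which is what the `pump-rtu` entry is there to show.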


CISA also encourages users and administrators to review the Icefall report and the ICSAs for technical details and mitigations [4].


[1] Forescout Vedere Labs. (2022, June 22). OT: ICEFALL: The legacy of “insecure by design” and its implications for certifications and risk management. Retrieved September 6, 2022, from Forescout: https://www.forescout.com/resources/ot-icefall-report/

[2] Toulas, B. (2022, June 21). Icefall: 56 flaws impact thousands of exposed industrial devices. Retrieved September 6, 2022, from BleepingComputer: https://www.bleepingcomputer.com/news/security/icefall-56-flaws-impact-thousands-of-exposed-industrial-devices/

[3] Greig, J. (2022, June 21). Siemens, Motorola, Honeywell and more affected by 56 ‘ICEFALL’ vulnerabilities. Retrieved September 6, 2022, from The Record: https://therecord.media/siemens-motorola-honeywell-and-more-affected-by-56-icefall-vulnerabilities/

[4] CISA. (2022, June 22). CISA Releases Security Advisories Related to OT:ICEFALL (Insecure by Design) Report. Retrieved September 6, 2022, from Cybersecurity & Infrastructure Security Agency: https://www.cisa.gov/uscert/ncas/current-activity/2022/06/22/cisa-releases-security-advisories-related-oticefall-insecure