Report Reveals 56 Vulnerabilities in OT Devices from 10 Vendors
A new report released in June has revealed a set of 56 vulnerabilities affecting devices from 10 Operational Technology (OT) system vendors. The OT:ICEFALL study, the result of cooperation between the US Cybersecurity and Infrastructure Security Agency (CISA) and Forescout’s Vedere Labs, divided the vulnerabilities into four main categories: insecure engineering protocols, weak encryption or broken authentication schemes, flaws in firmware updates, and remote code execution via native functionality.
A table on the Forescout website shows the affected devices. The researchers recommend following each vendor’s alerts for more details and the specific impacts that may be caused by the vulnerabilities. Four issues affecting one vendor are still in the disclosure process; details have not been released, but these vulnerabilities have already been included in the quantitative analysis of the technical report.
Although the impact of each vulnerability depends on the related functionality, they fall into the following categories:
The researchers say the goal of the OT:ICEFALL study is to present a quantitative overview of vulnerabilities found in OT environments that are often insecure by design. With this overview in mind, decision-makers could rely less on lists of CVEs (Common Vulnerabilities and Exposures) for single products, for example, which are often ignored, and invest in more efficient actions to monitor and manage vulnerabilities.
Some of the key findings of this research are:
OT:ICEFALL, the name of the study, refers to the second stop on the Everest climbing route after base camp and alludes to the increasing number of vulnerabilities in OT environments. According to the researchers, “we have a mountain to climb to protect these devices and protocols.”