Report Reveals 56 Vulnerabilities in OT Devices from 10 Vendors

A new report released in June has revealed a set of 56 vulnerabilities affecting devices from 10 Operational Technology (OT) system vendors. The OT:ICEFALL study, the result of cooperation between the US Cybersecurity and Infrastructure Security Agency (CISA) and Forescout’s Vedere Labs, divided the vulnerabilities into four main categories: insecure engineering protocols, weak encryption or broken authentication schemes, flaws in firmware updates, and remote code execution via native functionality.

A table on the Forescout website lists the affected devices. The researchers recommend following each vendor’s advisories for details on the specific impacts of the vulnerabilities. Four issues affecting one vendor are still in the disclosure process; their details have not been released, but they are already included in the quantitative analysis of the technical report.

Although the impact of each vulnerability depends on the affected functionality, the study grouped impacts into the following categories:

  • Remote Code Execution (RCE): An attacker executes arbitrary code on the affected device, although this does not always mean full control of the equipment. Such control is usually achieved through flaws in firmware update functionality.
  • Denial of Service (DoS): An attacker takes the device completely offline or prevents access to some function.
  • File/firmware/configuration manipulation: An attacker changes important aspects of the device, such as stored files, the running firmware, or specific configurations. This usually happens through critical functions that lack proper authentication/authorization or integrity checking, which would otherwise prevent the equipment from being tampered with unnoticed.
  • Credential compromise: An attacker obtains credentials that allow device functions to be performed, usually because those credentials are stored or transmitted insecurely.
  • Authentication bypass: An attacker bypasses existing authentication functions to reach the desired functionality on the device.

The researchers say the goal of the OT:ICEFALL study is to present a quantitative overview of vulnerabilities found in OT environments that are often insecure by design. With this overview in mind, decision-makers could rely less on per-product lists of CVEs (Common Vulnerabilities and Exposures), which are often ignored, and invest instead in more efficient actions to monitor and manage vulnerabilities.

Some of the key findings of this research are:

  • Vulnerabilities resulting from insecure design are plentiful: More than a third of the vulnerabilities found (38%) facilitate credential compromise. Firmware manipulation comes second (21%), followed by remote code execution (14%). The main examples of problems caused by insecure design are the nine vulnerabilities related to unauthenticated protocols, but many broken authentication schemes also demonstrate poor-quality security controls.
  • Vulnerable products are certified: 74% of the affected product families have some form of certification, yet most of the reported problems were discovered relatively quickly. Factors contributing to this are the limited scope of evaluations, opaque definitions of security, and a focus on functional testing.
  • Risk management is complicated by the lack of CVEs: To make informed risk management decisions, decision-makers need to know in what ways these components are insecure. Insecure-by-design issues have not always been assigned CVEs, so they have remained invisible.
  • Insecure components exist by design in supply chains: Vulnerabilities in components used in the OT supply chain tend not to be reported by every affected manufacturer, making risk management difficult.
  • Not all insecure designs are alike: The study investigated three main routes to RCE on level 1 devices via native functionality: logic downloads, firmware updates, and memory read/write operations. None of the analyzed systems supports logic signing, and most (52%) compile their logic into native machine code. Also, 62% of the systems support firmware downloads via Ethernet, but only 51% authenticate this functionality.
  • Offensive capabilities are easier to develop than imagined: Reverse engineering a single proprietary protocol took between 1 day and 2 weeks, and 5 to 6 months for complex, multi-protocol systems. This shows that tooling for attacking OT environments can be developed by a small but skilled team at a reasonable cost.

The study’s name, OT:ICEFALL, refers to the second stop on the Everest climbing route after base camp and alludes to the growing number of vulnerabilities in OT environments. According to the researchers, “we have a mountain to climb to protect these devices and protocols.”