Researchers disclose 56 vulnerabilities impacting thousands of OT devices

Forescout’s Vedere Labs disclosed OT:ICEFALL, a set of 56 vulnerabilities affecting devices from 10 operational technology (OT) vendors. It is one of the largest single vulnerability disclosures affecting OT devices, and it directly addresses insecure-by-design vulnerabilities.

In this video for Help Net Security, Daniel dos Santos, Head of Security Research, Forescout, talks about the 56 vulnerabilities, which impact ten vendors, including Bently Nevada, Emerson, Honeywell, JTEKT, Motorola, Omron, Phoenix Contact, Siemens, and Yokogawa.

Devices affected by OT:ICEFALL

  • Bently Nevada – 3700, TDI equipment (condition monitors)
  • Emerson – DeltaV (distributed control system)
  • Emerson – Ovation (distributed control system)
  • Emerson – OpenBSI (engineering workstation)
  • Emerson – ControlWave, BB 33xx, ROC (remote terminal unit)
  • Emerson – Fanuc, PACsystems (programmable logic controller)
  • Honeywell – Trend IQ (building controller)
  • Honeywell – Safety Manager FSC (safety instrumented system)
  • Honeywell – Experion LX (distributed control system)
  • Honeywell – ControlEdge (remote terminal unit)
  • Honeywell – Saia Burgess PCD (programmable logic controller)
  • JTEKT – Toyopuc (programmable logic controller)
  • Motorola – MOSCAD, ACE IP gateway (remote terminal unit)
  • Motorola – MDLC (protocol)
  • Motorola – ACE1000 (remote terminal unit)
  • Motorola – MOSCAD Toolbox STS (engineering workstation)
  • Omron – SYSMAC Cx series, Nx series (programmable logic controller)
  • Phoenix Contact – ProConOS (logic runtime)
  • Siemens – WinCC OA (supervisory control and data acquisition, SCADA)
  • Yokogawa – STARDOM (programmable logic controller)

Vulnerability impact

Although the impact of each vulnerability is highly dependent on the functionality each device offers, they fall under the following categories:

Remote code execution (RCE): Allows an attacker to execute arbitrary code on the impacted device. That code may run on different specialized processors, and in different contexts within a processor, so an RCE does not always mean full control of the device. RCE is usually achieved via insecure firmware/logic update functions that allow the attacker to supply arbitrary code.

Denial of service (DoS): Allows an attacker to either take a device completely offline or to prevent access to some function.

File/firmware/configuration manipulation: Allows an attacker to change important aspects of a device such as files stored within it, the firmware running on it or its specific configurations. This is usually achieved via critical functions lacking the proper authentication/authorization or integrity checking that would prevent attackers from tampering with the device.

Compromise of credentials: Allows an attacker to obtain credentials to device functions, usually either because they are stored or transmitted insecurely.

Authentication bypass: Allows an attacker to bypass existing authentication functions and invoke desired functionality on the target device.
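The RCE and file/firmware manipulation categories above both come down to an update function that writes whatever it is sent, with no authentication or integrity check. The following Go program is an added illustration of that difference, not code from Forescout or from any of the vendors named here: it models a toy device with two update paths, one that trusts any image (the insecure-by-design behaviour described above) and one that accepts an image only if its Ed25519 signature verifies under a vendor public key provisioned on the device. The device model, the sample image bytes and the key pair are all constructed for this example; a real implementation would pin the key in hardware-protected storage and also protect against rollback to an older signed image.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrBadSignature is returned when an image fails the vendor-signature check.
var ErrBadSignature = errors.New("firmware image rejected: signature does not verify")

// UpdateImage is the blob an engineering workstation pushes to the device.
// Signature is simply ignored by an update function that never checks one.
type UpdateImage struct {
	Payload   []byte
	Signature []byte
}

// Device is a minimal stand-in for a PLC or RTU exposing a firmware/logic
// update function. VendorKey is the provisioned public key (nil if none).
type Device struct {
	Firmware  []byte
	VendorKey ed25519.PublicKey
}

// ApplyInsecure models the insecure-by-design behaviour the article describes:
// whatever image arrives is written to the device with no authentication or
// integrity check, so any host that can reach the update port replaces the code.
func (d *Device) ApplyInsecure(img UpdateImage) error {
	d.Firmware = append([]byte(nil), img.Payload...)
	return nil
}

// ApplyVerified is the hardened variant: the image is accepted only if its
// Ed25519 signature verifies under the vendor key provisioned on the device.
// A device with no key refuses the update rather than falling open.
func (d *Device) ApplyVerified(img UpdateImage) error {
	if len(d.VendorKey) != ed25519.PublicKeySize {
		return errors.New("no vendor public key provisioned on device")
	}
	if !ed25519.Verify(d.VendorKey, img.Payload, img.Signature) {
		return ErrBadSignature
	}
	d.Firmware = append([]byte(nil), img.Payload...)
	return nil
}

// SignImage is the vendor's build-pipeline step, not something the device does.
func SignImage(priv ed25519.PrivateKey, payload []byte) UpdateImage {
	return UpdateImage{Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// DemoResult records how each variant treated a genuine and a tampered image.
type DemoResult struct {
	InsecureAcceptsTampered bool
	VerifiedAcceptsGenuine  bool
	VerifiedRejectsTampered bool
}

// RunDemo generates a throwaway vendor key pair, signs a constructed sample
// image, tampers with a copy of it, and feeds both to both update variants.
func RunDemo() (DemoResult, error) {
	var res DemoResult
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return res, err
	}
	// Constructed sample firmware; a real image is a binary, not a string.
	genuine := SignImage(priv, []byte("SAMPLE-FW v2.0 (constructed for this example)"))

	// Modified copy: same signature, one byte of payload flipped.
	tampered := UpdateImage{
		Payload:   append([]byte(nil), genuine.Payload...),
		Signature: genuine.Signature,
	}
	tampered.Payload[0] ^= 0xff

	insecure := &Device{}
	if err := insecure.ApplyInsecure(tampered); err == nil {
		res.InsecureAcceptsTampered = true
	}

	verified := &Device{VendorKey: pub}
	if err := verified.ApplyVerified(genuine); err == nil {
		res.VerifiedAcceptsGenuine = true
	}
	err = verified.ApplyVerified(tampered)
	res.VerifiedRejectsTampered = errors.Is(err, ErrBadSignature)
	return res, nil
}

func main() {
	res, err := RunDemo()
	if err != nil {
		fmt.Println("demo failed:", err)
		return
	}
	fmt.Printf("insecure update accepted tampered image: %v\n", res.InsecureAcceptsTampered)
	fmt.Printf("verified update accepted genuine image:  %v\n", res.VerifiedAcceptsGenuine)
	fmt.Printf("verified update rejected tampered image: %v\n", res.VerifiedRejectsTampered)
}
```

The point for a defender is that the signature check is the only thing separating "file/firmware manipulation" from a routine maintenance action; where a fielded device cannot be patched to verify images, the same check has to be enforced upstream, by restricting which hosts may reach the update port and by alerting on any update traffic that does not originate from the engineering workstation.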
