Industrial control systems may be vulnerable to software faults, according to CISA

The United States Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning urging enterprises to check for newly discovered vulnerabilities affecting operational technology (OT) devices, which should be, but are not always, separated from the internet.

Researchers at Forescout have uncovered a slew of flaws in industrial control systems, and CISA has issued five warnings to address them.

OT:ICEFALL, a study from Forescout this week, addresses a number of common software security flaws that affect operational technology (OT) equipment. Devices from Honeywell, Motorola, Siemens, and others have been affected by the flaws they have revealed.

OT can be seen as a subset of the Internet of Things (IoT). OT refers to internet-connected industrial control systems (ICS), while IoT encompasses a larger range of consumer electronics such as televisions, doorbells, and routers.

Forescout compiled all 56 flaws into a single document in order to draw attention to these recurring issues.

Industrial Control Systems Advisories (ICSAs) issued by CISA cover five related sets of vulnerabilities and provide baseline mitigations for lowering the risk of these and other cyberattacks.

JTEKT’s software, three Phoenix Contact devices, and a Siemens product are all included in the advisory as being vulnerable to significant issues.

Authentication and privilege escalation issues in the JTEKT TOYOPUC are covered by advisory ICSA-22-1702-02. They are rated 7.2 out of 10 in severity.

ICSA-22-172-03 for Phoenix Contact Classic Line Controllers, ICSA-22-172-04 for Phoenix Contact ProConOS and MULTIPROG, and ICSA-22-172-05 for Phoenix Contact Classic Line Industrial Controllers all disclose flaws affecting Phoenix Contact devices.

ICSA-22-172-06 for Siemens WinCC OA details a serious vulnerability in Siemens software. With a severity rating of 9.8 out of 10, it is a remotely exploitable flaw.

This vulnerability might enable an attacker to impersonate other users or abuse the client-server communication without being authenticated, according to CISA’s warning.

OT devices should be isolated from the rest of the network, but this is frequently not the case, making it easier for skilled cyber attackers to get in.

Forescout identified four main categories of vulnerabilities, including weak encryption or broken authentication mechanisms, insecure firmware updates, and remote code execution through native functionality.

The vulnerabilities in critical infrastructure equipment have been disclosed as a single collection to show that they are a widespread problem rather than isolated cases.

“With OT:ICEFALL, we wanted to disclose and provide a quantitative overview of OT insecure-by-design vulnerabilities instead of relying on the periodic bursts of CVEs for a single product or a small set of public, real-world incidents that are often brushed off as a particular vendor or asset owner being at fault,” Forescout said.

According to the report, the opaque and proprietary design of these systems, inadequate vulnerability management, and a skewed perception of security created by certifications make it difficult to manage operational risk effectively.

There are a few typical mistakes that developers should be aware of, as detailed in a blog post:

  • Of the vulnerabilities detected, 38% enable credential compromise, with firmware modification coming in second (21%), and remote code execution coming in third (13%) as the most common outcomes (14 percent).
  • Of the product families affected, 74 percent have some form of security certification, yet most of the vulnerabilities reported should be found fairly quickly by an in-depth vulnerability discovery effort. Opaque security definitions and an emphasis on functional testing both contribute to this problem.
  • Security flaws that stem from intentionally insecure design have not always been assigned a Common Vulnerabilities and Exposures (CVE) identifier, and the absence of CVEs makes risk management more difficult: knowing that a device or protocol is vulnerable is not enough. Asset owners must understand how these components are insecure in order to make well-informed risk management choices.
  • Due to a lack of transparency among OT component manufacturers, it is impossible to assess the risks associated with a variety of insecure supply chain components.
  • More than half of the insecure-by-design systems studied do not support logic signing, and most of them compile control logic to native machine code (52 percent). While 62% of these systems accept firmware downloads over Ethernet, only 51% authenticate that functionality.
  • Reverse engineering a single proprietary protocol takes between one day and two weeks, while doing the same for complex, multi-protocol systems took between five and six months.