Security researchers have uncovered 56 flaws affecting devices from 10 OT (operational technology) vendors in what’s billed as the single largest vulnerability disclosure to affect the computing components that control industrial plants.
Forescout’s Vedere Labs, which released a summary of its findings today (June 21), said that its findings illustrate that insecure-by-design functionality is rife in the domain of industrial control devices despite several years of high-profile attacks.
OT malware including Industroyer, TRITON, Industroyer2, and INCONTROLLER has plagued the sector, which historically has relied on ‘security by obscurity’ as a defense against attack.
Isolated no more
Operational technology components control a range of devices ranging from valves in oil refineries to power plant turbines and conveyor belts in factories, or escalators in shopping malls. Years ago, these systems were isolated, but increasingly they have been connected to the internet to facilitate remote monitoring and control.
More recently operational technology devices have been connected to IT systems such as enterprise resource planning systems.
“By connecting OT to IoT (Internet of Things) and IT devices, vulnerabilities that once were seen as insignificant due to their lack of connectivity are now high targets for bad actors,” said Daniel dos Santos, head of security research at Forescout Vedere Labs.
The 56 vulnerabilities, as detailed in Forescout’s technical report (PDF), collectively affect 10 vendors including Bently Nevada, Emerson, Honeywell, JTEKT, Motorola, Omron, Phoenix Contact, Siemens, and Yokogawa. A blog post by Forescout offers an overview of the main issues uncovered.
The vulnerabilities fall into four main categories:
- Insecure engineering protocols
- Weak cryptography or broken authentication schemes
- Insecure firmware updates
- Remote code execution (RCE) via native functionality
Impacts varied but ranged from Denial of Service (DoS) and configuration manipulation through authentication bypass and (in the most severe cases) RCE.
“The vulnerabilities range from persistent insecure-by-design practices in security-certified products to inadequate attempts to fix them,” according to Forescout.
The issues uncovered were reported through the US Critical Infrastructure Security Agency’s (CISA’s) vulnerability disclosure process.
Network segmentation
In response to question from The Daily Swig, Forescout summarized what enterprises need to do to defend against these various flaws. Precautions ought to involve a combination of patching and network security threat monitoring, it said.
“Each vendor is issuing their own security advisories with specific recommendations for their affected products, which range from patching to configuration changes and enforcing network protection,” Forescout’s dos Santos told The Daily Swig.
“Forescout recommends a focus on network protections, such as improving network segmentation to mitigate the likelihood and impact of attacks, as well as network security monitoring to detect and be able to respond to attacks if they happen.”
All affected vendors have been contacted, Forescout confirmed. dos Santos explained: “The disclosure was separated in specific cases for each vendor and coordinated by CISA, which also invited national CERTs (e.g, the Japanese JPCERT/CC) for some cases. The process started three months ago and communication was done separately with each vendor, which provided some challenges in terms of aligning dates, responses, etc.”
The head of security research at Forescout Vedere Labs concluded: “I believe the disclosure process for OT is evolving and most vendors are acting better than a few years ago, but we notice that there is still some resistance in acknowledging vulnerabilities in critical devices.”
