Dozens of insecure-by-design flaws found in OT products

A new research project has uncovered 56 vulnerabilities in operational technology (OT) devices from 10 different vendors, all of which stem from insecurely designed or implemented functionality rather than programming errors. This highlights that despite the increased attention this type of critical devices have received over the past decade from both security researchers and malicious attackers, the industry is still not following fundamental secure-by-design principles.

“Exploiting these vulnerabilities, attackers with network access to a target device could remotely execute code, change the logic, files or firmware of OT devices, bypass authentication, compromise credentials, cause denials of service or have a variety of operational impacts,” researchers from security firm Forescout said in their new report.

The identified security issues, collectively dubbed OT:ICEFALL, stem from insecure engineering protocols, weak cryptographic implementations or broken authentication schemes, insecure firmware update mechanisms, and improperly protected native functionality that can be abused for remote code execution. In fact, 14% of the disclosed vulnerabilities can result in remote code execution and another 21% can lead to firmware manipulation.

Another interesting finding of this research was that many of the vulnerable devices had been certified according to different standards applicable to OT environments such as IEC 62443, NERC CIP, NIST SP 800-82, IEC 51408/CC, IEC 62351, DNP3 Security, CIP Security, and Modbus Security.

“While these standards-driven hardening efforts have certainly contributed to major improvements in the areas of security program development, risk management and architecture-level design and integration activities, these efforts have been less successful at maturing secure development lifecycles for individual systems and components,” the researchers concluded.

A history of insecurity-by-design in OT

The Forescout researchers draw comparisons between their findings and those of Project Basecamp, a research project from 10 years ago that focused on exposing insecure-by-design problems in remote terminal units (RTUs), programmable logic controllers (PLCs), and other controllers that make up the SCADA (Supervisory Control and Data Acquisition) systems used in industrial installations.

Copyright © 2022 IDG Communications, Inc.

Source link

Leave a Reply

%d bloggers like this: