Industrial Cybersecurity Alert: 56 Insecure-by-Design Flaws
Bugs Allow Attackers to 'Abuse Native Capabilities of OT Equipment,' Expert Warns
If a vendor builds a product with exploitable vulnerabilities that are present due to design decisions, should these be classified as anything other than bugs?
That's one question posed by the release this week of information pertaining to 56 vulnerabilities across operational technology - aka OT - hardware and software from 10 different vendors, discovered by researchers at San Jose, California-based Forescout, which builds technology to maintain visibility of and control over network devices.
The vulnerabilities have been detailed in a report authored by Forescout's Vedere Labs research team, titled OT:Icefall. The name is a reference to climbing Mount Everest - Icefall is the stop after Base Camp - and by extension, the steep challenges facing defenders of OT networks.
Operational technology environments center on industrial operations and often include industrial control systems as well as the Supervisory Control and Data Acquisition - or SCADA - systems used to manage them. But just like IT environments, OT environments are at risk of being remotely accessed and manipulated if hackers can find vulnerabilities or misconfigurations to exploit.
The 56 different flaws detailed in the report are not directly tied to each other but are being grouped together "because they are related to 'insecure by design' functionality, i.e., they allow attackers to abuse native capabilities of OT equipment to attack these devices," Daniel dos Santos, head of security research at Forescout, tells Information Security Media Group. "This is opposed to vulnerabilities arising from programming errors - such as memory corruption or logic flaws, for instance."
As with any type of software, there's no single culprit for how such vulnerabilities come to be present in OT software or hardware. For this series of vulnerabilities, "we subdivide the 56 vulnerabilities into four categories: insecure engineering protocols, weak cryptography or broken authentication schemes, insecure firmware updates and remote code execution via native functionality," dos Santos says.
Forescout's report says that of the vulnerabilities detailed, "38% allow for compromise of credentials, 21% allow for firmware manipulation and 14% allow remote code execution." In addition, despite the flaws that have been discovered, "74% of affected product families have some form of security certification" attesting to code-level checks that were supposedly already conducted.
The public release of information on the flaws was coordinated in advance with all relevant vendors to give them time to prep patches or at least detail recommended mitigations or other workarounds, dos Santos says.
Repeat Problem: 'Insecure by Design'
Forescout's report "is the product of long-term research into how to monitor operational technology networks," dos Santos says. "Some of these vulnerabilities were found very recently and some were found more than a year ago. But in the past there was little interest in assigning CVE IDs to insecure-by-design functionality."
Many security teams use the Common Vulnerabilities and Exposures list of publicly disclosed software flaws to help them identify and track which flaws are present in their organization, and with what severity, to guide remediation and mitigation efforts.
But dos Santos says the security community, on the whole, now seems to be taking OT flaws more seriously.
Indeed, the U.S. Cybersecurity and Infrastructure Security Agency on Tuesday began issuing multiple ICS security alerts for products detailed in the report. "CISA has released five corresponding Industrial Control Systems Advisories (ICSAs) currently to provide notice of the reported vulnerabilities and identify baseline mitigations for reducing risks to these and other cybersecurity attacks," the agency says.
The alerts highlight vulnerabilities in multiple versions of:
- Phoenix Contact Classic Line Controllers - CVE-2022-31800;
- Phoenix Contact ProConOS and MULTIPROG - CVE-2022-31801;
- Phoenix Contact Classic Line Industrial Controllers - CVE-2019-9201;
- JTEKT's TOYOPUC products - CVE-2022-29951;
- Siemens WinCC OA - CVE-2022-33139.
The first three alerts center on vulnerabilities that each carry a CVSS rating of 9.8, meaning that an attacker who successfully exploited one of them on a system could execute any code of their choosing.
Of the 56 flaws detailed in Forescout's report, one-third could be used for remote code execution. "Exploiting these vulnerabilities, attackers with network access to a target device could remotely execute code, change the logic, files or firmware of OT devices, bypass authentication, compromise credentials, cause denials of service or have a variety of operational impacts," Forescout says in its report.
Supply Chain Challenges
While the four categories of flaws detailed in the OT:Icefall report are common across OT hardware and software, dos Santos says other types of flaws also oftentimes exist. For reference, he points to research released by his team in 2020, dubbed Project Memoria, "which has identified close to 100 vulnerabilities in the TCP/IP stacks used by many operational technology devices" (see: Millions of IoT Devices at Risk From TCP/IP Stack Flaws).
Such flaws are concerning in part because the designers of many different types of internet of things devices often use prebuilt - and oftentimes free - components, such as TCP/IP stacks, in the firmware that runs their devices. If these components have software flaws, that puts the devices and any network they touch at risk. Many vendors, furthermore, do not rapidly issue patches when problems come to light, and even when they do, uptake may be low. OT products may also only get refreshed every 10 or 20 years, meaning known, exploitable flaws may be present for a significant period of time.
One example of the supply chain software problem: Forescout says that the Phoenix Contact - previously KW-Software - ProConOS/eCLR runtime system is widely used in programmable logic controllers, or PLCs. But known vulnerabilities in that Phoenix Contact software do not necessarily get assigned to every product that embeds it. Accordingly, users may not be aware that the product they're using has a known, exploitable flaw.
Unraveling these supply chains to identify the software that gets built into any given OT device, so that underlying vulnerabilities can be tracked, remains difficult.
Such software supply chain problems are not unique to the industrial cybersecurity sphere. Notably, many organizations are still attempting to mitigate or patch flaws in the Apache Log4j logging framework that has been built into hundreds of products. But it's not always clear which products have Log4j built in or what version of the software might be present (see: Google Unveils Service to Secure Open-Source Dependencies).