Nearly five dozen security vulnerabilities have been disclosed in devices from 10 operational technology (OT) vendors due to what researchers call are "insecure-by-design practices."
Collectively dubbed OT:ICEFALL by Forescout, the 56 issues span as many as 26 device models from Bently Nevada, Emerson, Honeywell, JTEKT, Motorola, Omron, Phoenix Contact, Siemens, and Yokogawa.
"Exploiting these vulnerabilities, attackers with network access to a target device could remotely execute code, change the logic, files or firmware of OT devices, bypass authentication, compromise credentials, cause denials of service or have a variety of operational impacts," the company said in a technical report.
These vulnerabilities could have disastrous consequences considering the impacted products are widely employed in critical infrastructure industries such as oil and gas, chemical, nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining, and building automation.
Of the 56 vulnerabilities discovered, 38% allow for compromise of credentials, 21% allow for firmware manipulation, 14% allow remote code execution, and 8% of flaws enable tampering with configuration information.
Besides potentially permitting an attacker to supply arbitrary code and make unauthorized modifications to the firmware, the weaknesses could also be leveraged to take a device completely offline and bypass existing authentication functions to invoke any functionality on the targets.
More importantly, broken authentication schemes — including bypass, use of risky cryptographic protocols, and hardcoded and plaintext credentials — accounted for 22 of the 56 flaws, indicating "subpar security controls" during implementation.
In a hypothetical real-world scenario, these shortcomings could be weaponized against natural gas pipelines, wind turbines, or discrete manufacturing assembly lines to disrupt fuel transport, override safety settings, halt the ability to control compressor stations, and alter the functioning of programmable logic controllers (PLCs).
But the threats are not just theoretical. A remote code execution flaw affecting Omron NJ/NX controllers (CVE-2022-31206) was, in fact, exploited by a state-aligned actor dubbed CHERNOVITE to develop a piece of a sophisticated malware named PIPEDREAM (aka INCONTROLLER).
Complicating risk management is the increasing interconnectedness between IT and OT networks, coupled with the opaque and proprietary nature of many OT systems, not to mention the absence of CVEs, rendering the lingering issues invisible as well as retaining such insecure-by-design features for a long time.
To mitigate OT:ICEFALL, it's recommended to discover and inventory vulnerable devices, apply vendor-specific patches, enforce segmentation of OT assets, monitor network traffic for anomalous activity, and procure secure-by-design products to beef up the supply chain.
"The development of recent malware targeting critical infrastructure, such as Industroyer2, Triton, and INCONTROLLER, has shown that threat actors are aware of the insecure by design nature of operational technology and are ready to exploit it to wreak havoc," the researchers said.
"Despite the important role that standards-driven hardening efforts play in OT security, products with insecure-by-design features and trivially broken security controls continued to be certified."
Update: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released five Industrial Controls Systems Advisories (ICSAs) related to OT:ICEFALL, urging impacted users to identify baseline mitigations for reducing potential risks arising out of exploiting these flaws.