Forescout discloses 'OT:Icefall,' 56 flaws from 10 vendors

Forescout disclosed more than 50 vulnerabilities Tuesday affecting operational technology from 10 different vendors.

All 56 operational technology flaws were presented under the banner of "OT:Icefall," and all were originally reported by Forescout threat intelligence team Vedere Labs. The vulnerabilities vary in severity, but a number of them allow for credential theft, remote code execution and firmware manipulation.

Vendors affected include Emerson, Honeywell, Motorola, Omron, Yokogawa, JTekt, Bently Nevada, Phoenix Contact, Siemens and a 10th vendor that has not yet been disclosed. The flaws encompass many popular products, such as Emerson ControlWave, a programmable logic controller, and Honeywell Safety Manager, a system used to process safety-related data in industrial settings like oil and gas plants, among others.

A complete list of vulnerabilities -- barring the four belonging to an undisclosed vendor -- with technical breakdowns is available in Forescout's report. The report includes a series of attack scenarios showing how threat actors could disrupt natural gas transport, wind power generation and discrete manufacturing.

The vulnerabilities are separated into four categories: insecure engineering protocols, insecure firmware updates, remote code execution via native functionality, and weak cryptography or broken authentication schemes.

The theme of OT:Icefall is "insecure-by-design" vulnerabilities, a class of bugs commonly seen in OT that inherently exist as part of deliberate features from the manufacturer and don't always receive designated CVEs. The report states that the problem is less that these flaws exist, but more that much of the technology with these flaws lacks sufficient security controls and consistent vulnerability reporting.

"The goal is to illustrate how the opaque and proprietary nature of these systems, the suboptimal vulnerability management surrounding them, and the often false sense of security offered by certifications significantly complicate OT risk management efforts," the report read.

OT and industrial control system (ICS) flaws can be problematic compared with bugs affecting IT networks for several reasons. ICS/OT is typically seen in critical infrastructure, manufacturing, healthcare and other industrial settings. If threat actors hijack systems that control electricity or public water, for example, the consequences can prove more perilous than most IT ransomware attacks.

In addition, industrial control systems are made to last for years, if not decades, and taking systems offline for vulnerability mitigation or patching can be a difficult, complicated undertaking for many organizations. A simple reset can mean production delays, or worse, potential downtime for a critical service.

Daniel dos Santos, head of security research at Forescout, told SearchSecurity in an email that the bugs were first disclosed to vendors in March, though the discovery timing of each varied.

"Some were discovered recently, and some were known for a longer time but not disclosed before because historically, insecure-by-design issues were not assigned CVEs," he said. "Since we noticed a recent shift in the community toward accepting those as CVEs, we bundled all the 56 issues together and started the disclosure process."

Asked about the challenges of disclosing flaws to 10 vendors at once, dos Santos pointed to the coordination aspect of the report.

"There were some challenges in communication and coordination of the publication date, because each vendor was treated in a separate case instead of bundling them all in one case (to avoid information leakage)," he said in the email. "There were also some vendors who provided answers very late in the process, which made it hard to coordinate advisories, affected products/versions, mitigations, etc.

"Overall, we were happy that we got responses from almost every vendor," dos Santos said, "which was not the case in past research we did about supply chain vulnerabilities, where we saw that many vendors treated third-party vulnerabilities as 'not their own.'"

Alexander Culafi is a writer, journalist and podcaster based in Boston.