OT:ICEFALL - Forescout Discloses 56 Vulnerabilities in OT Devices

On June 20, Forescout’s Vedere Labs published a blog post detailing its discovery of 56 vulnerabilities across nine vendor’s products in operational technology (OT). A tenth vendor is also affected by four vulnerabilities, but they are still going through the disclosure process. This set of vulnerabilities are all tied to “insecure-by-design” features within the following products:

• Bently Nevada 
  • 3700
  • TDI equipment 
• Emerson
  • DeltaV 
  • Ovation 
  • OpenBSI 
  • ControlWave
  • BB 33xx
  • ROC 
  • Fanuc
  • PACsystems 
• Honeywell 
  • Trend IQ
  • Safety Manager FSC 
  • Experion LX 
  • ControlEdge 
  • Saia Burgess PCD 
• JTEKT 
  • Toyopuc 
• Motorola 
  • MOSCAD
  • ACE IP gateway
  • MDLC 
  • ACE1000 
  • MOSCAD Toolbox STS 
• Omron 
  • SYSMAC Cx series
  • Nx series 
• Phoenix Contact
  • ProConOS
• Siemens 
  • WinCC OA 
• Yokogawa 
  • STARDOM 

Forescout’s full report lists all 56 vulnerabilities by vendor. However, Forescout does not include information on which of the vulnerabilities have been patched at this time. The researchers have grouped the vulnerabilities into four categories:

• Insecure engineering protocols
• Weak cryptography or broken authentication schemes
• Insecure firmware updates
• Remote code execution via native functionality

The goal of this project was less to describe individual vulnerabilities and more to analyze and understand the prevalence and impact of insecure-by-design vulnerabilities in OT products. The researchers took a systemic look at OT risk management. The research notes that many factors complicate OT risk management including the certification of vulnerable products, lack of CVE assignment and supply chains propagating vulnerabilities. 

Forescout offers some mitigation guidance for this broad swath of vulnerabilities that align with OT best practices:

• Assess systems for vulnerable devices
• Segment vulnerable devices, particularly from the internet
• Keep up to date on patches from vendors and establish remediation practices
• Develop network monitoring rules to block or alert for anomalous traffic

Tenable Research has developed plugins to identify some of the devices that may be vulnerable to the OT:ICEFALL related flaws:

500655 - Saia Burgess OT:ICEFALL Multiple Potential Vulnerabilities

500656 - Honeywell OT:ICEFALL Multiple Potential Vulnerabilities

500657 - Omron OT:ICEFALL Multiple Potential Vulnerabilities

500658 - Emerson OT:ICEFALL Multiple Potential Vulnerabilities

A blog post for these vulnerabilities is forthcoming.