Forescout discloses OT:ICEFALL: 56 exposures found in multiple devices

Daniel dos Santos, Head of Security Research, Forescout Vedere Labs

Forescout’s Vedere Labs, working through CISA’s vulnerability disclosure process, is disclosing OT:ICEFALL, a set of 56 vulnerabilities affecting devices from 10 OT (operational technology) vendors. It is one of the largest vulnerability disclosures to impact OT devices, and it addresses insecure-by-design vulnerabilities. It has been ten years since Project Basecamp, a research project by Digital Bond that investigated how critical OT devices and protocols were insecure by design.

Since then, real-world OT malware, including Industroyer, TRITON, Industroyer2 and INCONTROLLER, has been hugely impactful in abusing insecure-by-design functionality.

What threats do these vulnerabilities pose?

“The expansion of the threat landscape is well documented. By connecting OT to IoT and IT devices, vulnerabilities that once were seen as insignificant due to their lack of connectivity are now high targets for bad actors. 10 years on from BASECAMP and now ICEFALL, we have a very long way to go to reach the summit of these OT design practices,” said Daniel dos Santos, Head of Security Research, Forescout Vedere Labs, commenting on the study.

“These types of vulnerabilities, and the proven desire for attackers to exploit them, show the need for robust, OT-aware network monitoring and deep-packet-inspection (DPI) capabilities.”

The 56 vulnerabilities in Forescout’s technical report impact ten vendors, including Bently Nevada, Emerson, Honeywell, JTEKT, Motorola, Omron, Phoenix Contact, Siemens, and Yokogawa.

What categories do the vulnerabilities fall under?

Although the impact of each vulnerability depends heavily on the functionality each device offers, the vulnerabilities fall under the following categories:

  • Remote code execution (RCE): Allows an attacker to execute arbitrary code on the impacted device, but the code may be executed in different specialized processors, so an RCE does not always mean full control of a device. This is usually achieved via insecure firmware/logic update functions that allow the attacker to supply arbitrary code.
  • Denial of service (DoS): Allows an attacker to either take a device completely offline or to simply prevent access to some function during an attack.
  • File/firmware/configuration manipulation: Allows an attacker to change important aspects of a device such as files stored within it, the firmware running on it or its configurations. This is usually achieved via critical functions lacking the proper authorisation or integrity checking that would prevent attackers from tampering with the device.
  • Compromise of credentials: Allows an attacker to obtain credentials to device functions, usually either because they are stored or transmitted insecurely.
  • Authentication bypass: Allows an attacker to bypass existing authentication functions and invoke desired functionality on the target device.

A full list of devices affected by OT:ICEFALL is available here, while each vulnerability is discussed in full detail in Forescout’s technical report.

Insecure-by-design vulnerabilities

The vulnerabilities and related issues disclosed in this report range from persistent insecure-by-design practices in security-certified products to inadequate attempts to fix them.

It is crucial for asset owners to understand how the opaque and proprietary nature of these systems, the suboptimal vulnerability management surrounding them, and the often-false sense of security offered by certifications complicate OT risk management efforts.