Icefall identifies vulnerabilities in industrial equipment

Technology News
By Nick Flaherty

Consultancy Vedere Labs has identified a range of vulnerabilities in industrial equipment that could leave critical infrastructure open to attack.

The 56 issues, grouped together under the name Icefall, come from ten vendors, including Honeywell, Phoenix Contact, Fanuc, Siemens and Omron.

The products affected by Icefall are known to be prevalent in industries that are the backbone of critical infrastructures such as oil and gas, chemical, nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining and building automation.

The largest share of devices (31%) is based on ARM microcontrollers and microprocessors, with 28% on x86. The high proportion of PowerPC and SuperH parts still in use highlights that designs may be decades old and may not adopt modern security techniques, leaving them 'insecure by design'. These devices largely run the VxWorks real-time operating system or Linux.

The vulnerabilities are divided into four main categories: insecure engineering protocols, weak cryptography or broken authentication schemes, insecure firmware updates and remote code execution via native functionality. Exploiting these vulnerabilities, attackers with network access to a target device could remotely execute code, change the logic, files or firmware of industrial devices, bypass authentication, compromise credentials, cause denials of service or have a variety of operational impacts. Vulnerabilities allowing for firmware manipulation or remote code execution represent 35% of the total.

In addition to network monitoring, mitigations for Icefall include isolating industrial networks from corporate networks and the internet, limiting network connections to only specifically allowed engineering workstations and focusing on consequence reduction where possible.
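The network-monitoring and allow-listing mitigations above can be turned into a simple check over connection records. The following Python is an added example, not code from the article or from Vedere Labs; the segment addresses (RFC 5737 documentation ranges), the approved workstation list, the engineering port numbers and the flow-record format are all constructed for the example.

```python
"""Flag OT traffic that breaks segmentation or the engineering-workstation allow-list.

Added example; addresses, ports and the record format are constructed, not from the article.
"""
import re
from ipaddress import ip_address, ip_network

# Constructed segments: the isolated industrial network and the corporate network.
OT_NETWORK = ip_network("192.0.2.0/24")           # controllers, HMIs, field devices
CORPORATE_NETWORK = ip_network("203.0.113.0/24")  # office workstations

# Constructed allow-list: the only hosts permitted to open engineering sessions
# (logic download, firmware update, configuration) to devices in OT_NETWORK.
ALLOWED_ENGINEERING_WORKSTATIONS = {ip_address("192.0.2.10")}

# Placeholder TCP ports standing in for the vendor's engineering/programming protocol.
ENGINEERING_PORTS = {5000, 5001}

# Constructed flow-record format: "<timestamp> src=<ip> dst=<ip> dport=<port>"
FLOW_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")


def classify_flow(line):
    """Return a finding string for a suspicious flow record, or None if it is permitted."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return "unparseable record"
    src, dst, dport = ip_address(m["src"]), ip_address(m["dst"]), int(m["dport"])

    # Segmentation: corporate hosts must never talk directly to OT devices.
    if src in CORPORATE_NETWORK and dst in OT_NETWORK:
        return "corporate host reaching OT segment"
    # Segmentation: OT devices must not reach anything outside the plant networks.
    if src in OT_NETWORK and dst not in OT_NETWORK and dst not in CORPORATE_NETWORK:
        return "OT device reaching outside the plant"
    # Allow-list: engineering ports are reserved for approved workstations.
    if dst in OT_NETWORK and dport in ENGINEERING_PORTS and src not in ALLOWED_ENGINEERING_WORKSTATIONS:
        return "engineering session from unapproved host"
    return None


def find_violations(lines):
    """Run classify_flow over an iterable of records and collect (record, finding) pairs."""
    findings = []
    for line in lines:
        verdict = classify_flow(line)
        if verdict is not None:
            findings.append((line, verdict))
    return findings


# Constructed sample records used for the demonstration below.
SAMPLE_FLOWS = [
    "2022-06-21T10:00:01Z src=192.0.2.10 dst=192.0.2.50 dport=5000",    # approved workstation: ok
    "2022-06-21T10:00:05Z src=192.0.2.77 dst=192.0.2.50 dport=5000",    # unapproved OT host
    "2022-06-21T10:00:09Z src=203.0.113.25 dst=192.0.2.50 dport=5000",  # corporate host into OT
    "2022-06-21T10:00:12Z src=192.0.2.50 dst=198.51.100.9 dport=443",   # PLC reaching outside
    "2022-06-21T10:00:15Z src=192.0.2.10 dst=192.0.2.51 dport=80",      # non-engineering port: ok
]

if __name__ == "__main__":
    for record, finding in find_violations(SAMPLE_FLOWS):
        print(f"{finding}: {record}")
```

The three rules mirror the article's mitigations in order of severity: a corporate-to-OT flow is a segmentation failure regardless of port, an OT device reaching outside the plant suggests either misconfiguration or compromise, and an engineering-port connection from a host that is not on the allow-list is the signal a defender would most want to see given that many of the affected protocols carry no authentication of their own.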


Insecurity by design remains very relevant, say the researchers. The past decade has shown that one of the biggest security problems in industrial equipment continues to be the lack of basic controls, and attackers have exploited this in practice. Over a third of these vulnerabilities (38%) allow for compromise of credentials, with firmware manipulation coming in second (21%) and remote code execution coming third (14%).

The prime examples of insecure-by-design issues are the nine vulnerabilities related to unauthenticated protocols, but the researchers also found many broken authentication schemes, which shows that security controls, where they are implemented at all, are often subpar.

Vulnerable products are often insufficiently certified: 74% of the product families affected by the vulnerabilities found have some form of security certification, yet most of the issues should be discovered relatively quickly during in-depth vulnerability discovery.

Risk management is complicated by the lack of Common Vulnerabilities and Exposures (CVE) reports for industrial systems. It is not enough to know that a device or protocol is insecure. To make informed risk management decisions, asset owners need to know how these components are insecure.

Issues considered the result of insecurity by design have not always been assigned CVEs, so they often remain less visible and actionable than they should be.

There are also insecure-by-design supply chain components: vulnerabilities in hardware and software components tend not to be reported by every affected manufacturer. The researchers group the impact of the vulnerabilities into the following categories:

Remote code execution (RCE) allows an attacker to execute arbitrary code on the impacted device, but the code may be executed in different specialized processors and different contexts within a processor, so an RCE does not always mean full control of a device. This is usually achieved via insecure firmware/logic update functions that allow the attacker to supply arbitrary code.

Denial of service (DoS) allows an attacker to either take a device completely offline or to prevent access to some function.

File / Firmware / Configuration Manipulation allows an attacker to change important aspects of a device or system, such as operational parameters, files stored within the device, the firmware running on the device or specific configurations of the device. This is usually achieved via critical functions lacking the proper authentication/authorization or integrity checking to prevent attackers from tampering with the device.

Compromise of credentials allows an attacker to obtain credentials to device functions, usually because they are stored or transmitted insecurely.

Authentication bypass allows an attacker to bypass existing authentication functions and invoke desired functionality on the target device.
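The firmware-manipulation and RCE categories above both trace back to update functions that accept whatever image they are handed. The following Python is an added example, not code from the article or from any of the vendors named; it places the insecure-by-design pattern (write any received image) beside a hardened handler that checks integrity and refuses rollback. The image layout, the `DEVICE_UPDATE_KEY` and the use of an HMAC in place of a public-key signature are assumptions made so the example runs on the standard library alone.

```python
"""Insecure-by-design firmware update beside an integrity-checked one.

Added example; image format and key are constructed, not from the article.
"""
import hashlib
import hmac
import struct

# Constructed per-device verification key. A real device would hold a vendor public key
# in protected storage; an HMAC key stands in here so the example needs no extra library.
DEVICE_UPDATE_KEY = b"constructed-demo-key-do-not-reuse"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes
HEADER = struct.Struct(">I")            # 4-byte big-endian version number


class UpdateRejected(Exception):
    """Raised by the hardened handler when an image fails verification."""


def package_update(version, payload):
    """Vendor-side packaging (assumed format): version || payload || HMAC-SHA256(version || payload)."""
    body = HEADER.pack(version) + payload
    tag = hmac.new(DEVICE_UPDATE_KEY, body, hashlib.sha256).digest()
    return body + tag


def insecure_apply_update(image, current_version):
    """Insecure-by-design pattern: no authentication, no integrity check, no version check.

    Whatever arrives on the update function is treated as the new firmware, which is how
    an unauthenticated update path turns into arbitrary code execution on the device.
    """
    version = HEADER.unpack(image[:HEADER.size])[0]
    return {"version": version, "payload": image[HEADER.size:]}


def secure_apply_update(image, current_version):
    """Hardened handler: verify the tag in constant time, then refuse downgrades."""
    if len(image) < HEADER.size + TAG_LEN:
        raise UpdateRejected("image too short to contain header and tag")
    body, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    expected = hmac.new(DEVICE_UPDATE_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        raise UpdateRejected("integrity check failed")
    version = HEADER.unpack(body[:HEADER.size])[0]
    if version <= current_version:
        raise UpdateRejected("rollback to older or same version refused")
    return {"version": version, "payload": body[HEADER.size:]}


def tamper(image, offset):
    """Flip one byte of an image, used below to show the integrity check firing."""
    return image[:offset] + bytes([image[offset] ^ 0x01]) + image[offset + 1:]


if __name__ == "__main__":
    genuine = package_update(2, b"constructed-firmware-v2")
    print("hardened handler accepts genuine image:", secure_apply_update(genuine, 1)["version"])
    for label, img in (("tampered", tamper(genuine, 6)), ("downgrade", package_update(1, b"old"))):
        try:
            secure_apply_update(img, 1)
        except UpdateRejected as exc:
            print(f"hardened handler rejects {label} image: {exc}")
    print("insecure handler accepts anything:", insecure_apply_update(b"\x00\x00\x00\x07anything", 1))
```

The two checks the hardened handler adds map directly onto the article's categories: the integrity check closes the file/firmware manipulation path, and the version check prevents an attacker with a genuine but older (and vulnerable) image from reinstalling it. Neither check helps if the key is stored where the update function's caller can read it, which is the credential-compromise category the researchers found most often.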
