Researchers detected 56 vulnerabilities impacting devices from 10 operational technology (OT) vendors, most of which are attributed to inherent design flaws in equipment and a lacklustre approach to security and risk management.
According to the research from Forescout’s Vedere Labs, the vulnerabilities – detected in devices by familiar vendors such as Honeywell, Emerson, Motorola, Siemens, JTEKT, Bently Nevada, Phoenix Contact, Omron, Yokogawa and an unnamed manufacturer – differ in their characteristics and in what they allow threat actors to do.
Researchers sorted the flaws in the products into four categories: insecure engineering protocols; weak cryptography or broken authentication schemes; insecure firmware updates; or remote code execution via native functionality.
According to researchers, exploiting the flaws allows threat actors to do the following on a device: remote code execution (RCE), with code executed in different specialized processors and different contexts within a processor; denial of service (DoS) that can completely shut down a device or block access to a specific function; file/firmware/configuration manipulation that enables a threat actor to modify important aspects of a device; credential compromise enabling access to device functions; or authentication bypass that enables a threat actor to modify the desired functionality on the target device.
According to researchers, these flaws could have been avoided, as 74 per cent of the product families impacted by the vulnerabilities possess security certification and were verified before being sent to market.
Security professionals lamented the lax security strategy of vendors in a field that produces the systems running critical infrastructure, attacks on which can be devastating not just for the networks on which the products exist but for society as a whole.
The researchers also focused on the reasons for the innate problems pertaining to security design and risk management in OT devices that manufacturers are urged to address in a swift fashion.
One issue mentioned by the researchers is the lack of uniformity in functionality across devices. This means that their lack of security also differs sharply from device to device, which makes troubleshooting very difficult.
In other instances, the inherent insecurity of the device cannot be blamed directly on the manufacturer but rather on “insecure-by-design” components in the supply chain. Researchers say that this further complicates how manufacturers manage risk.
“Indeed, managing risk management in OT and IT devices and systems alike requires ‘a common language of risk,’ something that’s difficult to achieve with so many inconsistencies across vendors and their security and production strategies in an industry,” noted Nick Sanna, CEO of RiskLens.
To tackle this, he urged vendors to quantify risk in financial terms, which allows risk managers and plant operators to focus decision-making on “responding to vulnerabilities – patching, adding controls, increasing insurance – all based on a clear understanding of loss exposure for both IT and operational assets.”
However, even if vendors start to tackle the basic challenges that have created the OT:ICEFALL scenario, they face an uphill climb to mitigate the security problem completely, Forescout researchers said.