Operational technology (OT) devices used to control industrial equipment are riddled with cybersecurity vulnerabilities, according to a new study by Vedere Labs, the research arm of security vendor Forescout.
The study identified 56 vulnerabilities in 20 popular OT product lines from providers including Motorola, Siemens and Honeywell, many of which would allow remote code execution.
What is operational technology?
The term operational technology (OT) is used to describe systems that control industrial equipment, such as manufacturing plant or energy infrastructure. Unlike information technology (IT), it is often designed to prioritise reliability over cybersecurity. However, OT security is a growing concern, as cyberattacks on OT can be used to disrupt critical national infrastructure.
Vedere Labs analysed 20 popular OT product lines from ten manufacturers, and identified 56 security vulnerabilities, which the researchers call ‘OT:ICEFALL’. The majority of the vulnerabilities relate to three device makers: Emerson, Honeywell and Motorola.
If exploited, 14% of these vulnerabilities would allow remote code execution, in which attackers run malicious code on the devices; 38% would allow attackers to steal user credentials and 21% would enable firmware manipulation.
What causes OT security flaws?
Because they are presumed to operate in a secure environment, many OT systems lack basic information security precautions, explained Daniel dos Santos, Forescout's head of security research. "Most of the systems that we analysed do not have any signing or integrity checks for the firmware," dos Santos told Tech Monitor. "They also accept firmware updates via the Ethernet network [with] no authentication for this.
"Put this all together and you have a scenario that allows anybody who interacts with the device to be able to gain remote code execution."
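As an added illustration, not code from the Vedere Labs report or from any vendor, the contrast dos Santos describes: a firmware update handler that writes any image with a plausible header to flash beside one that verifies an integrity tag and a monotonic version first. The image layout, the HMAC-SHA256 keyed tag (a stand-in for the firmware signing a shipping device would use) and the sample images are constructed assumptions.

```python
import hashlib
import hmac
import struct

# Hypothetical image layout (constructed for this example, not a vendor format):
# header = magic, major, minor, payload length; then payload; then a 32-byte tag.
MAGIC = b"OTFW"
HEADER = struct.Struct(">4sHHI")
TAG_LEN = 32


def build_image(key, major, minor, payload):
    """Produce an image whose tag covers the header and payload."""
    header = HEADER.pack(MAGIC, major, minor, len(payload))
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def accept_unverified(image):
    """The weak design the article describes: anything that looks like an
    image is accepted, with no integrity check and no authentication."""
    return len(image) >= HEADER.size and image[:4] == MAGIC


def accept_verified(key, image, installed_version):
    """Hardened handler: length and magic sanity, constant-time tag check
    over header+payload, and an anti-rollback version comparison."""
    if len(image) < HEADER.size + TAG_LEN:
        return False
    magic, major, minor, payload_len = HEADER.unpack_from(image)
    if magic != MAGIC or len(image) != HEADER.size + payload_len + TAG_LEN:
        return False
    body, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False  # tampered payload or tag produced without the key
    return (major, minor) > installed_version  # refuse downgrades
```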
Just over a quarter of the product lines found to be insecure are designed for use in manufacturing, making it the most exposed industry. This was followed by healthcare (16%), retail (14%) and government (12%).
Vedere Labs identified a number of scenarios in which these vulnerabilities could be exploited with malicious effect. Tampering with manufacturing equipment, for example, could disrupt food or pharmaceutical production. Others include disrupting the energy supply or interfering with building management systems.
While attacks on OT are typically associated with sophisticated, state-backed offensive cybersecurity operations, Vedere Labs' research found that many of the vulnerabilities could be easy to exploit. "Reverse engineering a single proprietary protocol took between one day and two man-weeks, while achieving the same for complex, multi-protocol systems took five-to-six man-months.
"This shows that basic offensive cyber capabilities leading to the development of OT-focused malware or cyberattacks could be developed by a small but skilled team at a reasonable cost," the report states.
Taking OT security seriously
One objective of the Vedere Labs study was to encourage OT operators to think more carefully about security. Only when a company knows exactly which devices are insecure can it understand its risks and how to mitigate them, said dos Santos.
"We need to say not just that [OT is] insecure, but how insecure, what kind of risk management decisions we can take based on that, what kind of risk controls and so on."
Given the breadth of vulnerabilities identified, completely eradicating them all will be a lengthy process, Vedere Labs' report concludes. "Complete protection against OT:ICEFALL requires that vendors address these fundamental issues with changes in device firmware and supported protocols, and that asset owners apply the changes (patches) in their own networks," states the report. "Realistically, that process will take a very long time."