Report warns of security risk to operational technology
Operational technology (OT) devices used to control industrial equipment are subject to a number of cybersecurity vulnerabilities, according to a new study, dubbed OT:ICEFALL, by Vedere Labs, the research arm of security vendor Forescout.
The study found 56 vulnerabilities in 20 popular OT product lines from providers including Motorola, Siemens and Honeywell, some of which would allow remote code execution.
Unlike information technology (IT), OT is often designed to prioritise reliability over cybersecurity. Vedere Labs calls this a “growing concern”, because cyberattacks on OT can be used to disrupt critical national infrastructure.
The data suggests that, if exploited, 14% of the vulnerabilities would allow remote code execution, in which attackers run malicious code on the devices; 38% would allow attackers to steal user credentials; and 21% would enable firmware manipulation.
Since they are presumed to operate in a secure environment, many OT systems lack basic information security precautions, said Forescout’s head of security research Daniel dos Santos.
“Most of the systems that we analysed do not have any signing or integrity checks for the firmware,” dos Santos said in a statement to Tech Monitor. “They also accept firmware updates via the Ethernet network [with] no authentication for this.”
“Put this all together and you have a scenario that allows anybody who interacts with the device to be able to gain remote code execution.”
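The failure mode dos Santos describes, an update path with no integrity or authenticity check on the firmware image, is illustrated below with an added example. It is not code from the Forescout report or from any vendor: the image layout, the tag scheme and the sample images are constructed here. The "legacy" handler accepts anything with a plausible header, which is the behaviour quoted above; the hardened handler checks a keyed MAC over the whole image and refuses downgrades before accepting it. A keyed MAC (HMAC-SHA256) is used so the example runs with only the Python standard library; a fielded design would use an asymmetric signature (for example Ed25519) so that only a public key has to live on the device.

```python
"""
Added example (not from the OT:ICEFALL report): a minimal firmware update
handler showing the missing check the report describes, and its hardened form.
Image layout, key and sample images are all constructed for illustration.
"""
import hashlib
import hmac
import struct
from typing import Dict, Tuple

MAGIC = b"FWIM"
HEADER_FMT = "!4sHI"                      # magic, firmware version, payload length
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 10 bytes
TAG_LEN = hashlib.sha256().digest_size    # 32 bytes of HMAC-SHA256

# Assumed key provisioned on the device at manufacture (constructed value).
DEVICE_KEY = bytes(range(32))


def build_image(key: bytes, version: int, payload: bytes) -> bytes:
    """Produce header || payload || HMAC-SHA256(key, header || payload)."""
    header = struct.pack(HEADER_FMT, MAGIC, version, len(payload))
    body = header + payload
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


def legacy_accept(blob: bytes) -> bool:
    """The behaviour quoted in the article: the image is accepted on the
    strength of its header alone. Anyone who can reach the update port can
    therefore push arbitrary code to the device."""
    return len(blob) >= HEADER_LEN and blob[:4] == MAGIC


def verify_image(blob: bytes, key: bytes, installed_version: int) -> Tuple[bool, str]:
    """Hardened handler: parse, check the MAC over the whole image, then
    refuse downgrades. No header field is trusted until the MAC has passed."""
    if len(blob) < HEADER_LEN + TAG_LEN:
        return False, "too short"
    magic, version, length = struct.unpack(HEADER_FMT, blob[:HEADER_LEN])
    if magic != MAGIC:
        return False, "bad magic"
    if len(blob) != HEADER_LEN + length + TAG_LEN:
        return False, "length mismatch"
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return False, "bad tag"
    if version <= installed_version:             # anti-rollback, now that version is authenticated
        return False, "rollback"
    return True, "ok"


def demo() -> Dict[str, object]:
    """Run both handlers over constructed images: one genuine, the rest hostile."""
    payload = b"\x90" * 64
    good = build_image(DEVICE_KEY, version=3, payload=payload)
    tampered = bytearray(good)
    tampered[HEADER_LEN + 5] ^= 0xFF             # flip one byte of the payload
    tampered = bytes(tampered)
    unsigned = good[:-TAG_LEN] + bytes(TAG_LEN)  # genuine image with the tag zeroed
    rollback = build_image(DEVICE_KEY, version=1, payload=payload)
    forged = build_image(b"wrong-key", version=4, payload=b"evil")
    return {
        "good": verify_image(good, DEVICE_KEY, installed_version=2),
        "tampered": verify_image(tampered, DEVICE_KEY, 2),
        "unsigned": verify_image(unsigned, DEVICE_KEY, 2),
        "rollback": verify_image(rollback, DEVICE_KEY, 2),
        "forged": verify_image(forged, DEVICE_KEY, 2),
        "legacy_accepts_tampered": legacy_accept(tampered),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:24s} {result}")
```

Running the block shows the legacy handler accepting the tampered image while the hardened handler rejects every hostile image with a reason, accepting only the genuine one with a newer version. The ordering matters: the length check is purely defensive parsing, and the version field is only acted upon after the MAC over the header has been verified.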
More than a quarter of the product lines identified as insecure are designed for use in manufacturing, making it the most exposed industry. This was followed by healthcare (16%), retail (14%) and government (12%).
Vedere Labs identified a number of scenarios in which these vulnerabilities could be exploited with malicious effect. Tampering with manufacturing equipment, for example, could disrupt food or pharmaceutical production; others include disrupting the energy supply or interfering with building management systems.
While attacks on OT are typically associated with sophisticated, state-backed offensive cybersecurity operations, the research found that many of the vulnerabilities would be easy to exploit. The report notes: “Reverse engineering a single proprietary protocol took between one day and two man-weeks, while achieving the same for complex, multi-protocol systems took five-to-six man-months.”
“This shows that basic offensive cyber capabilities leading to the development of OT-focused malware or cyberattacks could be developed by a small but skilled team at a reasonable cost,” states the report.
One objective of the study was to encourage OT operators to think more carefully about security. “Only when a company knows which specific devices are insecure can it understand its risks and how to mitigate them,” said dos Santos.
“We need to say not just that [OT is] insecure, but how insecure, what kind of risk management decisions we can take based on that, what kind of risk controls and so on.”
Given the number of vulnerabilities identified, eradicating them all will be a lengthy process, the Vedere Labs report concludes. “Complete protection against OT:ICEFALL requires that vendors address these fundamental issues with changes in device firmware and supported protocols, and that asset owners apply the changes (patches) in their own networks,” the report adds. “Realistically, that process will take a very long time.”