In April, joint cybersecurity advisory (CSA) Alert (AA22-103A) APT Cyber Tools Targeting ICS/SCADA Devices, along with reports from Dragos and Mandiant were published on PIPEDREAM and INCONTROLLER, respectively, detailing that unidentified advanced persistent threat (APT) actors were exhibiting the capability to gain full system access to multiple industrial control system (ICS)/supervisory control and data acquisition (SCADA) devices. This access was not due to the exploitation of any technical vulnerabilities, but through simply using native device functionality – in devices, which are inherently insecure-by-design. At the time of these reports, the caveat was emphasized that while the components discussed were the first three that had been identified, other manufacturers and components could be impacted.

Therefore, in building on AA22-103A, and with respect to Project Basecamp, a research project conducted by Digital Bond, Forescout’s Vedere Labs released a report today detailing vulnerabilities caused by insecure-by-design practices in OT, in what they are calling “OT:ICEFALL.” In collaboration with CISA’s vulnerability disclosure process, Forescout is responsibly disclosing a set of 56 vulnerabilities affecting devices from 10 OT vendors. Likewise, today CISA published five Industrial Control Systems Advisories (ICSAs) for multiple products highlighted by OT:ICEFALL.

The impacted products discussed by OT:ICEFALL are used across multiple sectors and cover myriad devices and components that have been categorized into four main vulnerabilities types.

• Vendors: Bently Nevada, Emerson, Honeywell, JTEKT, Motorola, Omoron, Phoenix Contact, Siemens, Yokogawa. Likewise, according to Forescout, there are four vulnerabilities affecting one vendor still under disclosure.
• Components: condition monitors, distributed control systems, engineering workstations, remote terminal units, programmable logic controllers, building controller, safety instrumented system, protocol (Motorola MDLC), logic runtime (Phoenix ProConOS), and SCADA (Siemens WinCC OA).
• Vulnerability categories: insecure engineering protocols; weak cryptography or broken authentication schemes; insecure firmware updates; Remote code execution via native functionality

According to Forescout, the premise of OT:ICEFALL is to disclose and provide a quantitative overview of OT insecure-by-design vulnerabilities rather than rely on the periodic bursts of CVEs for a single product or a small set of public, real-world incidents that are often brushed off as a particular vendor or asset owner being at fault. These issues range from persistent insecure-by-design practices in security-certified products to subpar attempts to move away from them. The goal is to illustrate how the opaque and proprietary nature of these systems, the suboptimal vulnerability management surrounding them and the often-false sense of security offered by certifications significantly complicate OT risk management efforts.

Members are strongly encouraged to review this report and recommended to apply a risk-based approach to assessing these components and addressing the vulnerabilities across your ICS/SCADA environment. For more on OT:ICEFALL, visit Forescout.