
Single largest disclosure for vulnerabilities in industrial control security reveals 56 flaws

Security researchers have uncovered 56 flaws affecting devices from 10 OT (operational technology) vendors in what’s billed as the single largest vulnerability disclosure to affect the computing components that control industrial plants.

Forescout’s Vedere Labs, which released a summary of its findings today (June 21), said that its findings illustrate that insecure-by-design functionality is rife in the domain of industrial control devices despite several years of high-profile attacks.

OT malware including Industroyer, TRITON, Industroyer2, and INCONTROLLER has plagued the sector, which historically has relied on ‘security by obscurity’ as a defense against attack.

Isolated no more

Operational technology components control devices ranging from valves in oil refineries and power plant turbines to conveyor belts in factories and escalators in shopping malls. Years ago, these systems were isolated, but increasingly they have been connected to the internet to facilitate remote monitoring and control.

More recently, operational technology devices have been connected to IT systems such as enterprise resource planning systems.

“By connecting OT to IoT (Internet of Things) and IT devices, vulnerabilities that once were seen as insignificant due to their lack of connectivity are now high targets for bad actors,” said Daniel dos Santos, head of security research at Forescout Vedere Labs.

The 56 vulnerabilities, as detailed in Forescout’s technical report (PDF), collectively affect 10 vendors including Bently Nevada, Emerson, Honeywell, JTEKT, Motorola, Omron, Phoenix Contact, Siemens, and Yokogawa. A blog post by Forescout offers an overview of the main issues uncovered.

The vulnerabilities fall into four main categories:

Impacts varied, ranging from denial of service (DoS) and configuration manipulation through authentication bypass to, in the most severe cases, remote code execution (RCE).

“The vulnerabilities range from persistent insecure-by-design practices in security-certified products to inadequate attempts to fix them,” according to Forescout.

The issues uncovered were reported through the US Critical Infrastructure Security Agency’s (CISA’s) vulnerability disclosure process.

Network segmentation

In response to a question from The Daily Swig, Forescout summarized what enterprises need to do to defend against these various flaws. Precautions ought to involve a combination of patching and network security threat monitoring, it said.

“Each vendor is issuing their own security advisories with specific recommendations for their affected products, which range from patching to configuration changes and enforcing network protection,” Forescout’s dos Santos told The Daily Swig.

“Forescout recommends a focus on network protections, such as improving network segmentation to mitigate the likelihood and impact of attacks, as well as network security monitoring to detect and be able to respond to attacks if they happen.”

All affected vendors have been contacted, Forescout confirmed. dos Santos explained: “The disclosure was separated in specific cases for each vendor and coordinated by CISA, which also invited national CERTs (e.g., the Japanese JPCERT/CC) for some cases. The process started three months ago and communication was done separately with each vendor, which provided some challenges in terms of aligning dates, responses, etc.”

The head of security research at Forescout Vedere Labs concluded: “I believe the disclosure process for OT is evolving and most vendors are acting better than a few years ago, but we notice that there is still some resistance in acknowledging vulnerabilities in critical devices.”


Source: https://portswigger.net/daily-swig/single-largest-disclosure-for-vulnerabilities-in-industrial-control-security-reveals-56-flaws
