OT:ICEFALL

A Decade of Insecure-by-Design Practices in OT

Forescout Vedere Labs has discovered a set of 61 vulnerabilities affecting devices from 13 operational technology (OT) vendors caused by insecure-by-design practices in OT. The affected products are known to be prevalent in industries such as oil and gas, chemical, nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining, and building automation.

 


Webinar: Lessons Learned from OT:ICEFALL

Join head researcher Daniel dos Santos as he shares the insights gained during a year-long deep dive into the state of OT product security and how best to mitigate risk with insecure-by-design assets.

OT:ICEFALL - A Decade of Insecure-by-Design Practices in OT

Many of the affected products are sold as “secure by design” or have been certified with OT security standards.

  • 61 Vulnerabilities
  • 100+ Device Models
  • 13 Device Manufacturers Affected

What We Found

The vulnerabilities are divided into four main categories: insecure engineering protocols, weak cryptography or broken authentication schemes, insecure firmware updates and remote code execution via native functionality.

  • Among the vulnerabilities we found, 38% allow for compromise of credentials, 21% allow for firmware manipulation and 14% allow remote code execution
  • 74% of affected product families have some form of security certification
  • Risk management is complicated by the lack of CVEs

Concluding OT:ICEFALL – New Vulnerabilities and Insights on OT Security Design and Patching

Exactly one year after the original disclosure, we concluded OT:ICEFALL with these three insights into the state of OT product security:

  • Vendors still lack a fundamental understanding of secure-by-design. Our research shows the continuing prevalence of insecure-by-design practices in OT products and highlights that existing security controls were often broken.
  • Vendors often release low-quality patches. Incomplete patches can lead to the discovery of new vulnerabilities, exemplifying how a bad patch increases risk instead of decreasing it.
  • Vendors must improve their security testing procedures. The shallow nature of many vulnerabilities we found in the project casts doubt on the quality of the testing these products currently undergo.

 

Why OT:ICEFALL Matters

With OT:ICEFALL, we wanted to disclose and provide a quantitative overview of OT insecure-by-design vulnerabilities rather than rely on the periodic bursts of CVEs for a single product or a small set of public, real-world incidents that are often brushed off as a particular vendor or asset owner being at fault. These issues range from persistent insecure-by-design practices in security-certified products to subpar attempts to move away from them. The goal is to illustrate how the opaque and proprietary nature of these systems, the suboptimal vulnerability management surrounding them and the often-false sense of security offered by certifications significantly complicate OT risk management efforts.


Why the Name OT:ICEFALL?

It has been 10 years since Project Basecamp, a research project conducted by Digital Bond that investigated how critical OT devices and protocols were, to use the term they coined, “insecure by design.” Icefall is the name of the second stop on the Everest route, after Base Camp. Given the rising number of OT vulnerability disclosures, we know we have a mountain to climb to secure these devices and protocols.


How Forescout Can Help

Implementing mitigation for OT:ICEFALL requires:

The Forescout Platform helps you achieve all of these steps without disrupting critical business processes or requiring operational downtime. Forescout’s eyeInspect product has native monitoring capabilities for the protocols used by the affected devices and built-in detection for exploitation of OT:ICEFALL vulnerabilities. Customers should update to the latest eyeInspect release to make full use of our industrial threat library, which is updated monthly, and of ICS-specific IOCs and CVEs.

Commitment to the Cybersecurity Community

As part of the OT:ICEFALL disclosure, Forescout provided the cybersecurity community with a technical report in which we discuss the 56 vulnerabilities, their impact and their mitigation in detail, as well as the insecure-by-design debate, the effect of opacity on risk management, industry-specific attack scenarios and more.
