‘Insecure-by-Design’ – Impact and Mitigation
In its 2022 OT:ICEFALL report Vedere Labs has detected a group of 56 security flaws that impact devices manufactured by some of the most recognisable operational technology (OT) vendors.
These vulnerabilities have been classified into four primary categories:
- insecure engineering protocols,
- weak cryptography or broken authentication methods,
- insecure firmware updates,
- and remote code execution through native functionality.
Exploiting these vulnerabilities, rogue actors with network access to a target device could execute a number of attacks with the following impacts:
Manipulation of control / view
- Modify authentication
- Alter setpoints and monitored variables
- Flood operators with false positives
- Alter system configuration, operation parameters and control microcode
Denial of control / view
- Modify authentication
- Misuse unauthenticated communications
- Execute commands
- Prevent operators from controlling and monitoring
Loss of safety
- Obtain code execution
- Deactivate monitoring & safety systems
Decrease in performance and proceeds
- Reduce productivity
- Denial of service on PLCs
The types of devices affected the most are Building automation controllers.
In terms of verticals impacted, the greatest number of vulnerable devices occur in Manufacturing (26%), followed by Healthcare (16%), Retail and Government with 14% and 12% respectively.
What becomes apparent from these findings is that the reported vulnerabilities don’t only affect ‘OT heavy’ environments but due to the occurrence of the OT solutions in such areas as building automation or warehouse automation (which has a direct impact on retail) have a direct impact on many apparently not related environments.
To achieve comprehensive protection against the vulnerabilities discovered in OT:ICEFALL, vendors must make modifications to the firmware of their devices and the protocols they support. In addition, asset owners must apply the necessary changes (patches) to their own networks.
In reality, implementing these changes will take a significant amount of time. Therefore the following actionable mitigation strategies should be implemented promptly by that asset owners and system integrators:
Identify and list vulnerable devices.
Solutions for network visibility allow for the identification of vulnerable devices within the network and the implementation of appropriate control and mitigation measures.
Implement segmentation controls and maintain proper network hygiene.
To minimize the risk posed by vulnerable devices, it is recommended to limit external communication paths and to isolate or contain vulnerable devices within designated zones as a mitigating control measure in cases where patching is not possible, or until a patch is made available. Firewall rules should also be reviewed, with particular attention given to whitelisted OT protocols, in accordance with the expertise of subject matter experts. Some vendors may offer dedicated firewalls and switches that come with protocol-aware security features.
Track the incremental patches released by the affected device vendors.
Develop a plan for the remediation of your vulnerable assets that takes into consideration both business risk and continuity requirements.
Scrutinise all network traffic for any unusual or suspicious activity.
Employ monitoring solutions with deep packet inspection (DPI) capabilities to notify security personnel of such activities, thereby enabling them to take necessary actions.
Proactively acquire products that are designed with security in mind.
Transition to secure-by-design versions of products wherever they are available and feasible. Assess the security posture of devices by including security evaluations in procurement prerequisites.
Leverage built-in hardening features.
Activate physical mode switches on controllers that necessitate manual intervention before performing dangerous engineering tasks. Certain vendors provide plug-and-play alternatives for emulating this feature across several controllers at the network level. Where feasible, set up alerts on operational mode switches to notify monitoring solutions.