Forescout Finds Icefall Vulnerabilities in Honeywell, Ericsson Devices

Forescout Finds Icefall Vulnerabilities in Devices from Honeywell, Ericsson, More

Written by Edward Gately
June 22, 2022

Impacted industries include manufacturing, nuclear, power generation and more.

Forescout has discovered 56 vulnerabilities, collectively dubbed Icefall. This affects devices from 10 operational technology (OT) vendors, including Honeywell, Ericsson, Motorola and Siemens.

Industries impacted by Icefall include manufacturing, nuclear, power generation and more. Forescout‘s Vedere Labs made the discovery.

Vedere Labs divided the Icefall vulnerabilities into four main categories: insecure engineering protocols; weak cryptography or broken authentication schemes; insecure firmware updates; and remote code execution via native functionality.

Vedere Labs’ Daniel dos Santos

Daniel dos Santos is head of security research at Vedere Labs.

“The damage is highly dependent on the industry being attacked,” he said. “In the report, we discuss three scenarios: natural gas transport, wind power generation and manufacturing.”

Vedere Labs divided the impact of the Icefall vulnerabilities into three categories, dos Santos said. Those include:

Manipulation/denial of control, which means the attacker targets control systems to tamper with the physical process. For example, changing some setpoint that would lead to incorrect or dangerous products being manufactured.
Loss of safety, which means the attacker targets not the control, but the safety systems to allow for damaging conditions to happen. For example, targeting a safety system in a gas pipeline to allow for an unsafe increase in pressure.
Loss of productivity, which means the attacker stops or degrades the performance of the physical process to affect service delivery and the target’s revenue. For example, stopping one or a series of wind turbines.

Verticals Most Impacted by Icefall

Based on data from customer networks, manufacturing is the most impacted vertical, dos Santos said. This isn’t surprising given the nature of these devices.

“The next most impacted verticals (health care, retail and government) are a bit surprising,” he said. “But that is because they rely heavily on building automation systems for their large facilities. Building automation is an often forgotten type of OT that is present in nearly every organization nowadays.”

Many vendors are moving to more secure designs, dos Santos said. In addition, some of the vendor advisories will recommend either patches or moving to more recent alternatives.

“Nevertheless, both patching and replacing systems are challenging in OT because of the impact they have on running processes,” he said. “Systems often have to be taken offline for patching. Patching often has to wait months for a maintenance window while replacing a system may incur a large engineering effort.”

Vendors Issuing Advisories

Vendors have started issuing advisories about the Icefall vulnerabilities in coordination with the Cybersecurity and Infrastructure Security Agency (CISA).

“Each advisory contains the recommended mitigation actions for the affected products,” dos Santos said.

Vedere Labs recommends that organizations …