Forescout has discovered 56 vulnerabilities, collectively dubbed Icefall. This affects devices from 10 operational technology (OT) vendors, including Honeywell, Ericsson, Motorola and Siemens.

Industries impacted by Icefall include manufacturing, nuclear, power generation and more. Forescout‘s Vedere Labs made the discovery.

Vedere Labs divided the Icefall vulnerabilities into four main categories: insecure engineering protocols; weak cryptography or broken authentication schemes; insecure firmware updates; and remote code execution via native functionality.

Vedere Labs’ Daniel dos Santos

Daniel dos Santos is head of security research at Vedere Labs.

“The damage is highly dependent on the industry being attacked,” he said. “In the report, we discuss three scenarios: natural gas transport, wind power generation and manufacturing.”

Vedere Labs divided the impact of the Icefall vulnerabilities into three categories, dos Santos said. Those include:

Verticals Most Impacted by Icefall

Based on data from customer networks, manufacturing is the most impacted vertical, dos Santos said. This isn’t surprising given the nature of these devices.

“The next most impacted verticals (health care, retail and government) are a bit surprising,” he said. “But that is because they rely heavily on building automation systems for their large facilities. Building automation is an often forgotten type of OT that is present in nearly every organization nowadays.”

Many vendors are moving to more secure designs, dos Santos said. In addition, some of the vendor advisories will recommend either patches or moving to more recent alternatives.

“Nevertheless, both patching and replacing systems are challenging in OT because of the impact they have on running processes,” he said. “Systems often have to be taken offline for patching. Patching often has to wait months for a maintenance window while replacing a system may incur a large engineering effort.”

Vendors Issuing Advisories

Vendors have started issuing advisories about the Icefall vulnerabilities in coordination with the Cybersecurity and Infrastructure Security Agency (CISA).

“Each advisory contains the recommended mitigation actions for the affected products,” dos Santos said.

Vedere Labs recommends that organizations …

… identify vulnerable devices in their networks so they can perform the necessary risk assessment to understand what controls to apply; tighten network segmentation efforts; and monitor the network closely to detect signs of suspicious activity.

“We don’t have indication about these particular vulnerabilities being exploited,” dos Santos said. “But there have been previous instances of malware that exploited similar issues, such as Industroyer and Industroyer2 in Ukraine, as well as TRITON in Saudi Arabia. Some of the devices listed in our current research have also been targeted by real-world malware, such as the Omron controllers that were targeted by INCONTROLLER.”

Security Controls ‘Frighteningly Easy’ to Defeat

Chris Clements is vice president of solutions architecture at Cerberus Sentinel.

“One may incorrectly assume that the industrial control and OT devices that perform some of the most vital and sensitive tasks in critical infrastructure environments would be among the most heavily secured systems in the world,” he said. “Yet the reality is often the exact opposite. Far too many devices in these roles have security controls that are frighteningly easy for attackers to defeat or bypass to take complete control of the devices.”

Manufacturers of sensitive OT devices must adopt a culture of cybersecurity that starts at the beginning of the design process and continues through to validating the resulting implementation in the final product, Clements said.

“It’s also critical that organizations are honest about their ability to perform such validations themselves,” he said. “Schneier’s Law famously posited this limitation almost [25 years] ago: ‘Anyone, from the most clueless amateur to the best cryptographer, can create an algorithm that he himself can’t break.’ It’s not even hard. What is hard is creating an algorithm that no one else can break, even after years of analysis. Manufacturers should heed this advice and recruit personnel or contract with outside organizations with experience in breaking the systems they make to validate that the final product is as secure as possible against exploitation by threat actors who have advanced sophistication and powerful motivation to compromise the critical infrastructure of customers who use their devices.”

Icefall Vulnerabilities Already Exploited Against Ukraine

Terry Olaes is director of sales engineering at Skybox Security.

Skybox Security’s Terry Olaes

“The Russian state-sponsored hacking group known as Sandworm is already known to have successfully leveraged these vulnerabilities against Ukraine in recent months, identifying users and infrastructure, including electrical systems, and disconnecting its electrical substations,” he said. “To stay ahead of cybercriminals, companies must address vulnerability exposure risks before hackers attack them. That means taking a more proactive approach to vulnerability management by learning to identify and prioritize exposed vulnerabilities across the entire threat landscape.”

Organizations should ensure they have solutions capable of quantifying the business impact of cyber risks into economic impact, Olaes said.

“This will help them identify and prioritize the most critical threats based on the size of the financial impact, among other risk analyses such as exposure-based risk scores,” he said.

They must also enhance the maturity of their vulnerability management programs, Olaes said. That will ensure they can quickly discover whether a vulnerability impacts them and how urgent it is to remediate.