A recent research report from Forescout’s Vedere Labs finds that the OT devices that make up industrial control systems often ship with vulnerabilities that are difficult to remediate or patch out, and are well known to attackers.
The study lists a total of 56 vulnerabilities in at least 24 model types made by 10 different vendors. These are pieces of equipment from big names in industrial control systems, and used in a wide variety of applications.
Built to last decades, industrial control systems prove resistant to security updates
OT devices are meant to do hard, repetitive work for many years, and cybersecurity is not often a key consideration in their design. As a result, it frequently proves difficult to address vulnerabilities that surface some years into the long life of this equipment. Key features of OT devices are also sometimes designed without security in mind, leaving them open to abuse from the moment they ship. Attackers can, in some cases, learn everything they need to know to compromise industrial control systems simply by reading a manufacturer’s manual.
Various industry-standard security certifications are supposed to guarantee to buyers that their industrial control systems will not develop problems of this nature. But the research report finds that substantial gaps between what the certification promises and the level of security it actually delivers are not uncommon. Guarantees are often only good until the current hardware or software version is updated, or require periodic recertification that creates an extra cost for the buyer.
More of a security-first perspective needed in design of OT devices
Repeatable and relatively simple exploits in industrial control systems are not just a cause of concern for individual organizations; they create the possibility of a widespread attack on critical infrastructure. Some nation-state hacking groups, most notably those of Russia, have been exploiting flaws in OT devices with custom malware for some years now (including attempted attacks connected to the current invasion of Ukraine).
Unfortunately, there are no simple answers for impacted organizations. Flaws in how features work can rarely be patched out, and some known vulnerabilities also cannot be directly corrected. In some cases, operators of industrial control systems are stuck with “workaround” measures, primarily segmenting the hardware from the internet as much as possible. Owners of OT devices are also advised to monitor internet traffic specifically for certain telltale signs that an attack is being attempted on industrial equipment.
The study finds that, in total, over 70% of the known vulnerabilities it documents allow attackers to either compromise user credentials from the outside or to directly manipulate device firmware; in both cases this can lead not just to total compromise of specific OT devices, but a path to move into networks and step up access privileges. Other types of attacks allow hackers to shut down or damage the equipment without gaining full access to it.
Equipment from major manufacturers is impacted by the vulnerabilities found in this study: Siemens, Motorola, Honeywell, Emerson and others. Despite this, nearly 3 out of 4 of these devices carry some sort of security certification touting their safety and resilience to cyber attacks.
The researchers found, via a simple Shodan search that can be conducted by just about anyone, that there are nearly 6000 internet-connected industrial control systems with impacted devices. If unable to cordon these devices off from the internet, organizations will need to place added protections in the way of hackers such as firewalls and physical switches.