CISA warns of software flaws in industrial control systems

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning organizations to check for recently disclosed vulnerabilities affecting operational technology (OT) devices, which should always be isolated from the Internet but in practice often are not.

CISA has released five advisories covering multiple vulnerabilities affecting industrial control systems that were discovered by Forescout researchers.

Forescout released its report, "OT:ICEFALL", this week. It covers a set of common security issues in software for operational technology (OT) devices. The bugs it discloses affect devices from vendors such as Honeywell, Motorola, and Siemens.

OT is a subset of the Internet of Things (IoT). OT covers industrial control systems (ICS) that can connect to the Internet, whereas the broader IoT category also includes consumer goods such as televisions, doorbells, and routers.

Forescout's single report covers 56 vulnerabilities and highlights these common issues.

CISA has released five corresponding Industrial Control Systems Advisories (ICSA). It says these notify organizations of the reported vulnerabilities and identify baseline mitigations for reducing the risk of these and other cybersecurity attacks.

The advisories include details of a major flaw affecting software from Japan's JTEKT, three flaws affecting devices from US vendor Phoenix Contact, and one flaw affecting products of the German company Siemens.

Advisory ICSA-22-172-02 (JTEKT TOYOPUC) details missing-authentication and privilege-escalation flaws with a severity score of 7.2 out of 10.

The flaws affecting Phoenix Contact devices are detailed in three advisories: ICSA-22-172-03 (Phoenix Contact Classic Line Controller), ICSA-22-172-04 (Phoenix Contact ProConOS and MULTIPROG), and ICSA-22-172-05 (Phoenix Contact Classic Line Industrial Controller).

The critical vulnerability in Siemens software is covered in advisory ICSA-22-172-06 (Siemens WinCC OA). It is a remotely exploitable bug with a severity score of 9.8 out of 10.

“A successful exploitation of this vulnerability could allow an attacker to impersonate another user or exploit the client-server protocol without being authenticated,” CISA said.

OT devices are supposed to be air-gapped from the network, but often are not, which gives advanced attackers a wider range of targets to break into.

The 56 vulnerabilities identified by Forescout fall into four major categories: insecure engineering protocols, weak cryptography or broken authentication schemes, insecure firmware updates, and remote code execution via native functionality.

The company has published the collection of vulnerabilities (CVEs) to show that flaws in the hardware supplied for critical infrastructure are a common problem.

"With OT:ICEFALL, we wanted to disclose and provide a quantitative overview of OT insecure-by-design vulnerabilities rather than rely on the periodic bursts of CVEs for a single product, or on a small number of published real-world incidents that are often brushed off as a particular vendor or asset owner making a mistake," Forescout said.

"The goal is to explain how the opaque and proprietary nature of these systems, the suboptimal vulnerability management surrounding them, and the often false sense of security provided by certification significantly complicate OT risk management efforts."

Forescout's blog post details several common shortcomings that developers should be aware of:

  • Many vulnerabilities are insecure by design: More than one-third (38%) of the vulnerabilities found allow credential compromise, with firmware manipulation second (21%) and remote code execution third (14%).
  • Vulnerable products are often certified: 74% of the affected product families have some form of security certification, and most of the issues warned about should have been discovered relatively quickly during in-depth vulnerability discovery. Factors contributing to this include a limited evaluation scope, opaque security definitions, and a focus on functional testing.
  • Risk management is complicated by the lack of CVEs: It is not enough to know that a device or protocol is insecure. To make informed risk management decisions, asset owners need to know how insecure these components are. Issues considered insecure by design are often given less visibility and are less actionable than they should be, because CVEs are not always assigned.
  • Supply chain components are also insecure by design: Vulnerabilities in OT supply chain components tend not to be reported by every affected manufacturer, which makes risk management difficult.
  • Not all insecure designs are created equal: None of the analyzed systems support logic signing, and most (52%) compile logic into native machine code. 62% of these systems accept firmware downloads over Ethernet, but only 51% have authentication for this feature.
  • Offensive capabilities are often more feasible to develop than you might imagine: Reverse engineering a single proprietary protocol took a day or two, while achieving the same for a complex multi-protocol system took five to six months.
