Vedere Labs updates OT:ICEFALL findings, adds three more vulnerabilities in Festo automation controllers, CODESYS equipment
November 30, 2022 – Published on Industrial Cyber
Forescout’s Vedere Labs identified three new vulnerabilities affecting OT (operational technology) products from two German vendors – Festo automation controllers and the CODESYS runtime, which is used by hundreds of device manufacturers in different industrial sectors, including Festo. These security loopholes add to the earlier 56 vulnerabilities caused by insecure-by-design practices affecting devices from ten OT vendors, including Baker Hughes (Bentley Nevada), Emerson, Honeywell, JTEKT, Motorola, Omron, Phoenix Contact, Siemens, and Yokogawa.
“As in the original OT:ICEFALL disclosure, these issues exemplify either an insecure-by-design approach— which was usual at the time the products were launched – where manufacturers include dangerous functions that can be accessed with no authentication or a subpar implementation of security controls, such as cryptography,” Vedere Labs researchers wrote in a Tuesday blog post.
The OT:ICEFALL vulnerabilities impact major OT/ICS products, including SCADA systems, PLCs, Distributed Control Systems (DCS), engineering workstations, Human-Machine Interfaces (HMIs), Building Management Systems (BMS), Safety Instrumented Systems (SIS) which, SIS protect life and safety of personnel, Chris Warner, senior security consultant for OT governance and risk at GuidePoint Security, wrote in an emailed statement. “Exploiting the vulnerabilities can lead to remote code execution, firmware manipulation, and authentication bypass creating a greater risk that could cause catastrophic events in life, health, safety, reputation, production, and financial impacts.”
“Asset owners must rely on manufacturers of OT equipment for secure products and secure designs from system integrators,” according to Warner. “The IEC 62443-4-1 has secure product development requirements and IEC 62443-4-2 has technical security requirements for Industrial Automation Control Systems (IACS) components. OT/ICS Manufacturers should leverage the IEC 62443 framework to ensure a minimum level of security,” he added.
Read More HERE.