Skip to content

Vedere Labs updates OT:ICEFALL findings, adds three more vulnerabilities in Festo automation controllers, CODESYS equipment

Posted by: GuidePoint Security

< 1 min read

November 30, 2022 – Published on Industrial Cyber

Forescout’s Vedere Labs identified three new vulnerabilities affecting OT (operational technology) products from two German vendors – Festo automation controllers and the CODESYS runtime, which is used by hundreds of device manufacturers in different industrial sectors, including Festo. These security loopholes add to the earlier 56 vulnerabilities caused by insecure-by-design practices affecting devices from ten OT vendors, including Baker Hughes (Bentley Nevada), Emerson, Honeywell, JTEKT, Motorola, Omron, Phoenix Contact, Siemens, and Yokogawa.

“As in the original OT:ICEFALL disclosure, these issues exemplify either an insecure-by-design approach— which was usual at the time the products were launched – where manufacturers include dangerous functions that can be accessed with no authentication or a subpar implementation of security controls, such as cryptography,” Vedere Labs researchers wrote in a Tuesday blog post. 

The OT:ICEFALL vulnerabilities impact major OT/ICS products, including SCADA systems, PLCs, Distributed Control Systems (DCS), engineering workstations, Human-Machine Interfaces (HMIs), Building Management Systems (BMS), Safety Instrumented Systems (SIS) which, SIS protect life and safety of personnel, Chris Warner, senior security consultant for OT governance and risk at GuidePoint Security, wrote in an emailed statement. “Exploiting the vulnerabilities can lead to remote code execution, firmware manipulation, and authentication bypass creating a greater risk that could cause catastrophic events in life, health, safety, reputation, production, and financial impacts.”

“Asset owners must rely on manufacturers of OT equipment for secure products and secure designs from system integrators,” according to Warner. “The IEC 62443-4-1 has secure product development requirements and IEC 62443-4-2 has technical security requirements for Industrial Automation Control Systems (IACS) components. OT/ICS Manufacturers should leverage the IEC 62443 framework to ensure a minimum level of security,” he added.

Read More HERE.

Categories: Cybersecurity Governance, Risk & Compliance Vulnerability Management & Penetration Testing
Tags:ICS

GuidePoint Security

The Importance of OT Cybersecurity
For the past 25 years, I have been working with Operational Technology (OT), and for the last 10 I have […]
View Page

Related Articles

View All

  • Blog
The Importance of OT Cybersecurity
Posted by: GuidePoint Security
Read More 10 min read
  • Cybersecurity
ICS Security Services
Read More < 1 min read
  • Cybersecurity
Considerations for merging your IT and OT environments into ICS
Posted by: GuidePoint Security
Read More 3 min read