Several industrial control system (ICS) vendors impacted by the recently-disclosed OT:Icefall vulnerabilities have released advisories to inform customers about the impact of the flaws and to provide mitigations.
OT:Icefall is the name given to a collection of 56 vulnerabilities discovered by Forescout researchers across the products of ten companies that make operational technology (OT) systems.
The flaws are related to insecure engineering protocols, weak cryptography or broken authentication schemes, insecure firmware update mechanisms, and native functionality abuse.
The security holes impact various types of ICS products, including engineering workstations, PLCs, distributed control systems, building controllers, safety instrumented systems, remote terminal units, and SCADA systems. Exploitation of the flaws can lead to remote code execution, DoS attacks, firmware manipulation, compromised credentials, and authentication bypass.
Affected vendors include Baker Hughes (Bentley Nevada), Emerson, Honeywell, JTEKT, Motorola, Omron, Phoenix Contact, Siemens, and Yokogawa. One of the impacted vendors has not been named as the disclosure process is still ongoing.
Patches do not appear to be available, but the impacted vendors have started informing customers about mitigations that should reduce the risk or prevent exploitation. The US Cybersecurity and Infrastructure Security Agency (CISA) has also published advisories for some of the impacted vendors.
JTEKT’s TOYOPUC PLCs are affected by two high-severity vulnerabilities that can be exploited for arbitrary machine code execution, changing controller configurations, manipulating data, or causing a DoS condition.
The mitigations recommended by the vendor include the use of VPNs for remote access, using firewalls to protect control systems, minimizing network exposure, and using LAN port locks to prevent unauthorized devices from being connected to the network.
Phoenix Contact has released two separate advisories for the vulnerabilities affecting its ProConOS and MULTIPROG products, and its classic line industrial controllers. The advisories describe two critical flaws that can be exploited to upload logic with arbitrary malicious code to a controller.
Mitigations recommended by the vendor include network segmentation to protect industrial controllers, protecting connections between engineering tools and controllers, and saving or transmitting project data securely.
Siemens has published an advisory to inform customers about one critical client-side authentication issue affecting its SIMATIC WinCC OA product. Exploitation of the flaw can allow an attacker to impersonate other users or exploit the client-server protocol without authentication.
Exploitation can be prevented by ensuring that server-side authentication or Kerberos authentication is enabled.
Yokogawa’s STARDOM PLCs are affected by three types of security issues, including related to insecure transmission of credentials, hardcoded credentials, and the lack of firmware integrity mechanisms.
The vendor has released an advisory describing the two credentials-related vulnerabilities, to which a “medium severity” rating has been assigned. Mitigations include preventing MitM attacks, and only allowing trusted hosts to connect to the controller.
An advisory has been published for the four vulnerabilities discovered in Omron PLCs. For three of the flaws the vendor has made available mitigations, and for one of them it plans on releasing an update in July 2022.
Three different advisories have been published for the eight vulnerabilities discovered in Motorola RTUs, gateways, and a protocol parser. Motorola’s recommendations for these flaws include mitigations and product upgrades.
CISA has also published an advisory on behalf of Bently Nevada, whose machinery monitors are affected by critical and high-severity OT:Icefall vulnerabilities. The vendor has advised customers to upgrade their devices to a newer version that has the diagnostics port disabled and hardcoded credentials removed from the firmware image.
*updated on June 29, 2022 with Omron and Motorola advisories, on July 8 with Bently Nevada advisory, on July 27 with Honeywell advisories, and on August 9 with Emerson advisories