Virtual Event Today: Supply Chain Security Summit - Join Event In-Progress

Security Experts:

Connect with us

Hi, what are you looking for?



ICS Vendors Respond to OT:Icefall Vulnerabilities Impacting Critical Infrastructure

Several industrial control system (ICS) vendors impacted by the recently-disclosed OT:Icefall vulnerabilities have released advisories to inform customers about the impact of the flaws and to provide mitigations.

Several industrial control system (ICS) vendors impacted by the recently-disclosed OT:Icefall vulnerabilities have released advisories to inform customers about the impact of the flaws and to provide mitigations.

OT:Icefall is the name given to a collection of 56 vulnerabilities discovered by Forescout researchers across the products of ten companies that make operational technology (OT) systems.

The flaws are related to insecure engineering protocols, weak cryptography or broken authentication schemes, insecure firmware update mechanisms, and native functionality abuse.

The security holes impact various types of ICS products, including engineering workstations, PLCs, distributed control systems, building controllers, safety instrumented systems, remote terminal units, and SCADA systems. Exploitation of the flaws can lead to remote code execution, DoS attacks, firmware manipulation, compromised credentials, and authentication bypass.

Affected vendors include Baker Hughes (Bentley Nevada), Emerson, Honeywell, JTEKT, Motorola, Omron, Phoenix Contact, Siemens, and Yokogawa. One of the impacted vendors has not been named as the disclosure process is still ongoing.

[ READ: Industry Reactions to ‘OT:Icefall’ Vulnerabilities Found in ICS Products ]

Patches do not appear to be available, but the impacted vendors have started informing customers about mitigations that should reduce the risk or prevent exploitation. The US Cybersecurity and Infrastructure Security Agency (CISA) has also published advisories for some of the impacted vendors.


JTEKT’s TOYOPUC PLCs are affected by two high-severity vulnerabilities that can be exploited for arbitrary machine code execution, changing controller configurations, manipulating data, or causing a DoS condition.

The mitigations recommended by the vendor include the use of VPNs for remote access, using firewalls to protect control systems, minimizing network exposure, and using LAN port locks to prevent unauthorized devices from being connected to the network.

Phoenix Contact

Phoenix Contact has released two separate advisories for the vulnerabilities affecting its ProConOS and MULTIPROG products, and its classic line industrial controllers. The advisories describe two critical flaws that can be exploited to upload logic with arbitrary malicious code to a controller.

Mitigations recommended by the vendor include network segmentation to protect industrial controllers, protecting connections between engineering tools and controllers, and saving or transmitting project data securely.


Siemens has published an advisory to inform customers about one critical client-side authentication issue affecting its SIMATIC WinCC OA product. Exploitation of the flaw can allow an attacker to impersonate other users or exploit the client-server protocol without authentication.

Exploitation can be prevented by ensuring that server-side authentication or Kerberos authentication is enabled.


Yokogawa’s STARDOM PLCs are affected by three types of security issues, including related to insecure transmission of credentials, hardcoded credentials, and the lack of firmware integrity mechanisms.

The vendor has released an advisory describing the two credentials-related vulnerabilities, to which a “medium severity” rating has been assigned. Mitigations include preventing MitM attacks, and only allowing trusted hosts to connect to the controller.


An advisory has been published for the four vulnerabilities discovered in Omron PLCs. For three of the flaws the vendor has made available mitigations, and for one of them it plans on releasing an update in July 2022. 


Three different advisories have been published for the eight vulnerabilities discovered in Motorola RTUs, gateways, and a protocol parser. Motorola’s recommendations for these flaws include mitigations and product upgrades. 

Bently Nevada

CISA has also published an advisory on behalf of Bently Nevada, whose machinery monitors are affected by critical and high-severity OT:Icefall vulnerabilities. The vendor has advised customers to upgrade their devices to a newer version that has the diagnostics port disabled and hardcoded credentials removed from the firmware image.


CISA has published two advisories describing impact of the vulnerabilities on Honeywell’s Safety Manager and Saia Burgess PG5 PCD products.


CISA has published two advisories to describe the impact of the vulnerabilities on Emerson ControlWave and OpenBSI products. The vendor has shared mitigation advice for both products. 

*updated on June 29, 2022 with Omron and Motorola advisories, on July 8 with Bently Nevada advisory, on July 27 with Honeywell advisories, and on August 9 with Emerson advisories

Related: ICS Vendors Assess Impact of INFRA:HALT Vulnerabilities

Related: ICS Vendors Respond to Log4j Vulnerabilities

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.


Twenty-one cybersecurity-related M&A deals were announced in December 2022.