Security Experts:

ICS Vendors Respond to OT:Icefall Vulnerabilities Impacting Critical Infrastructure

Several industrial control system (ICS) vendors impacted by the recently-disclosed OT:Icefall vulnerabilities have released advisories to inform customers about the impact of the flaws and to provide mitigations.

OT:Icefall is the name given to a collection of 56 vulnerabilities discovered by Forescout researchers across the products of ten companies that make operational technology (OT) systems.

The flaws are related to insecure engineering protocols, weak cryptography or broken authentication schemes, insecure firmware update mechanisms, and native functionality abuse.

The security holes impact various types of ICS products, including engineering workstations, PLCs, distributed control systems, building controllers, safety instrumented systems, remote terminal units, and SCADA systems. Exploitation of the flaws can lead to remote code execution, DoS attacks, firmware manipulation, compromised credentials, and authentication bypass.

Affected vendors include Baker Hughes (Bentley Nevada), Emerson, Honeywell, JTEKT, Motorola, Omron, Phoenix Contact, Siemens, and Yokogawa. One of the impacted vendors has not been named as the disclosure process is still ongoing.

[ READ: Industry Reactions to 'OT:Icefall' Vulnerabilities Found in ICS Products ]

Patches do not appear to be available, but the impacted vendors have started informing customers about mitigations that should reduce the risk or prevent exploitation. The US Cybersecurity and Infrastructure Security Agency (CISA) has also published advisories for some of the impacted vendors.

JTEKT

JTEKT’s TOYOPUC PLCs are affected by two high-severity vulnerabilities that can be exploited for arbitrary machine code execution, changing controller configurations, manipulating data, or causing a DoS condition.

The mitigations recommended by the vendor include the use of VPNs for remote access, using firewalls to protect control systems, minimizing network exposure, and using LAN port locks to prevent unauthorized devices from being connected to the network.

Phoenix Contact

Phoenix Contact has released two separate advisories for the vulnerabilities affecting its ProConOS and MULTIPROG products, and its classic line industrial controllers. The advisories describe two critical flaws that can be exploited to upload logic with arbitrary malicious code to a controller.

Mitigations recommended by the vendor include network segmentation to protect industrial controllers, protecting connections between engineering tools and controllers, and saving or transmitting project data securely.

Siemens

Siemens has published an advisory to inform customers about one critical client-side authentication issue affecting its SIMATIC WinCC OA product. Exploitation of the flaw can allow an attacker to impersonate other users or exploit the client-server protocol without authentication.

Exploitation can be prevented by ensuring that server-side authentication or Kerberos authentication is enabled.

Yokogawa

Yokogawa’s STARDOM PLCs are affected by three types of security issues, including related to insecure transmission of credentials, hardcoded credentials, and the lack of firmware integrity mechanisms.

The vendor has released an advisory describing the two credentials-related vulnerabilities, to which a “medium severity” rating has been assigned. Mitigations include preventing MitM attacks, and only allowing trusted hosts to connect to the controller.

Omron

An advisory has been published for the four vulnerabilities discovered in Omron PLCs. For three of the flaws the vendor has made available mitigations, and for one of them it plans on releasing an update in July 2022. 

Motorola

Three different advisories have been published for the eight vulnerabilities discovered in Motorola RTUs, gateways, and a protocol parser. Motorola’s recommendations for these flaws include mitigations and product upgrades. 

Bently Nevada

CISA has also published an advisory on behalf of Bently Nevada, whose machinery monitors are affected by critical and high-severity OT:Icefall vulnerabilities. The vendor has advised customers to upgrade their devices to a newer version that has the diagnostics port disabled and hardcoded credentials removed from the firmware image.

Honeywell

CISA has published two advisories describing impact of the vulnerabilities on Honeywell's Safety Manager and Saia Burgess PG5 PCD products. 

*updated on June 29, 2022 with Omron and Motorola advisories, on July 8 with Bently Nevada advisory, and on July 27 with Honeywell advisories

Related: ICS Vendors Assess Impact of INFRA:HALT Vulnerabilities

Related: ICS Vendors Respond to Log4j Vulnerabilities

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.