Critical infrastructure gear is full of flaws, but hey, at least it's certified
Security researchers find bugs, big and small, in every industrial box probed
Devices used in critical infrastructure are riddled with vulnerabilities that can cause denial of service, allow configuration manipulation, and achieve remote code execution, according to security researchers.
And most of these operational technology (OT) products – which include industrial control systems and related devices – claim security certifications, some of which they did not actually have.
In a pre-print paper titled, "Insecure by Design in the Backbone of Critical Infrastructure," Jos Wetzels and Daniel dos Santos, security researchers at Forescout, and Mohammad Ghafari, professor for secure IT systems at Technical University of Clausthal, Germany, identify 53 CVEs in products from the makers of industrial technology, some trivial and some critical.
The flaws arise from basic security design failures, some of which can lead to serious consequences.
The researchers looked at 45 OT product lines used in government, healthcare, water, oil and gas, power generation, manufacturing, retail and other sectors from ten different major vendors. By reverse engineering the products, they were able to identify bad practices like unauthenticated protocols and weak cryptography.
The vendors covered included: Bently Nevada, Emerson, Honeywell, JTEKT, Motorola, Omron, Phoenix Contact, Siemens, Yokogawa, and Schneider Electric.
"We found that every product suffers from at least one trivial vulnerability," the trio said in their paper, which is scheduled to be presented at the IEEE/ACM Workshop on the Internet of Safe Things in May. "We reported a total of 53 weaknesses, including several critical issues, with impacts ranging from denial-of-service and configuration manipulation to remote code execution."
- What to do about inherent security flaws in critical infrastructure?
- CISA and friends raise alarm on critical flaws in industrial equipment, infrastructure
- Pushers of insecure software in Biden's crosshairs
- 'Woefully insufficient': Biden administration's assessment of critical infrastructure infosec protection
More than a third (21 CVEs) could facilitate credential compromise. Another 18 CVEs involved data manipulation, with 13 of these allowing firmware manipulation. And 10 CVEs provided a path to remote code execution.
One of the ways in which remote code execution could be achieved would be through firmware tampering.
"Only 51 percent of the examined devices had some sort of authentication for firmware updates, even if it was in the form of hardcoded credentials in some cases," the trio said, adding that 78 percent did not implement cryptographic firmware signing.
Only 51 percent of the examined devices had some sort of authentication for firmware updates
Most of the software components involved (84 percent) "were written in C++ which is typically more tedious and involved than C or .NET," the researchers explain, adding that the firmware relied on a mix of C or C++ without encryption or obfuscation, though often with proprietary file formats.
Hardware architectures included: Arm (31 percent), x86 (26 percent), PowerPC (24 percent), SuperH (12 percent), and others (7 percent). Firmware architectures included: VxWorks (22 percent), QNX (14 percent), Linux (13 percent), WinCE (9 percent), OS-9 (4 percent), ITRON/TKERNEL (4 percent), along with 11 percent using a custom OS and 23 percent using other operating systems.
The authors note that they followed responsible disclosure practices and that some of the manufacturers disagreed with their findings. In five instances, the authors accepted the vendor's response and dropped or moderated their disclosure, or adjusted the timing of the disclosure. In at least ten cases, no agreement was reached, leading to some public CVEs without vendor participation.
Based on open source inquiries (e.g., using the Shodan search engine), the authors determined that a significant number of potentially vulnerable systems are exposed to the internet.
These products are certified but suffer from vulnerabilities that should have been caught in the certification process
Italy topped the list for the number of exposed devices (1,255), followed by Germany (440), Spain (393), France (376), Switzerland (263), and the US (178).
"Worryingly, many of these products are certified but suffer from vulnerabilities that should have been caught in the certification process," the researchers say in their paper, citing IEC 62443 labelled products that weren't compliant. "...This suggests that apart from what the standards may not cover, even the things they do cover are not always properly covered in practice."
The Biden administration has cited the need to protect critical infrastructure as part of its recently announced National Cybersecurity Strategy. That goal evidently remains a work in progress.
"We conclude that despite a decade of efforts in improving OT security, the OT install base is still suffering from insecure-by-design issues even for products that are security certified," the researchers say. ®