"Researchers Reveal 56 OT Bugs in 'Icefall' Report"

Security researchers at Forescout have recently disclosed 56 new vulnerabilities in 10 operational technology (OT) vendors’ products. The researchers say the vulnerabilities demonstrate significant “insecure-by-design” practices. The impacted manufacturers are Bently Nevada, Emerson, Honeywell, JTEKT, Motorola, Omron, Phoenix Contact, Siemens, and Yokogawa. The researchers stated that the vulnerabilities broadly fit into four categories: insecure engineering protocols, weak cryptography or broken authentication schemes, insecure firmware updates, and remote code execution (RCE) via native functionality. They noted that the most common vulnerability type enables attackers to compromise credentials (38%), followed by firmware manipulation (21%), RCE (14%), and configuration manipulation (8%). A small number of the bugs allow DoS, authentication bypass, file manipulation, and logic manipulation. The researchers stated that opacity in the industry is harming efforts to improve the security of OT products. Many insecure-by-design problems aren’t assigned CVEs, so they often remain “less visible and actionable,” the researchers argued.

 

Infosecurity reports: "Researchers Reveal 56 OT Bugs in 'Icefall' Report"

Submitted by Anonymous on