"Critical Infrastructure Gear Is Full of Flaws, but Hey, at Least It's Certified"

According to security researchers, devices used in critical infrastructure are infested with vulnerabilities that can cause Denial-of-Service (DoS), enable configuration manipulation, and help attackers achieve Remote Code Execution (RCE). In addition, most of these Operational Technology (OT) products, including Industrial Control Systems (ICS) and related devices, claim to have security certifications, some of which they do not actually hold. In a pre-print paper titled "Insecure by Design in the Backbone of Critical Infrastructure," security researchers Jos Wetzels and Daniel dos Santos from Forescout, along with Mohammad Ghafari, a professor in secure Information Technology (IT) systems at the Technical University of Clausthal in Germany, identify 53 CVEs in products from manufacturers of industrial technology. Some of these vulnerabilities are relatively trivial, while others are potentially destructive. The flaws stem from basic security design errors, some of which can have severe impacts. The researchers examined 45 OT product lines from ten major vendors used in government, healthcare, water, oil and gas, power generation, manufacturing, retail, and other sectors. By reverse engineering the products, they uncovered unauthenticated protocols, weak cryptography, and other bad practices. Bently Nevada, Emerson, Honeywell, JTEKT, Motorola, Omron, Phoenix Contact, Siemens, Yokogawa, and Schneider Electric were among the vendors covered by the research. This article continues to discuss the researchers' findings from the analysis of 45 OT product lines.

The Register reports "Critical Infrastructure Gear Is Full of Flaws, but Hey, at Least It's Certified"

Submitted by Anonymous on