On Monday researchers at Forescout’s Vedere Labs disclosed 56 vulnerabilities in Operational Technology (OT) devices from 10 vendors (published under the name OT:ICEFALL). The affected products include Distributed Control Systems, Programmable Logic Controllers (PLCs), Remote Terminal Units, and a Supervisory Control and Data Acquisition (SCADA) system. Using Shodan, the researchers also found more than 5,000 affected devices directly exposed to the internet. The vendors named in the disclosure are Bently Nevada, Emerson, Honeywell, JTEKT, Motorola, Omron, Phoenix Contact, Siemens, and Yokogawa.
To quote Digital Bond’s Project Basecamp, most of these vulnerabilities exist because the OT devices and their protocols are “Insecure by Design”: the engineering protocols were never built to authenticate who is talking to the device, so a patch cannot fully fix them. That means extra care is needed when deploying OT devices in company infrastructure. Severely limit who can reach them, using both physical and logical separation of networks, and back the logical segregation up with access control lists (ACLs) or restrictive firewall rules that permit only the specific source hosts and protocol ports each device actually needs. Apply the principle of least functionality when designing these controls: if an engineering workstation is the only thing that should program a PLC, nothing else should be able to open that port.
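The following is an added example, not code from the Forescout report or from any of the vendors named above. It models the least-functionality policy described in the preceding paragraph as a first-match allow list between network zones, audits constructed flow records against it, and renders the same policy as nftables rule lines. The address plan, zone names, host addresses and flow records are all hypothetical; the only real-world constants are the well-known OT ports (S7comm/ISO-TSAP on TCP/102, Modbus on TCP/502).

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical address plan for this example; not from the report or any vendor.
ZONES = {
    "corporate": ipaddress.ip_network("10.0.0.0/16"),
    "engineering": ipaddress.ip_network("10.10.20.0/24"),
    "scada": ipaddress.ip_network("10.10.25.0/24"),
    "plc": ipaddress.ip_network("10.10.30.0/24"),
}


@dataclass(frozen=True)
class Rule:
    src_zone: str       # zone name or "any"
    dst_zone: str       # zone name or "any"
    ports: frozenset    # permitted TCP destination ports; empty means any port
    action: str         # "allow" or "deny"


# Least-functionality policy, first match wins: engineering workstations may
# program PLCs over S7comm (TCP/102) and Modbus (TCP/502), SCADA servers may
# only poll Modbus, and everything else destined for the PLC zone is dropped.
POLICY = [
    Rule("engineering", "plc", frozenset({102, 502}), "allow"),
    Rule("scada", "plc", frozenset({502}), "allow"),
    Rule("any", "plc", frozenset(), "deny"),
]


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the plan is 'external'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def decide(src_ip: str, dst_ip: str, dport: int):
    """Return ("allow"|"deny", matched rule), or ("unscoped", None) if no rule applies."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for rule in POLICY:
        if rule.src_zone not in ("any", src_zone):
            continue
        if rule.dst_zone not in ("any", dst_zone):
            continue
        if rule.ports and dport not in rule.ports:
            continue
        return rule.action, rule
    return "unscoped", None


# Constructed flow records in "timestamp src dst proto dport" form.
SAMPLE_FLOWS = """\
2022-07-04T09:14:02Z 10.10.20.15 10.10.30.7 tcp 502
2022-07-04T09:14:05Z 10.10.25.10 10.10.30.7 tcp 502
2022-07-04T09:15:11Z 10.0.4.22 10.10.30.7 tcp 502
2022-07-04T09:16:40Z 10.10.20.15 10.10.30.9 tcp 80
2022-07-04T09:17:03Z 203.0.113.5 10.10.30.7 tcp 102
2022-07-04T09:17:30Z 10.10.25.10 10.10.30.7 tcp 102
2022-07-04T09:18:00Z 10.0.4.22 10.0.9.1 tcp 443
"""


def audit_flows(text: str):
    """Return flows the policy would have denied, as (src, dst, dport, reason) tuples."""
    violations = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, proto, dport = line.split()
        if proto != "tcp":
            continue  # this policy only models TCP; UDP protocols such as BACnet need their own rules
        verdict, _rule = decide(src, dst, int(dport))
        if verdict == "deny":
            violations.append((src, dst, int(dport), f"{zone_of(src)} -> {zone_of(dst)} not permitted"))
    return violations


def to_nft(policy=POLICY):
    """Render the policy as nftables rule lines, preserving first-match order."""
    lines = []
    for r in policy:
        parts = []
        if r.src_zone != "any":
            parts.append(f"ip saddr {ZONES[r.src_zone]}")
        if r.dst_zone != "any":
            parts.append(f"ip daddr {ZONES[r.dst_zone]}")
        if r.ports:
            parts.append(f"tcp dport {{ {', '.join(str(p) for p in sorted(r.ports))} }}")
        parts.append("accept" if r.action == "allow" else "drop")
        lines.append(" ".join(parts))
    return lines


if __name__ == "__main__":
    for v in audit_flows(SAMPLE_FLOWS):
        print("VIOLATION", *v)
    print("\n".join(to_nft()))
```

Two of the flagged flows are worth noticing: the SCADA server talking S7comm, and an engineering workstation hitting a PLC's web port. Both come from hosts that are allowed to reach the PLC zone, which is exactly the traffic a zone-only ACL would wave through; restricting by port as well is what least functionality means in practice.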
Vedere Labs notes that the categories of the vulnerabilities (Remote Code Execution, Denial of Service, Configuration Manipulation, Compromise of Credentials, and Authentication Bypass) don’t tell the whole story. When analyzing a vulnerability, consider what it actually lets an attacker do in the context of the system it sits in: an authentication bypass on a device whose engineering protocol never required credentials gives an attacker nothing they didn’t already have, while a denial of service against a controller that runs a safety function can be as serious as taking it over. An accurate asset inventory (what each device controls, which network zone it sits in, and whether it is reachable from the corporate network or the internet) is what makes that kind of contextual risk rating possible.
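As an added example (not from the report), the following rates each finding by combining its disclosed category with the asset's role, network zone and protocol properties taken from an inventory, as the paragraph above recommends. The weights, thresholds, asset records and findings are all hypothetical choices made for illustration; tune them to your own site.

```python
from dataclasses import dataclass

# Illustrative weights, not values from the Forescout report.
CATEGORY_WEIGHT = {
    "remote-code-execution": 4,
    "configuration-manipulation": 3,
    "authentication-bypass": 3,
    "compromise-of-credentials": 2,
    "denial-of-service": 2,
}
ROLE_WEIGHT = {"safety": 4, "process-control": 3, "monitoring": 2, "test-bench": 1}
ZONE_WEIGHT = {"internet": 4, "corporate-reachable": 3, "segmented": 2, "isolated": 1}
AUTH_CATEGORIES = {"authentication-bypass", "compromise-of-credentials"}


@dataclass(frozen=True)
class Asset:
    asset_id: str
    role: str                    # what the device does in the process
    zone: str                    # how reachable it is
    unauthenticated_protocol: bool  # engineering protocol needs no credentials at all


@dataclass(frozen=True)
class Finding:
    asset: Asset
    category: str                # one of the disclosure categories above


@dataclass(frozen=True)
class Rated:
    finding: Finding
    score: int
    rating: str
    rationale: str


def rate(f: Finding) -> Rated:
    """Score = category weight x asset role x zone, after two context adjustments."""
    cat = CATEGORY_WEIGHT[f.category]
    notes = []
    # An auth bypass or credential leak on a protocol that never authenticates
    # grants nothing new; keep it on the list but rank it at the baseline.
    if f.category in AUTH_CATEGORIES and f.asset.unauthenticated_protocol:
        cat = 1
        notes.append("protocol already needs no credentials, so this grants nothing new")
    # Losing a safety function is as severe as taking it over.
    if f.category == "denial-of-service" and f.asset.role == "safety":
        cat = CATEGORY_WEIGHT["remote-code-execution"]
        notes.append("loss of a safety function is as severe as control of it")
    score = cat * ROLE_WEIGHT[f.asset.role] * ZONE_WEIGHT[f.asset.zone]
    if score >= 32:
        rating = "critical"
    elif score >= 16:
        rating = "high"
    elif score >= 8:
        rating = "medium"
    else:
        rating = "low"
    rationale = f"{f.category} on {f.asset.role} asset in {f.asset.zone} zone"
    if notes:
        rationale += "; " + "; ".join(notes)
    return Rated(f, score, rating, rationale)


def rank(findings):
    """Highest score first; Python's sort is stable, so ties keep input order."""
    return sorted((rate(f) for f in findings), key=lambda r: r.score, reverse=True)


# Constructed inventory and findings for the example.
RTU = Asset("rtu-remote", "monitoring", "internet", True)
PLC = Asset("plc-line1", "process-control", "corporate-reachable", True)
SIS = Asset("sis-01", "safety", "segmented", False)
BENCH = Asset("bench-plc", "test-bench", "isolated", True)

SAMPLE_FINDINGS = [
    Finding(RTU, "remote-code-execution"),
    Finding(PLC, "authentication-bypass"),
    Finding(SIS, "denial-of-service"),
    Finding(BENCH, "remote-code-execution"),
    Finding(PLC, "configuration-manipulation"),
]

if __name__ == "__main__":
    for r in rank(SAMPLE_FINDINGS):
        print(f"{r.rating:8} {r.score:3} {r.finding.asset.asset_id:12} {r.rationale}")
```

Note how the same category lands in very different places: remote code execution is critical on the internet-facing RTU and low on the isolated bench unit, and the authentication bypass on the line PLC drops to medium because that PLC's protocol was never authenticated to begin with. None of those distinctions can be made from the vulnerability list alone; they all come from the inventory.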