Forescout’s Vedere Labs today disclosed an update to its OT:ICEFALL study distributed in June 2022, which detailed vulnerabilities found in thousands of OT (operational technology) devices. Vedere Labs’ research has uncovered three new vulnerabilities affecting OT products from two German vendors, Festo and CODESYS, that could impact device manufacturers across different industrial sectors globally.
The new vulnerabilities are similar to others that have been previously included in the original OT:ICEFALL disclosure. These issues highlight either an insecure-by-design approach where manufacturers include dangerous functions that can be accessed with no authentication, or a subpar implementation of security controls, such as cryptography.
“Threat actors are adapting their attack methods in tandem with current cybersecurity trends to maximise outcomes,” said Daniel dos Santos, Head of Security Research, Forescout Vedere Labs. “For instance, cybercriminals are exploiting vulnerabilities in connected devices to gain access to organizational networks, enabling them to launch attacks on OT systems that can cause physical business disruption. With new malware specifically targeting known OT security gaps, these collectively reaffirm a clear need for OT security standards that can be useful to mitigate risks arising from insecure design.”
New Vulnerabilities in Festo Automation Controllers and CODESYS V3
Details of the new vulnerabilities found in Festo automation controllers and the CODESYS V3 runtime include the following:
- CODESYS V3 Runtime: The CODESYS V3 runtime environment offers application encryption to ensure download code and boot applications are encrypted. CODESYS’ runtime is used by hundreds of device manufacturers around the world, inclusive of Festo. CODESYS V3 before version 3.5.18.40 has been found to use weak cryptography for download code and boot applications, enabling attackers to trivially decrypt and manipulate protected code by brute forcing session keys.
- Festo CPX-CEC-C1 and CPX-CMXX controllers: These controllers allow unauthenticated, remote access to critical webpage functions. Anyone with network access to a controller can browse to a hidden web page found on the controller’s filesystem, causing the controller to reboot immediately and potentially causing a denial of service.
- Festo controllers using the Festo Generic Multicast (FGMC) protocol: The FGMC protocol allows for the unauthenticated reboot of controllers and other sensitive operations. The same effect can be obtained with the Festo Field Device Tool, which uses FGMC to communicate. Controllers can also be rebooted without authentication via the PLC Browser tool, which allows operators to issue commands.
A more detailed overview of each vulnerability may be found here and in Forescout’s technical report.
Recommendations to Mitigate Risk
As patching or replacing OT devices is notoriously difficult due to their mission-critical nature, Forescout recommends that organisations adopt mitigation strategies that prioritise securing their increased attack surface based on up-to-date threat intelligence. These strategies include:
- Discover and inventory connected devices: Organisations need to be able to collect and maintain up-to-date information about cyber assets as soon as they join or leave the network, providing them with information such as what the device is, where it is connected to, and where the connection originates. This empowers security teams with the necessary context to recognise and differentiate between legitimate and unauthorised devices, enabling appropriate follow-up actions to be taken.
- Segmentation controls and proper network hygiene: Organisations should segment their network to isolate IT and OT to decrease the probability of OT/ICS malware reaching its target. Security teams should also be able to restrict external communication or isolate vulnerable devices as a mitigating control until vulnerabilities can be patched.
- Monitor all network traffic: Security teams should adopt monitoring solutions capable of alerting them of malicious indicators and behaviours such as intrusions attempting to exploit known vulnerabilities or possible 0-days. Anomalous and malformed traffic should be blocked, or at least flagged to network operators.
