Insecurity by design encompasses security vulnerabilities that were caused by design choices rather than coding errors. For example, an out of date encryption protocol implemented correctly or not authenticating commands. They are essentially vulnerabilities that are also features of the product.
Unlike vulnerabilities that are created in error, many of these insecure by design issues are known to vendors already — but the vendors have neither alerted users directly nor issued CVEs, Daniel Dos Santos, head of security research at Vedere, told SC Media.
“[With] unauthenticated protocols, it's always the case. They're like, ‘Yeah, we know that this isn't authenticated. It wasn't designed like that,’” he said. OT products, designed to last dozens of years, were often designed during a time when security was an afterthought, and have been fixed on a disjointed, ad-hoc basis ever since.
The affected vendors and product lines are Bently Nevada (3700 and TDI equipment); Emerson (DeltaV, Ovation OpenBSI ControlWave, BB 33xx, ROC,Fanuc, PACsystems); Honeywell (Trend IQ*, Safety Manager FSC, Experion LX, ControlEdge, Saia Burgess PCD); JTEKT (Toyopuc); Motorola (MOSCAD, ACE IP gateway, MDLC, ACE1000, MOSCAD Toolbox STS); Omron SYSMAC (Cx series, Nx series); Phoenix Contact( ProConOS); Siemens (WinCC OA); and Yokogawa (STARDOM). An additional vendor affected by four vulnerabilities was not named by Vedere Labs because it was still amid the disclosure process. Any enterprise using those products should check the report for more detail. Vulnerabilities range from poor encryption to hardcoded credentials.
But the main takeaway from the report, said Dos Santos, is that while a marketplace of security products surrounding OT equipment has matured in the last decade, efforts to harden OT systems through awareness and certifications has still left behind a non-trivial amount of insecure design that vendors are already aware of, but clients are not.
It’s an issue that tracks with Amir Preminger, VP of Research at Claroty. “It makes sense that vendors are aware of security problems with their protocols. It is known that the majority of OT protocols lack basic security capabilities and can be easily exploited by attackers to cause damage,” he said, via email.
“That said,” he added, “some vendors are shifting to develop more secure and improved protocols, and even starting to run internal security reviews of their own products, which yields CVEs reported from the vendor's internal security review teams,”
The Vedere report, dubbed “Project Icefall” comes almost 11 years after “Project Basecamp," an influential audit of ICS products that highlighted insecurity by design. The project is named after the Khumbu Icefall, a sort-of waterfall of ice, and is the first notable feature climbers attempting to summit Mount Everest encounter after leaving basecamp.
Acording to the report, the vast majority of devices audited were listed as certified in a security standard.
“We need to be aware of the issues. Vendors cannot just brush it off, and say, 'Forget about it, let's not talk about it,' right?” said Dos Santos. “We need to we need to have CVEs for these things. We need to have CISA alerts.”
