Security News > 2022 > June > CISA and friends raise alarm on critical flaws in industrial equipment, infrastructure
Fifty-six vulnerabilities - some deemed critical - have been found in industrial operational technology systems from ten global manufacturers including Honeywell, Ericsson, Motorola, and Siemens, putting more than 30,000 devices worldwide at risk, according to the US government's CISA and private security researchers.
Forescout's Vedere Labs discovered the bugs in devices built by ten vendors in use across the security company's customer base, and collectively named them OT:ICEFALL. According to the researchers, the vulnerabilities affect at least 324 organizations globally - and in reality this number is probably much larger since Forescout only has visibility into its own customers' OT devices.
Most of the flaws occur in level 1 and level 2 OT devices.
Level 1 devices - such as programmable logic controllers and remote terminal units - control physical processes, while level 2 devices include supervisory control and data acquisition and human-machine interface systems.
"So basically, whenever you interact with the device you can call sensitive functions on the device, invoke this function directly without it asking for a password."
The researchers noted that patching these security issues won't be easy - either because they are the result of OT products being insecure by design, or because they require changes in device firmware and supported protocols.
News URL
Related news
- CISA warns of critical Palo Alto Networks bug exploited in attacks (source)
- CISA Alerts to Active Exploitation of Critical Palo Alto Networks Vulnerability (source)
- CISA Urges Agencies to Patch Critical "Array Networks" Flaw Amid Active Attacks (source)
- CISA, FBI Issue Guidance for Securing Communications Infrastructure (source)
- New IOCONTROL malware used in critical infrastructure attacks (source)
- CISA confirms critical Cleo bug exploitation in ransomware attacks (source)
- Iran-linked crew used custom 'cyberweapon' in US critical infrastructure attacks (source)
- CISA Adds Critical Flaw in BeyondTrust Software to Exploited Vulnerabilities List (source)