CISA and friends raise alarm on critical flaws in industrial equipment, infrastructure
2022-06-21 04:01

Fifty-six vulnerabilities - some deemed critical - have been found in industrial operational technology systems from ten global manufacturers including Honeywell, Ericsson, Motorola, and Siemens, putting more than 30,000 devices worldwide at risk, according to the US government's CISA and private security researchers.

Forescout's Vedere Labs discovered the bugs in devices from ten vendors that are in use across the security company's customer base, and collectively named them OT:ICEFALL. According to the researchers, the vulnerabilities affect at least 324 organizations globally - and in reality this number is probably much larger, since Forescout only has visibility into its own customers' OT devices.

Most of the flaws occur in level 1 and level 2 OT devices.

Level 1 devices - such as programmable logic controllers (PLCs) and remote terminal units (RTUs) - control physical processes, while level 2 devices include supervisory control and data acquisition (SCADA) systems and human-machine interface (HMI) systems.

"So basically, whenever you interact with the device you can call sensitive functions on the device, invoke this function directly without it asking for a password."

The researchers noted that patching these security issues won't be easy - either because they are the result of OT products being insecure by design, or because they require changes in device firmware and supported protocols.


News URL

https://go.theregister.com/feed/www.theregister.com/2022/06/21/56_vulnerabilities_critical_industrial/