Discovery of 56 OT Device Flaws Blamed on Lackluster Security Culture
2022-06-22 12:34

Researchers discovered 56 vulnerabilities affecting devices from 10 operational technology (OT) vendors. They attributed most of them to inherent design flaws in equipment and a lax approach to security and risk management that have plagued the industry for decades.

Overall, the "impact of each vulnerability is highly dependent on the functionality each device offers," according to a blog post about the flaws published Tuesday.

The activities that threat actors can engage in by exploiting the flaws on an affected device include: remote code execution, with code executed in different specialized processors and different contexts within a processor; denial of service that can take a device completely offline or block access to a certain function; file/firmware/configuration manipulation that allows an attacker to change important aspects of a device; credential compromise allowing access to device functions; or authentication bypass that allows an attacker to invoke desired functionality on the target device, researchers said.

Researchers outlined some of the reasons for the inherent issues with security design and risk management in OT devices that they suggest manufacturers remedy in swift fashion.

Sometimes the inherent insecurity of the device wasn't directly the fault of the manufacturer but that of "insecure-by-design" components in the supply chain, which further complicates how manufacturers manage risk, researchers found.

Long Road Ahead

Indeed, managing risk in OT and IT devices and systems alike requires "a common language of risk," something that's difficult to achieve with so many inconsistencies across vendors and their security and production strategies in an industry, noted Nick Sanna, CEO of RiskLens.


News URL

https://threatpost.com/discovery-of-56-ot-device-flaws-blamed-on-lackluster-security-culture/180035/