Security News > 2023 > March > Critical infrastructure gear is full of flaws, but hey, at least it's certified
Devices used in critical infrastructure are riddled with vulnerabilities that can cause denial of service, allow configuration manipulation, and achieve remote code execution, according to security researchers.
Most of these operational technology products - which include industrial control systems and related devices - claim security certifications, some of which they did not actually have.
The researchers looked at 45 OT product lines used in government, healthcare, water, oil and gas, power generation, manufacturing, retail and other sectors from ten different major vendors.
Another 18 CVEs involved data manipulation, with 13 of these allowing firmware manipulation.
"Only 51 percent of the examined devices had some sort of authentication for firmware updates, even if it was in the form of hardcoded credentials in some cases," the trio said, adding that 78 percent did not implement cryptographic firmware signing.
Italy topped the list for the number of exposed devices, followed by Germany, Spain, France, Switzerland, and the US. "Worryingly, many of these products are certified but suffer from vulnerabilities that should have been caught in the certification process," the researchers say in their paper, citing IEC 62443 labelled products that weren't compliant.