Critical Infrastructure Gear is Full of Flaws, but Hey, at Least It's Certified
guest reader writes:
Security researchers find bugs, big and small, in every industrial box probed:
Devices used in critical infrastructure are riddled with vulnerabilities that can cause denial of service, allow configuration manipulation, and achieve remote code execution, according to security researchers.
The researchers looked at 45 operational technology (OT) product lines used in government, healthcare, water, oil and gas, power generation, manufacturing, retail and other sectors from ten different major vendors. By reverse engineering the products, they were able to identify bad practices like unauthenticated protocols and weak cryptography.
From 53 identified CVEs: More than a third (21 CVEs) could facilitate credential compromise. Another 18 CVEs involved data manipulation, with 13 of these allowing firmware manipulation. And 10 CVEs provided a path to remote code execution.
Based on open source inquiries (e.g., using the Shodan search engine), the authors determined that a significant number of potentially vulnerable systems are exposed to the internet.
The vendors covered included: Bently Nevada, Emerson, Honeywell, JTEKT, Motorola, Omron, Phoenix Contact, Siemens, Yokogawa, and Schneider Electric.
"Worryingly, many of these products are certified but suffer from vulnerabilities that should have been caught in the certification process," the researchers say in their paper, citing IEC 62443 labelled products that weren't compliant. "...This suggests that apart from what the standards may not cover, even the things they do cover are not always properly covered in practice."
The Biden administration has cited the need to protect critical infrastructure as part of its recently announced National Cybersecurity Strategy. That goal evidently remains a work in progress.
Pre-print paper:
Jos Wetzels, Daniel dos Santos, and Mohammad Ghafari. 2023. Insecure by Design in the Backbone of Critical Infrastructure. In Cyber-Physical Systems and Internet of Things Week 2023 - this is a preprint version, May 9-12, 2023, San Antonio, TX, USA. ACM, New York, NY, USA, 6 pages. https://doi.org/10.48550/arXiv.2303.12340