Cybersecurity company Forescout has released a report detailing 56 very concerning security gaps they discovered across a string of devices used in industrial equipment, including devices used by manufacturers, distributors, and building automation.
The devices were sold by 10 well-established operational technology (OT) vendors, including Honeywell, Ericsson, and Motorola, among others, and included products being sold as “secure by design” or certified with operational OT security standards.
Leapfrog believes this report serves as a reminder that companies need to take responsibility for their own security, which includes identifying and plugging vulnerabilities within any of their systems. Your cybersecurity team can easily detect security gaps like the ones Forescout found — but so can hackers.
So your team needs to find them first.
OT vulnerability ripple effects
OT is industrial software or hardware that detects or causes changes in physical processes. OT usually has a long life cycle, limited functionality, and stringent safety requirements.
In total, Forescout estimates that the security vulnerabilities it found affected over 30,000 OT machines, many of which are in use by facilities that make up the backbone of our critical infrastructures — oil and gas companies, chemical plants, nuclear power plants, water treatment facilities, and others. These security gaps can lead to catastrophic effects and impact hundreds and thousands of people.
Not all of the companies with affected systems are part of critical infrastructure, but all are at risk for unplanned disruptions or other malicious activity. Hackers can exploit the vulnerabilities through:
- Remote code execution that runs harmful code on the device
- Denial of Service (DoS) that shuts down a machine or network
- Firmware manipulation that changes a device’s operating system or other components
- User credential compromise or authentication bypass to gain access to systems
More connections, more risk
OT “insecure by design” vulnerabilities aren’t new. What’s new is that those vulnerabilities are now far more likely to be exposed.
More companies have been connecting their OT networks to their corporate IT networks, primarily to improve productivity with technologies like remote access, predictive maintenance, and ERP system integration. Yet, these same companies haven’t taken steps to secure and monitor their OT networks after making the connections.
If a hacker exploits an OT vulnerability and the OT network is connected to the corporate network, the company and its clients are instantly at greater risk. And the public may be at risk, too, depending on the corporation’s industry.
How to remediate
Isolating your OT network (and your IoT network) from your corporate network and the internet is the best practice. If it’s necessary to connect them, do so judiciously — set policy and time restrictions and limit connections to a few specific workstations.
Forescout recommends other specific actions. Leapfrog concurs and can perform all of them for our clients:
- Discover and inventory vulnerable devices
- Enforce segmentation controls and proper network hygiene
- Monitor vendors’ progressive patch releases and devise a remediation plan
- Monitor all network traffic for suspicious activity
- Procure products that are genuinely “secure by design”
- Use native hardening capabilities
- Work toward consequence reduction by following a proven cybersecurity methodology
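One way to enforce and monitor the “few specific workstations, restricted hours” rule described above, as an added example rather than Leapfrog’s or Forescout’s code: a small Python audit that checks connection records bound for the OT subnet against an approved-workstation allowlist and a maintenance window. The subnet, host addresses, window and sample flows are constructed assumptions.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed policy (assumed values, not from the report): only these
# engineering workstations may reach the OT subnet, and only during the
# maintenance window.
OT_SUBNET = ip_network("10.20.0.0/16")
ALLOWED_WORKSTATIONS = {ip_address("10.1.5.10"), ip_address("10.1.5.11")}
WINDOW_START, WINDOW_END = 8, 18  # 08:00 up to (not including) 18:00 local time


def check_flow(src, dst, ts):
    """Return the list of policy violations for one connection attempt.

    An empty list means the flow is either compliant or not OT-bound at all.
    """
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    if dst_ip not in OT_SUBNET:
        return []  # not OT-bound; outside this policy's scope
    when = datetime.fromisoformat(ts)
    reasons = []
    if src_ip not in ALLOWED_WORKSTATIONS:
        reasons.append("source not an approved workstation")
    if not (WINDOW_START <= when.hour < WINDOW_END):
        reasons.append("outside maintenance window")
    return reasons


def audit(flows):
    """Map each offending (src, dst, iso_timestamp) flow to its reasons."""
    findings = {}
    for flow in flows:
        reasons = check_flow(*flow)
        if reasons:
            findings[flow] = reasons
    return findings


# Constructed sample flow records, e.g. exported from a firewall or NetFlow collector.
SAMPLE_FLOWS = [
    ("10.1.5.10", "10.20.3.7", "2024-05-01T10:15:00"),  # approved host, in window
    ("10.1.9.44", "10.20.3.7", "2024-05-01T10:16:00"),  # unapproved host
    ("10.1.5.11", "10.20.3.9", "2024-05-01T23:40:00"),  # approved host, off hours
    ("10.1.9.44", "10.30.1.1", "2024-05-01T23:41:00"),  # not OT-bound, ignored
]

if __name__ == "__main__":
    for flow, reasons in audit(SAMPLE_FLOWS).items():
        print(flow, "->", "; ".join(reasons))
```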
If your company uses industrial equipment, see the Forescout report for details about the dozens of vulnerabilities it found and related attack scenarios and potential impacts.
Cybersecurity is fundamental to your business continuity. It’s important to be diligent and holistic in your risk management approach and address each system change from a security perspective.
At Leapfrog, we work with businesses to proactively consider security risks and take steps to mitigate and reduce potential attacks across every type of technology you use, from servers and computers to industrial systems.
Still, technology represents only 45% of your attack surface — your people, processes, and facilities make up the rest. Our CyberRisk Program is designed to secure all attack vectors and manage cyber risk across your entire organization.