Final OT:ICEFALL vulnerability disclosed affecting Schneider tool

Researchers have disclosed a vulnerability affecting tools made by operational technology (OT) manufacturer Schneider Electric — the final bug announced as part of a set of disclosures collectively known as OT:ICEFALL.

The vulnerability affects the company’s ION and PowerLogic power meters, which provide power and energy monitoring tools to organizations in the manufacturing, energy, water and wastewater systems sectors.

Tagged as CVE-2022-46680, the vulnerability has a CVSS score of 8.8 out of 10, indicating a high severity, and allows hackers to gain access to credentials that would help them change configuration settings or potentially modify firmware.

The vulnerability is the last issue found in the original OT:ICEFALL research from security company Forescout, which unveiled 56 OT vulnerabilities almost exactly one year ago affecting products from Siemens, Motorola, Honeywell, Yokogawa, ProConOS, Emerson, Phoenix Contract, Bentley Nevada, Omron and JTEKT. Several other OT:ICEFALL vulnerabilities were unveiled in February.

Daniel dos Santos, head of security research at Forescout, told Recorded Future News that the vulnerability was held out of the initial 56 bugs released at the request of Schneider Electric, which needed time to help customers remediate the issue and find workarounds.

A spokesperson for Schneider Electric said they worked closely with Forescout on the disclosure and published a security notification in May that provides remediations and mitigations.

“As per the notification, we advise that customers deploy the remediations and mitigations detailed therein. In addition, we continue to recommend that customers implement cybersecurity best practices across their operations as outlined in Schneider Electric Recommended Cybersecurity Best Practices document,” the spokesperson said.

Alongside CVE-2022-46680, Forescout unveiled two other OT vulnerabilities affecting a line of automation controllers from WAGO that are used in sectors such as commercial facilities, manufacturing, energy and transportation.

WAGO did not respond to requests for comment and the bugs are of a low CVSS severity. But dos Santos explained that both issues allow hackers to crash a device, forcing them to be manually rebooted.

Vulnerabilities like these are concerning considering the tools are used by transportation systems and are often located in remote locations along railways – meaning someone would have to venture out to them and manually restart them.

Forescout noted that while both of the WAGO and Schneider Electric devices are not supposed to be exposed online, they found between 2,000 and 4,000 potentially unique devices directly accessible when querying Shodan, a tool used to search internet-exposed devices.

WAGO controllers are most popular in Europe, while ION meters are most popular in North America.

While these vulnerabilities would normally be investigated and exploited by nation-states, dos Santos told Recorded Future News that things have changed significantly over the last year since the onset of Russia’s invasion of Ukraine.

Unaffiliated hackers have jumped in the fray to help both sides, muddying the waters of what is typically considered a “state-backed” hacker. Attackers supporting both countries have targeted critical infrastructure like railways, opening the door for other conflicts where private actors may take unilateral actions and exploit bugs previously reserved for militaries.

“What we started seeing towards the second half of last year, mainly because of the conflict in Ukraine and the geopolitical situation, is the rise of hacktivists that are also looking at operational technology,” he said.

“So I would say these vulnerabilities are not complicated at all to exploit compared to some others that we have seen exploited in the past. They could be exploited by other types of attackers. It doesn't require the sophistication of a nation-state actor. It would still be something that a nation-state actor could leverage for their purposes, but a hacktivist could leverage it to bring devices offline or cause damage.”

Continuous OT security failings

Alongside the disclosure of the three vulnerabilities, Forescout and dos Santos said a larger conversation needs to be had about OT manufacturers and their continual failure to build products with security in mind.

He said his team is still finding many of the same vulnerabilities that were uncovered in OT:ICEFALL and in subsequent reports.

Forescout said vendors still “lack a fundamental understanding of secure-by-design” and explained that they find recurring design issues that “demonstrate a lack of understanding of basic security control design, such as plaintext and/or hardcoded credentials, client-side authentication, stateful control on stateless protocols, missing critical steps in authentication, broken algorithms and faulty implementations.”

For operational technology tools, patches are often difficult to implement considering their long-term use, making it imperative that companies consider security implications from the beginning.

dos Santos said one concern many OT companies raise with his team is the fact that many security issues can be traced back to the need for backward compatibility.

Because OT companies are dealing with critical infrastructure that is in use for decades, their new tools have to be compatible with systems made 30-50 years ago. These systems are often insecure themselves, making it difficult to build newer products that can co-exist with old systems while also implementing new security features.

But Forescout noted that vendors often release low-quality or incomplete patches that at times can lead to the discovery of other vulnerabilities, increasing risk rather than decreasing it.

A Schneider Electric spokesperson said it is well aware of the challenges they face as an OT manufacturer but said organizations using their products also need to “ensure they have implemented cybersecurity best practices across their operations to protect themselves from possible exploitation of these vulnerabilities.”

“Where appropriate, this includes locating their systems and remotely accessible devices behind firewalls, installing physical controls to prevent unauthorized access, and preventing mission-critical systems and devices from being accessed from outside networks,” the spokesperson said.

Forescout backed calls within the recently unveiled U.S. National Cybersecurity Strategy for vendors to face some kind of liability for insecure or vulnerable products – explaining that “piecemeal patching” in OT is “inefficient and disruptive.”

Several cybersecurity experts, like Viakoo vice president John Gallagher, said one part of Forescout’s report that stood out to him was the discussion of “slow drip patching” – which refers to the lengthy amount of time it takes vendors to produce patches.

Gallagher said that in addition to the patch creation process, it also takes organizations a long amount of time to deploy them because they generally have to do it manually.

“OT vendors will become faster as time goes on in providing patches for new vulnerabilities (they are relatively new at this, and are getting better), but organizations should be taking action right now to ensure they have an automated method to quickly deploy those patches when they become available,” he said.

“Other barriers to making IoT/OT devices secure include the lack of a secure distribution mechanism for patches (they typically are not digitally signed or authenticated), and how many organizations still use manual methods to patch IoT/OT devices (despite them existing at 5x to 20x the scale of IT devices).”