A Novel Perspective on IceFall Vulnerabilities

The risk is real, but it doesn’t have to send OT into a freefall

AMIT SERPER

July 18, 2022

The operational technology (OT) world got a rude awakening on June 21, 2022, when Forescout researchers disclosed 56 vulnerabilities, dubbed "OT:Icefall", affecting 26 device models from 10 OT manufacturers. The disclosure sent shockwaves through the industry, partly because of its breadth, but mainly because of the types of devices it touches. It is worth noting what kind of flaws these are: most are not subtle memory-corruption bugs but insecure-by-design weaknesses, such as engineering protocols with missing or weak authentication and firmware update mechanisms that do not verify signatures. 

According to Forescout's report, these are the products affected by OT:Icefall:

Manufacturer      Model                          Device type
----------------  -----------------------------  ------------------------------------------------
Bently Nevada     3700, TDI equipment            Condition monitors
Emerson           DeltaV                         Distributed control system
Emerson           Ovation                        Distributed control system
Emerson           OpenBSI                        Engineering workstation
Emerson           ControlWave, BB 33xx, ROC      Remote terminal unit
Emerson           Fanuc, PACsystems              Programmable logic controller
Honeywell         Trend IQ*                      Building controller
Honeywell         Safety Manager FSC             Safety instrumented system
Honeywell         Experion LX                    Distributed control system
Honeywell         ControlEdge                    Remote terminal unit
Honeywell         Saia Burgess PCD               Programmable logic controller
JTEKT             Toyopuc                        Programmable logic controller
Motorola          MOSCAD, ACE IP gateway         Remote terminal unit
Motorola          MDLC                           Protocol
Motorola          ACE1000                        Remote terminal unit
Motorola          MOSCAD Toolbox STS             Engineering workstation
Omron             SYSMAC Cx series, Nx series    Programmable logic controller
Phoenix Contact   ProConOS                       Logic runtime
Siemens           WinCC OA                       Supervisory control and data acquisition (SCADA)
Yokogawa          STARDOM                        Programmable logic controller

Why OT is so Different from IT

OT devices are deployed throughout our critical infrastructure, from refineries to nuclear plants. Because of their criticality and their spartan processing and memory resources, patching or updating these devices is extremely difficult and sometimes impossible. 

From the device manufacturer's perspective, developing a patch is a slow, expensive process that does not always succeed. Once the engineering, testing and roll-out to every deployed unit are counted, a single patch can cost millions of dollars. Downstream vendors complicate the work further and can delay it or make it unfeasible altogether: the third-party source code that is typically needed to engineer a patch is often unavailable. (According to Forescout's report, the Icefall vulnerabilities do involve downstream vendors that have to be considered.) 

Even when a patch can be issued, many of these OT and IoT devices cannot be reached, or cannot be taken offline, to apply it, and the testing needed to confirm that the patch itself introduced no new problems brings downtime of its own. Patching an embedded device usually means flashing new firmware, a process that makes even experienced operators nervous. Unlike applying a patch to a Windows or Mac machine, it does not install a single program on an existing system; it replaces the entire firmware image of the device. The smallest mistake in this delicate process can have significant consequences, leaving the device unavailable and causing still more downtime.

In addition, most OT devices are designed to be self-contained and to run autonomously, with little or no human intervention. As a result, many of the controls and mitigating measures available for general information technology (IT) systems are off the table for OT. The limited compute resources of OT devices often rule out running a security agent on them, and typical network controls, such as those enforced by firewalls and intrusion prevention systems, are avoided because of the impact a false positive could have on ongoing operations. (Imagine an energy grid going down because a firewall blocked a connection.)

It’s Time for a Paradigm Shift

The current IoT and OT threat landscape is forcing us to reconsider the security compromises we have been making for years. Until now we have had only three options, or some combination of them: 

  1. Constantly chase new firmware versions and patches, and try to manage the disruption that applying them causes to ongoing operations (through patch management planning and orchestration).  
  2. Rely on passive approaches, such as security by design, static and firmware analysis, or network segmentation, and hope for the best (even though these methods have proven only modestly successful at averting threats). 
  3. Close our eyes, pretend the problem does not exist, and hope that our organization's devices are not targeted by threat actors (in other words, bury our heads in the sand).

Obviously, these options are insufficient. The good news is that with Sternum there is now a fourth option, one that is both effective and sustainable: 

  4. Give devices the ability to protect themselves, ahead of time, as part of the firmware, so that chasing patches becomes irrelevant and exploitation of the vulnerabilities becomes moot.

The Sternum Device Security and Insights Platform takes a direct-to-binary approach that ensures code cannot be manipulated or turned into a vehicle for attacks. It is universal: it works on any device (any RTOS or Linux version) at any stage of deployment (in development or already in the field), adding visibility and security immediately without changing any functionality. 

Sternum's runtime protection identifies exploits and mitigates them on the fly, without downtime. It is a lightweight embedded endpoint protection solution that integrates into the firmware to protect every running process and service on the system. It tracks and protects each piece of code that is called or executed on the device so that it cannot be exploited or used for something it should not do. When an anomaly is detected, whether memory corruption, a logic bug or something else, Sternum stops the malicious exploitation and reports exactly which piece of firmware code was targeted.

Sternum also provides an autonomous, non-intrusive, cloud-based analytics system that gives real-time visibility into the device. It alerts on blocked threats and monitors for behavioral anomalies, such as brute-force login attempts, data leakage or theft, and authentication and password violations.

As a result, Sternum provides complete visibility, insight and control for IoT and OT devices, giving manufacturers an easy way to build in persistent protection against whatever vulnerabilities may arise. At last there is a deterministic way to protect OT devices pre-emptively against the most common attack patterns, be notified in real time when they occur, and keep vulnerabilities such as Icefall from sending organizations into a freefall.